Articles of nonce

Nonce for Trashing Item

I have a custom admin page. On it, I have created a filtered list of the custom post type based on postmeta data. I have to create a link to delete that post. I am trying to figure out how to create the link with a nonce. sprintf('<a href="post.php?post=%s&action=%s&_wpnonce=%s" class="link-course-delete">Trash</a>',$item['ID'],'trash',wp_create_nonce(???)) I am not sure what […]

Several nonces?

Is there a point in having several nonces? Does it increase the security? E.g. adding nonces to meta boxes while <form> (which is basically the whole add/edit post screen) already has one by default. Docs, tutorials and old answers all insist on adding a nonce when you make a custom meta box. Like I said, WordPress already adds […]

Using nonce when loading posts with AJAX

This is more of a security question. I have a blog layout that has a loader at the bottom of my posts, and when you get to it, an AJAX call will be triggered, and it will call the function that will render more posts. This all works. But one thing is bothering me: should I use […]

wp-admin AJAX with Fetch API is done without user

TL;DR – Why is my user account not logged in during an AJAX request which is made inside wp-admin? I have the following setup: <?php add_action('wp_ajax_foobar_action', 'foobar_action'); add_action('wp_ajax_nopriv_foobar_action', 'foobar_action'); function foobar_action() { check_ajax_referrer(); wp_send_json((object) ['msg' => 'hello world']); } add_action('admin_print_scripts', function () { printf('<script type="text/javascript">window.custom_nonce = "%s";</script>', wp_create_nonce()); }); And in JS: var msg = […]

How to add a WordPress Nonce for this form to avoid CSRF

Here is the Form and I would like to add a WordPress nonce to it: <form action="" method="post"> <label>Enter your email address:</label> <input id="email" type="email" name="yourmail" value="<?php echo $current_user->user_email; ?>" disabled="disabled"> <input type="submit" name="submit" value="Test"> </form>

Stop WordPress nonces expiring

I would like to have a nonce key forever; I don’t want to change or refresh it. Any idea? add_filter( 'nonce_life', function () { return 4 * 1000000000000000000; } );

Help with forms and nonces

I am trying to create a nonce to use with a (public-facing) form. Below is my code: function my_form() { if (isset($_POST['submit'])) { $name = $_POST['name']; $description = $_POST['description']; $output_form = false; if (wp_verify_nonce($_POST['added'], 'add-item') ) { //validate echo 'form submitted with nonce correctly'; } } else { $output_form = true; } if ($output_form) { […]

Forms and WordPress Nonce

WordPress nonce is driving me nuts! I had this problem when I started my plugin and removed it, but now I have come back to it and still don’t know what to do. I have looked all over for a solution. My code is the same as/similar to other examples. I get an “undefined index ‘mrlpt_client_check’” error. […]

Why do Metabox use Nonces?

Why is it advised for admin panel metaboxes to use nonces? In every example I see of creating and saving metabox data there are nonces involved, but aren’t nonces a bit unnecessary in this case?

Nonce doesn't validate in nopriv call

I have a function which uses Ajax calls: function bs_reserve_gift() { if (!wp_verify_nonce($_POST['_wpnonce'], 'reserve_gift')) { $response['status'] = 'error'; $response['message'] = __('Something went wrong, please try again later!', 'bs'); echo json_encode($response); exit(); } else { update_post_meta($_POST['reserve_gift_id'], 'gift_status', 'reserved'); $response['status'] = 'success'; $response['gift_id'] = $_POST['reserve_gift_id']; $response['message'] = __('Thank you, the gift was reserved for you!', 'bs'); echo […]