Confusion on WP Nonce usage in my Plugin

Nonces are one time use limited life unique numbers. You can clone them but the problem you’ll see is that once sent back to the server and validated, the other clones will become invalid.

You have a few ways to handle this.

  1. Generate all your boxes on the server and discard the Javascript.
  2. Use Ajax to request a new nonce for each cloned box.
  3. My preferred choice, Use Ajax to request the server to create the clone.

Either way, your nonce needs to come from the server. The way WP handles this (for it’s Categories metabox for example) is to generate the Nonce name from the taxonomy name. You could use possibly the post value or image name for this.

<?php wp_nonce_field('add-' . $name, 'add-' . $name . '_nonce', false); ?>

Doing this would also require you to store the $name within a hidden field on your page.

<input id="<?php echo $name; ?>" type="hidden" value="add-<?php echo $name; ?>" />

From within your Ajax send both the unique name and the nonce back to the server validate and return whatever you want.

As for your other question “Is the nonce necessary?”. Well, it depends. I would suggest, any time you make changes to your database from form data, then yes they are required. If you’re only retrieving data, then no they’re not. But they will still come in useful for invalidating requests that may have been bookmarked or cached somewhere. I can’t remember exactly, I think their lifetime is about 12 hours.

Related Posts:

  1. Nonces can be reused multiple times? Bug / Security issue?
  2. Nonce in settings API with tabbed navigation
  3. wp_nonce_field displaying twice
  4. How to store username and password to API in wordpress option DB?
  5. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  6. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  7. Can someone explain what wp_session_tokens are, and what are they used for?
  8. WordPress and PHP Sessions – Security and Performance
  9. What is the difference between esc_html and wp_filter_nohtml_kses?
  10. What is nonce and how to use it with Ajax in WordPress? [duplicate]
  11. Log in from one wordpress website to another wordpress website
  12. WordPress REST API call generates nonce twice on every call
  13. Escaping built-in WP function return strings
  14. What is the difference between strip_tags and wp_filter_nohtml_kses?
  15. WP Cron doesn’t save or in post body
  16. WordPress restrict plugin file direct access
  17. Plugin development: is adding empty index.php files necessary?
  18. WordPress password reset – why post rp_key?
  19. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  20. Correct way check nonce (security) using old Options API
  21. Verify Nonce returns false – Request Nonce returns correct value
  22. Why do I need to check if wp_nonce_field() exists before using it
  23. Is there any way to check for user login and send him to login?
  24. WordPress security issue to output data from user input from theme option form
  25. Maximum lifetime for nonce
  26. Verify if user is wordpress logged in from another app since wordpress 4.0
  27. wp_create_nonce function doesn’t work inside a plugin?
  28. Secure Pages Best Practice
  29. Passing nonce at admin menu link
  30. Securing/Escaping Output of file content – reading via fread() in PHP
  31. Is nonce in PHP form and Ajax both necessary?
  32. Custom login doesn’t work properly
  33. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  34. Video Security just like facebook [closed]
  35. Is disabling test_form in wp_handle_upload a security concern?
  36. How to connect my wordpress plugin to a remote database securely?
  37. Is it necessary to do validation again when retrieving data from database?
  38. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  39. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  40. add_submenu_page hooked function must explicitly check user capabilities – why?
  41. Are there any security risks when submitting data-attribute data through AJAX?
  42. The Correct Way to Use Nonce Field without Settings API
  43. Why would you use esc_attr() on internal functions?
  44. How to use nonce
  45. Where to use nonce
  46. Is it possible to use WP-CLI in a plugin (or theme)?
  47. Secruity Questions on a timer
  48. Using HTML links within translatable string
  49. How can I save a password securely as a settings field
  50. Using password protection to load different page elements?
  51. WP_List_Table Inside Metabox With Bulk Actions Not Working on Submit
  52. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  53. How to store sensitive user data (passwords)
  54. How do I make secure API calls from my WordPress plugin?
  55. esc_attr() on hard coded string
  56. how to add security questions on wp-registration page and validate it
  57. Experts opinions needed: How (in)secure is this approach?
  58. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  59. wp_verify_nonce fails always
  60. Data Validation, dynamically generated fields (select for example)
  61. esc_url, esc_url_raw or sanitize_url?
  62. Saving metabox updates causing fatal error
  63. What process do you use for WordPress development? [closed]
  64. Where to put third party PHP library?
  65. Add a new tab to WordPress Plugin install Listing
  66. Export data as CSV in back end with proper HTTP headers
  67. How to integrate a PHP webmail script into the backend of WordPress?
  68. Can I add pages to my custom menu via script?
  69. Save user-specific options in WordPress admin
  70. Why is print_r returning $classObj->userObj in several places on site
  71. use __($str) to translate strings (symfony/twig)
  72. Activation hook not creating table
  73. wpColorPicker is not a function!
  74. How to display non-page / post content
  75. Mixing Regular Javascript With jQuery in a Plugin
  76. Plugin Upgrade Strategy
  77. Which are the hooks run before/after when a category’s deletion?
  78. Disable The Events Calendar plugin from loading its scripts
  79. get_the_excerpt() not working in plugin loop
  80. How to analyze wordpress plugin performance
  81. Jquery was not found on this server
  82. How to prevent plugins from sniffing/stealing other plugins’ options?
  83. How to create a digital product download link that can’t be used twice?
  84. How to change a field in database through a submit button or Checkbox? [closed]
  85. Grandchildtheme (plugin) add header.php (not exist in child theme)
  86. $wpdb->update Issue
  87. How to make every image title equal to alt text(wordpress/woocommerce)?
  88. Load specific page when a custom URL is hit
  89. Trying to rename a file upload as the hash of file content on wordpress
  90. Getting products information, in woocommerce based on products ID
  91. Fatal error: Uncaught Error: Using $this when not in object context
  92. How can I measure CPU and RAM used by my theme or plugin
  93. want to confirm popup with “Yes” and “No” button when user click on add to cart
  94. Modify search form with plugin
  95. When using an options array the Settings API isn’t creating the database record
  96. the correct way to use options from settings page [closed]
  97. On one of my sites a file is shown as 404 but the file IS there
  98. Extend WP_List_Table class – Edit wp_usermeta – WPPB.me Boilerplate – Action error
  99. Return custom product in ajax call loop
  100. Is using upgrader_process_complete the correct way to perform plugin updates?