WordPress nonces are not your usual ('use only once') nonce. For a given $action, a new nonce is generated every 12 hours and nonces are valid for 24 hours, so at any given point there are two valid nonces for a given $action.
The nonce is (a substring of) a hash of:

- $action – the action
- $uid – the user ID
- $i – the incrementor
The incrementor increases by 1 every 12 hours, so if the current nonce for a given user and action is a substring of

    wp_hash($i . $action . $uid, 'nonce')

then the previous nonce (for the same user and action) is a substring of

    wp_hash(($i - 1) . $action . $uid, 'nonce')

Since both are valid nonces, when you check your received $nonce you check both for a match.
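To make the two-window scheme concrete, here is a small model of it in Python. This is an added example, not code from the answer above or from WordPress itself: `wp_hash()` is replaced by an HMAC-MD5 over a constructed salt, the tick is taken as ceil(time / 12h), the nonce is the 10 characters at offset -12 of the hex digest, and verification returns 1 for the current window, 2 for the previous one and False otherwise (all of these are assumptions modelled on WordPress's behaviour, not quoted from it). The action name, user ID, salt and timestamps are made-up sample values.

```python
import hashlib
import hmac

NONCE_LIFE = 24 * 60 * 60          # nonce lifetime: one day (assumed default)
TICK_LEN = NONCE_LIFE // 2         # incrementor $i advances every 12 hours


def nonce_tick(now):
    """Incrementor $i: ceil(now / 12h), so it steps once every 12 hours."""
    return -(-now // TICK_LEN)


def wp_hash(data, salt):
    """Stand-in for wp_hash(): a keyed MD5 HMAC over the data (assumption)."""
    return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()


def _nonce_for_tick(i, action, uid, salt):
    # $i . $action . $uid, then substr(..., -12, 10) of the hash (assumed offsets)
    return wp_hash(f"{i}{action}{uid}", salt)[-12:-2]


def create_nonce(action, uid, now, salt):
    """Nonce for the current 12-hour window."""
    return _nonce_for_tick(nonce_tick(now), action, uid, salt)


def verify_nonce(nonce, action, uid, now, salt):
    """Check the received nonce against the current and the previous window.

    Returns 1 if it was generated in the current window, 2 if in the previous
    one (still inside the 24-hour lifetime), False if it matches neither.
    """
    i = nonce_tick(now)
    if hmac.compare_digest(nonce, _nonce_for_tick(i, action, uid, salt)):
        return 1
    if hmac.compare_digest(nonce, _nonce_for_tick(i - 1, action, uid, salt)):
        return 2
    return False


# Constructed sample values: a secret salt, an action, a user and a start time.
SALT = b"constructed-secret-salt-not-a-real-wp-salt"
ACTION = "delete-post_42"
UID = 7
T0 = 1_700_000_000


def demo():
    """Walk one nonce through its lifetime; returns the verification results."""
    n = create_nonce(ACTION, UID, T0, SALT)
    return {
        "same_window": verify_nonce(n, ACTION, UID, T0, SALT),              # 1
        "next_window": verify_nonce(n, ACTION, UID, T0 + TICK_LEN, SALT),   # 2
        "expired": verify_nonce(n, ACTION, UID, T0 + 2 * TICK_LEN, SALT),   # False
        "wrong_user": verify_nonce(n, ACTION, UID + 1, T0, SALT),           # False
        # at T0 the nonce minted 12 hours earlier is still accepted: two valid at once
        "previous_still_valid": verify_nonce(
            create_nonce(ACTION, UID, T0 - TICK_LEN, SALT), ACTION, UID, T0, SALT),  # 2
    }


if __name__ == "__main__":
    print(demo())
```

The point of checking both `$i` and `$i - 1` is that a form rendered just before a tick boundary still submits a usable nonce afterwards; the cost is that a leaked nonce stays usable for up to 24 hours rather than 12, and, as the answer notes, it is never single-use within that window.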