Security around save_post hook

The save_post hook is called every time someone calls the function wp_insert_post(). Plugins do that, unfortunately some themes too, and WordPress itself on several places when …

  • someone uses post per email or XML RPC
  • an auto-draft is created
  • the Quick Draft feature on the dashboard is used
  • a navigation menu item is added
  • a revision is created

You really don’t want to handle all those action without your own verification.

Besides that, nonces should guarantee that an action cannot be repeated by someone who listens to another person’s network traffic. In theory, nonces prevent that. The default WordPress nonces are not very secure in that regard, because they can be reused. But your users might have installed a plugin that creates real nonces. Do you really want to bypass their extra security measures? Probably not.

Related Posts:

  1. WordPress media library allow uploading fake file
  2. How to get WordPress’ hooks/actions run sequence?
  3. How many times can I hook into the same action?
  4. Is there a hook before the user is authenticated?
  5. Hook into WordPress update?
  6. Verify nonce in REST API?
  7. switch_to_blog(): Load textdomain
  8. Can I hook inside another hook?
  9. Adding function directly vs using hook in function.php
  10. How can I send to multiple Contact Form 7 recipients based on form input? [closed]
  11. What is the action hook for save media-form on gallery tab?
  12. Check if action hook exists before adding actions to it
  13. Handling nonces for actions from guests to logged-in users
  14. Post-Registration, post-meta hook?
  15. Removing action added from constructor
  16. Security – Ajax and Nonce use [closed]
  17. after login that will redirect user role into a page
  18. Create hooks based on an array of hook names?
  19. Access post meta just after publishing
  20. How and why can a hook call itself without causing recursion?
  21. Is This A Correct Example Usage Of current_filter()?
  22. Seeking Hook Whenever a Custom Taxonomy Term Has Been Added
  23. How can i trigger an action manually?
  24. Can I trigger the publish_post hook by using wp_insert_post?
  25. WooCommerce New customer email Hook? [closed]
  26. When is it useful to use wp_verify_nonce
  27. admin_notices not working in post editor
  28. How to detect when a user changes their name?
  29. How to check what kind of saving it is?
  30. Override wp_delete_post and move to trash instead for custom post type
  31. Nonce actions and names available via open source
  32. How do I grab specific posts (by post id) and display the title, featured image, and excerpt?
  33. Empty Super Cache programmatically (with ACF action) [closed]
  34. Hook all http requests
  35. Setting Cookie with init hook causes ‘header already sent’
  36. How do I check if AJAX nonces are implemented correctly?
  37. Is there an “Add Page” hook?
  38. How To Make Sure That My Action Hook Executes Last
  39. Does update_comment_meta hook exists?
  40. how to determine how many and what kind of arguments are passed to hooks
  41. Can not set custom title on some WordPress setups
  42. BuddyPress User Profile Menu
  43. How to hook in after user’s registration email has been sent?
  44. Checking post format during xmlrpc_publish_post
  45. Hook for when a page template is changed
  46. Append a code when at the current page in wp_list_pages()
  47. Footer.php being inserted before article closing tag?
  48. Get all posts with a duplicate name
  49. Save acf field data via acf/save_post before post is saved
  50. Above-the-fold inline styles from SASS generated stylesheet
  51. Redirect in form handler causing form to be submitted twice
  52. Checking login status before wp_get_current_user is initialised
  53. Add media library tab
  54. Conditional hook [closed]
  55. Add_menu_page() error message -> “You do not have sufficient permissions to access this page”
  56. Where is the right place to register/enqueue scripts & styles
  57. Displaying list of cities according to the selected state. Using the WordPress hook
  58. Removing parent theme action on pluggable function not working
  59. Removing a Filter
  60. Which action hook should I use to intercept a form upon submission?
  61. Would there be anything stopping me from removing both wp_head and wp_footer?
  62. Where Are Hooks?
  63. WordPress wp_loaded action hook
  64. Check if `do_action()` in WordPress returns any result
  65. How to cancel an action hooked to untrash_post? or any hook
  66. add_action hook for publish_post not working
  67. Modify Notification Message When Profile Updated
  68. WordPress plugin activation, deactivation and uninstall hook not being triggered
  69. Hook for inserting?
  70. How to stop WordPress from updating the post meta
  71. Using nonce when loading posts with AJAX
  72. Can an RSS item be altered with a hook?
  73. Block Update Profile Errors
  74. Thickbox ‘tb_unload’ function being called twice
  75. How to remove a meta description or other contents
  76. Hooking save_post breaks check for term in added_term_relationship hook?
  77. Restrict editing of post type to list stored in user meta
  78. Delay action unltil the untill previous (hoocked) action is completed
  79. Rewrite the search page to use an appended slug + parameter
  80. What is the hook to remove a menu items group from Appearance > Menus column Add menu items
  81. Add stuff above header edit form
  82. do_action not working in loop
  83. add_action doesn’t work for my function
  84. Add HTML code before the title of the Tag page
  85. WP_mail() Issue. Duplicate emails if $_GET[‘A’] == email
  86. Hooks with same priority number. Can one stack items returned in divs, position: absolute each with their own z-index?
  87. trying to locate the correct file to edit my internal linking anchor tags
  88. Can add_image_size be added earlier
  89. Hook to change Author Info
  90. Send email to post author 1 day before his project ends
  91. can’t access dashboard and showing forbidden page
  92. prepopulate form from a hook within wordpress function.php file
  93. Query author’s posts & posts that have author’s id as meta value
  94. Change Title Type
  95. admin_post hook not working
  96. What is meaning of BEFORE and AFTER in this hook name?
  97. How to display before H1 Title
  98. How to set Post ID from context to an attribute in child block of Gutenberg Query Loop
  99. How can I get the ID before after_setup_theme?
  100. Hook on opening a media/document

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)