Should I use wp_nonce_field on my contact form?

You should not. Nonce is used to protect against cross site request forgery attacks (CSRF) in which another aite tries to trick you into submitting a form to your site which will perform some hostile action.

Nonces are unique value that can be generated only by a specific site at a specific time and therefor can not be guess by the attacking site. What you do is generate a nonce and add it to your form when you generate the HTML for it and validate that it is actually was generated by your site at a reasonable time frame before attempting to handle it.

As contact form should not do anything more then store info in the DB or send a mail there is no point in protecting them agains CSRF. for 99% of the time it will make no dfference for the user but as konstantin points out if caching is used somewhere either by a caching plugin or some caching server out of your control (most ISPs probably has one) you might supply to the user a stale nonce which will fail validation and prevent users from submitting the form.

Related Posts:

  1. Is wp_nonce_field vulnerable if you know the action name?
  2. Nonce actions and names available via open source
  3. Nonces and Cache
  4. Can I verify nonce which was generated on a different WP site?
  5. When is it useful to use wp_verify_nonce
  6. Help with forms and nonces
  7. not logged in users can’t submit form
  8. wp_create_nonce function doesn’t work inside a plugin?
  9. Using Contact Forms to Send Private Information [closed]
  10. Can you have more than one nonce on a page?
  11. How to stop direct HTTP POST to a PHP script?
  12. Should wordpress nonce be placed in html form or in javascript file
  13. whether a nonce is required for get type and get_query_var?
  14. CSRF attack to create USER
  15. Passing form data on submit
  16. wp_nonce for Front-End submission form not working
  17. How to include landing page with form submission?
  18. How to edit a user profile on the front end?
  19. wp_verify_nonce vs check_admin_referer
  20. Is it safe to assume that a nonce may be validated more than once?
  21. Multiple ajax nonce requests
  22. Autocomplete for taxonomy input boxes on a front end form
  23. set_query_var doesn’t seem to work on init hook
  24. How to send multipart form data to WordPress endpoint
  25. Placeholders in Jetpack Contact Form [closed]
  26. Security around save_post hook
  27. Loading scripts & styles from a meta box callback function
  28. Confusion on WP Nonce usage in my Plugin
  29. Looking for a simple approach for handling user $_POST data without AJAX?
  30. How to return variables from admin-post.php
  31. Setting specific image size for specific form upload file field
  32. Get data from dropdown and update page
  33. How to Process Form Request
  34. Security checking in meta_box save is reluctant?
  35. How Could I sanitize the receive data from this code
  36. limit characters when posting from form
  37. Adding data to an array in usermeta and displaying it in a loop
  38. WP Admin AJAX Security – using POST to include a relative URL
  39. ajax nonce verification failing
  40. Create form on plugin options page that creates submenu pages for that plugin
  41. Contact Form 7 – Add a Info Text to Checkboxes/Radiobuttons [closed]
  42. Post submit using shortcode and init
  43. Form Security: nonce vs. jQuery
  44. Password protected page with a form submits for me fine but for others redirects them back to the password prompt
  45. What form element names break wordpress?
  46. I am trying to grab the title and put it in a paypal form select option
  47. How to add required fields in user profile admin page?
  48. Java code/ JSP page in wordpress
  49. how to add a custom form in a page
  50. Form Submission Warning: Cannot modify header error only when plugin is deactivated
  51. Create a registration form with a PayPal checkout fee? [closed]
  52. comment form name and email not working?
  53. Sort populated GravityForms list alphabetically [closed]
  54. Checkboxes in a wordpress form are not showing as checked when selected [closed]
  55. Radio&Checkbox buttons Contact form 7 not clickable
  56. Complex Timesheet Form
  57. How to add a placeholder to the protected post password input
  58. How to change a form end email?
  59. Saved emails at dashboard
  60. Fatal error: Call to undefined function wp_insert_post()
  61. Simple form validation for custom post type in front end. Not working
  62. WordPress Frontend Post Form (Bootstrap Modal) Not Creating Post
  63. Inquiry form like on URL [closed]
  64. Update user meta on custom wordpress form and redirect
  65. Headers already sent on a frontend post form using wp_redirect before get_header
  66. Email from my theme’s contact form doesn’t get the reply-to address right
  67. Can I have two submit buttons in one form? [closed]
  68. how do i make the “contact us” on a page created not to display
  69. Email form getting hacked
  70. sending form with time interval
  71. How to redirect a Link to a new tab in contact form 7?
  72. how do I hide or encrypt query strings for gravity forms
  73. Why is my contact form not working?
  74. Save and retrive data from a custom form to database
  75. WPAdverts – How to limit form submission 10 per month
  76. Using an iframe for a form help
  77. How to call or add password input / generate password / password strenght meter in custom registration form?
  78. Need to show results on the frontend of an admin form
  79. Form data being sent to parent directory
  80. fetch custom post if meta key exist
  81. Create a custom calculator in wordpress
  82. How to stopping auto scrolling after submitting the form?
  83. Ajax Security regarding user priviliges and nonces
  84. Preventing form resubmission on contact form plugin
  85. Plugin to get a result based on form checkbox
  86. How to handle dynamic form data with repeating fields?
  87. Passing input value into name of input
  88. wp_insert_post with POST data
  89. Adding a “Report the post” button/form?
  90. wordpress not saving form code in code editor
  91. Create register form plus send post
  92. Auto populate a Form
  93. Submit button returns to index page instead of sending data
  94. How do I register user without being authenticated
  95. How to add or double field?
  96. Custom form validation
  97. How to manage to submit WPForms at our webpage
  98. Adding default quicktags to textarea
  99. How can I get lost form data back? [closed]
  100. Forminator + Hubspot Workflows