you should not use nonce on public pages. Nonces should protect against action which can perfom things the user might regret that they were done without his explicit consent. While the user might also regret sending some kind of “contact form” that is more of a mental thing, not something that can be solved with … Read more
If something on the page expires sooner than that pages cache then you will end up in this situation or an analogue/equivalent situation. So in the strictest sense the answer is a hard no. Either the nonce expiration has to increase, making the nonce less secure, the cache has to decrease so that the things … Read more
There are two ways of creating nonce verification for $_GET parameters: If you are coming from a form, you can use the wp_nonce_field function to create your own field. For example: <form action=”edit.php” method=”get”> <input type=”text” name=”example”> ….. <?php wp_nonce_field(‘my_custom_action’, ‘my_custom_name’); ?> <input type=”submit” value=”Submit”> </form> If you are coming from a link you created, … Read more
In order for the nonce verification to work, I needed to replace this: wp_verify_nonce( wp_unslash( $shared_post_data[‘lot_edit_nonce’] ), plugin_basename( __FILE__ ) ) with this: wp_verify_nonce( wp_unslash( $shared_post_data[‘_wpnonce’] ), ‘bulk-posts’ )
Nonces don’t store absolute time, but the number of ‘ticks’ since the start of the unix epoch, where each tick is half a day long by default. To check a nonce, WordPress generates the current and previous nonces and compares the result to the value you passed in. This means that the nonce lifetime needs … Read more
Instead of adding the nonce_life filter and then immediately removing it, try telling WordPress that the lifetime for your nonce is 30 seconds. add_filter( ‘nonce_life’, ‘wpse426626_my_nonce_lifetime’, 10, 2 ); /** * Sets the nonce lifetime for the creacomments nonce. * * @param int $lifetime The nonce lifetime. * @param string $action The nonce action. * … Read more
How to stop a nonce from being cached in an inline script, or alternatives to regenerate it if expired?
In a headless WordPress setup where you are using JWT for authentication, the standard nonce mechanism provided by wp may not directly fit your needs, especially when dealing with preview functionality. The nonce generated by wp is typically tied to the users session, which is not compatible with JWT authentication. One approach to solve this … Read more
As mentioned I wasn’t able to find it explicitly mentioned, although it was implied in some articles, that it was being done. When using the settings_fields( string $option_group ) wordpress function you can see from the source code that it includes a nonce field: https://developer.wordpress.org/reference/functions/settings_fields/ function settings_fields( $option_group ) { echo “<input type=”hidden” name=”option_page” value=”” … Read more
In WordPress, nonces (number used once) are security tokens that help protect against CSRF (Cross-Site Request Forgery) attacks. Nonce verification is generally recommended for actions that involve user interactions to ensure that the request is legitimate and not forged by a malicious party. When it comes to custom bulk user actions in WordPress, nonce verification … Read more