WordPress JSON API nonces and Vue development server

For making authenticated API requests from a third party app, you’ll need to install a plugin to give you different methods of authentication. The most convenient but less secure is Basic Authentication: https://github.com/WP-API/Basic-Auth, it’s appropriate for a local development environment. This allows you to make authenticated requests by passing username and password in the body … Read more

wp_verify_nonce return false despite correct parameter passed

"the wp_verify_nonce() keep returning false" If you were logged-in to your (WordPress) site when you used the form, then the above is normal. Here’s why so: Your form submits to a custom REST API endpoint (at /wp-json/ilms_plugin/new_membership) and the default authentication method used by the REST API is cookie-based, i.e. it checks if a nonce … Read more

Forms and WordPress Nonce

The logic here is incorrect: // Verify this came from the our screen and with proper authorization, because save_post can be triggered at other times if ( !isset( $_POST['mrlpt_client_check'] ) && !wp_verify_nonce( $_POST['mrlpt_client_check'], 'mrlpt_submit_client' ) ) { return; } This reads if the $_POST['mrlpt_client_check'] is not set and is invalid – return. You want it … Read more

The Correct Way to Use Nonce Field without Settings API

This is a very basic nonce setup for a plugin: Create your nonce input in the form: wp_nonce_field( basename(__FILE__), $nonce_key ); Then check your nonce once submitted: if ( empty($_POST[$nonce_key]) || ! wp_verify_nonce( $_POST[$nonce_key], basename(__FILE__) ) ) return; basename(__FILE__) just uses the current filename (eg: plugin_options.php) to create the nonce string. You need to provide … Read more

Why do Metabox use Nonces?

WordPress nonces are meant to prevent unauthorized execution of code. In the case of meta boxes, they are protecting you against malicious users potentially adding unauthorized meta-information to your posts and pages by forging POST requests. Why wouldn’t you want to use nonces?

Should I use wp_nonce_field on my contact form?

You should not. Nonce is used to protect against cross site request forgery attacks (CSRF) in which another site tries to trick you into submitting a form to your site which will perform some hostile action. Nonces are unique values that can be generated only by a specific site at a specific time and therefore … Read more

Nonce doesn’t validate in nopriv call

Use check_ajax_referer: https://codex.wordpress.org/Function_Reference/check_ajax_referer //Check nonce if ( !check_ajax_referer( 'nonce-action-name', '_wpnonce', false ) ){ echo __('Ajax Security Check', 'yourtextdomain'); die(); }
