You do not need to use check_admin_referer. If you are using the Settings API then WordPress handles nonce checking and saving data to the database. In terms of data validation, the only thing you need to provide is a validation callback. This callback receives all inputs with name specified in the second argument of register_setting … Read more
wp_create_nonce is a pluggable function loaded after plugins are loaded. Be sure to call your class method on proper hook, ‘init’ (or later) is a good place: once your function output something (a form) there is no reason to run earlier than that.
To verify nonces in Ajax requests, check_ajax_referrer() should be used instead of wp_verify_nonce(): Crete the nonce: $nonce = wp_create_nonce( ‘vote-nonce-‘ . get_the_ID() ); Include it in JavaScript: jQuery(document).ready(function(){ jQuery(“.post-voting”).click(function(){ vote_nonce = <?php echo $nonce; ?> vote_id = jQuery(this).data(‘vote-id’); jQuery.post( vote_ajax.url, { action: ‘submit_vote’, vote_id: vote_id, vote_nonce: vote_nonce }, function( data ) { alert( jQuery.parseJSON(data) ); … Read more
As time varies, WordPress needs to allow for a nonce generated at 10:01 AM to be valid at 10:02 AM. It does this by using a time “tick” instead of the actual time, which is generated in two steps: First divide the lifespan of a nonce, in seconds, by two Divide the Unix timestamp by … Read more
I know it pasts a long time of this question. But I had the same issue and it was difficult for me to find some documentation about it. I had the same problem, for some reason wp_create_nonce and wp_verify_nonce they bot retrieve different hash. So I notice the problem was the $User->ID or $uid that … Read more
The true reason of not using nonces for non logged in users, is that it adds a pointless burden on their usage as they need to refresh the page when the nonce expire, and the only way they will know that they need to do it is when something do not work. There is probably … Read more
When trying to create a custom metabox, adding custom columns, managing custom columns and finally saving the post. Where do we need to pass the nonce. To make my question clearer. This is not correct, you shouldn’t need a nonce in a metabox because all that information is sent at once in the full request … Read more
If you use nonces properly, it won’t be possible to make the site to process fake request… So this part should be secure, but… There is still one security flaw in your approach… What if I can make you to run my JS script in your browser, while you’re logged in as admin? It is … Read more
Found out what the problem was. Polylang plugin verifies the nonces, so you need to pass it the ‘new-post-translation’ arg. The solution is: wp_nonce_url( $link, ‘new-post-translation’ ); it might help someone, but maybe no 😉
Despite you already figured it out or found a solution, since this is a follow-up to the other question, I thought it’d be benefecial to post this answer, so hopefully it helps you. =) WordPress uses the native setcookie() function in PHP for setting the authentication cookies, and $_COOKIE for reading the cookies values. But … Read more