You’re not using nonces right – you need to match the nonce action & name that WordPress checks in core for deleting a user. Taken from the source of WP_Users_List_Table: wp_nonce_url( “users.php?action=delete&user={$post->post_author}”, ‘bulk-users’ )
You might be a little confused as to the purpose and function of nonces in WordPress. Recommended reading: WordPress Nonces An Introduction to WordPress Nonces with Examples Protect_Queries_Against_SQL_Injection_Attacks A nonce is a “number used once” to help protect URLs and forms from certain types of misuse, malicious or otherwise. Nonces help you ensure, somewhat, the … Read more
Your code is incorrect in some subtle ways but to get why we first need to get back to what is a nonce in wordpress and what does it protect against. A Nonce by the common definition is a number used only once and it is meant to fight replay attacks. In a replay attack … Read more
In the JS script, include the nonce in data, as in the following example: jQuery(document).ready(function($){ data = { action: ‘hello’, token: $( ‘#token’ ).val() } $(‘#stupid_form’).submit(function(){ $.post(ajaxurl, data, function(response){ $(‘#response’).html(response); }); return false; }); }); Additional Note <?php wp_nonce_field(‘hello’, ‘token’); ?> generates a hidden input with a markup similar to: <input type=”hidden” id=”token” name=”token” value=”d9e3867a0e” … Read more
The basic idea for debug here is that theme apparently influences something it totally should not. Either something is done in a wrong way or in a wrong place. Check that theme is not running any functionality directly in functions.php. Check that all of theme’s functionality runs on appropriate hooks. For hooks that are used … Read more
After some fiddling and sparring with @t-todua I found the issue: With the Fetch API fetch call you must manually set to send cookies with a request. After setting the credentials option properly the cookies were sent and the AJAX endpoint recognized the current user. So the JS becomes: var msg = ”; // I’m … Read more
When you choose “Your CPT > Add New”, WP calls get_default_post_to_edit(), which actually creates an “empty” post (with ‘post_status’ => ‘auto-draft’) and then calls wp_insert_post(). This is what is causing your save_datasheet_meta() function to be called before you think it should. Hence, generally you should add some additional sanity checks to the beginning of any … Read more
Nonces should be used to verify intent of the user, especially on destructive actions. Imagine there is a link user can click to delete a post. User can do it, so when they click is a post gets deleted. Now imagine someone else tricks user into clicking this link (look at this cat pic!). User … Read more
Based on the authentication documentation here – a nonce key needs to be passed with each request. So if the nonce key is being cached on the frontend beyond its lifespan, you will need to hook into the API request before the authentication step and replace the cached nonce key with a valid one. WordPress … Read more
You need to pass the action to check your nonce against, wp_verify_nonce has two parameters. if($_POST && wp_verify_nonce($_REQUEST[‘test_slider_options_nonce’],’test_slider_action’)) echo “TEST”;