That value is a random-ish string generated for one-time use with a lifespan of, if I remember correctly, 12 hours. I am not sure what you mean by “get” the value. Assuming you mean “generate the nonce” then… You want wp_nonce_url or one of the related functions. wp_nonce_url( $actionurl, $action, $name ); For example: wp_nonce_url( … Read more
because the Heartbeat system is mostly orthogonal to the rest of wordpress and therefor it is not really aware what is the content of the pages it runs on. As it is a relatively new system it probably has edges that are not well defined or tested, and if you think there is some weird … Read more
Full page NGINX (or Cloudflare) caching and WordPress nonces
Nonces, AJAX, script variables & security in WordPress
Switch to full SSL for everything. Seriously, it’s way easier than dealing with mixed content.
Specific to nonce there is nothing to worry about as there is a third private parameter which is kept in secret (one of the keys added in your wp_config.php file). In general, there is no such thing as “closed source”, and all code can be read and interpreted by anyone that is willing to dedicate … Read more
You should not use nonce for non logged in users. You should not use nonces in any full or partial page caching scenario. Unlike the impression given many times, just sprinkling nonce here and there with no specific reason do not improve the sites security, and may cause actual problems for non logged in users.
In line 3 of your form markup, you’re passing two arguments to wp_create_nonce when it only accepts one. It’s a simple typo. You’ll want to concatenate the string like so: wp_create_nonce( ‘edit_post-‘. $post->ID ) //dot instead of comma EDIT: I’d suggest you give the nonce field a more specific name than _wpnonce, as this is … Read more
I delete wpApiSettings.nonce at the top of my app.js, perhaps not an ideal solution but it works.
Ok, so technically I didn’t solve the issue that prevented me from accessing posts in draft status from an external domain where the frontend is hosted using only nonce values. My guess is that the logged_in cookie was not set/could not be read on the frontend side to verify the nonce value during an external … Read more