How to stop _wpnonce and _wp_http_referer from appearing in URL

This issue arises because of a couple of problems: 1) WP_List_Table::search_box() inserts the default _wpnonce and _wp_http_referer fields by using wp_nonce_field() without giving you the ability to override and say “I’ve already got a nonce field thanks”. 2) You need to use GET as your method of form submission when subclassing WP_List_Table because WP_List_Table::print_column_headers() only …

Nonces and Ajax request to REST API and verification

For restricting access to your REST API endpoint, you can use the permission_callback parameter like so:

    register_rest_route( 'rw-user/v1', '/log-out', array(
        'methods'             => 'POST',
        'callback'            => 'ajax_logout',
        'permission_callback' => function () {
            return current_user_can( 'read' );
        },
    ) );

And that will require the current user to be logged into WordPress and also the REST API …

Reduce nonce lifespan

Yes, using that filter will affect the lifespan of all nonces created after this filter is added, and while it remains in-place. So your best bet is to add it, create the nonce, remove it:

    function my_nonce_lifetime() {
        return 600; // 10 minutes
    }

    add_filter( 'nonce_life', 'my_nonce_lifetime' );
    $nonce = wp_create_nonce( 'wp_rest' );
    remove_filter( 'nonce_life', 'my_nonce_lifetime' );

WordPress failure when logging out

This message is raised by wp_nonce_ays() which is called by check_admin_referer(). Your browser has probably not sent a referer header, so WordPress could not validate the nonce. This may be a problem in your browser settings or your network connection.

How to add WordPress nonces to ajax request

I figured it out. Simply, in my request, under data, I added

    "nonce" : "<?php echo wp_create_nonce( 'refresh_my_plugin' ); ?>"

then to verify

    if (isset($_POST['refresh_my_plugin']))
        if ( wp_verify_nonce( $_POST['nonce'], 'refresh_my_plugin' ) )
            refresh_my_plugin();

With incorrect wp_verify_nonce, I instead get a 403, which is reflected on the button with the error handler.

Using nonce external of WP Admin

Nonces are not tied to the admin interface. This codex page explains them very well. Essentially, you add:

    <?php wp_nonce_field('name_of_my_action', 'name_of_nonce_field'); ?>

in your form (this creates a hidden input field containing a one-time-use token). And where you’re doing the form processing you just check if the nonce is correct:

    if(!wp_verify_nonce($_POST['name_of_nonce_field'], 'name_of_my_action')){ // no …
