Using a nonce outside of WP Admin

Nonces are not tied to the admin interface. This codex page explains them very well. Essentially, you add <?php wp_nonce_field('name_of_my_action', 'name_of_nonce_field'); ?> in your form (this creates a hidden input field containing a one-time-use token). And where you're doing the form processing you just check if the nonce is correct: if(!wp_verify_nonce($_POST['name_of_nonce_field'], 'name_of_my_action')){ // no …

How to add/retrieve the post trash link?

Just use get_delete_post_link( $post_ID ) – it'll return the absolute URL with nonce and all! Just to be clear, this will get the link to trash posts (if trash is supported). If you want to skip trash & get the perma-delete link, pass a second argument of true*. http://codex.wordpress.org/Function_Reference/get_delete_post_link Update: Having checked the source, it seems …

Fatal error: Call to undefined function wp_create_nonce()

More context would be helpful. Is that all the code found in your plugin or functions file directly? Or are you hooking into something via add_action? Anyway, what's probably wrong is that you're calling wp_localize_script and wp_enqueue_script outside of an action. wp_create_nonce, or, rather, the file in which it resides, has yet to be …

Should nonce be sanitized?

Sanitizing is required when you are inserting user input into the database, outputting it in HTML, etc. Here, you are simply doing a string comparison. The wp_verify_nonce function checks the $nonce value like this: if ( hash_equals( $expected, $nonce ) ) { return 1; } For this you don't need sanitizing. So the following is fine: wp_verify_nonce( …