I went for the solution as suggested by @Rup in the comments. Replacing the two nonce functions, wp_create_nonce() and wp_verify_nonce() to prefix a nonce with a 1 or a 0 for logged-in and logged-out users respectively. The logged out nonces work by IP rather than User ID and session Token. Thus, allowing for nonces to … Read more
Just use get_delete_post_link( $post_ID ) – it’ll return the absolute URL with nonce and all! Just to be clear, this will get the link to trash posts (if trash supported). If you want to skip trash & get the perma-delete link, pass a second argument of true*. http://codex.wordpress.org/Function_Reference/get_delete_post_link Update: Having checked the source, it seems … Read more
More context would be helpful. Is that all the code found in your plugin or functions file directly? Or are you hooking in to something via add_action. Anyway, what’s probably wrong is that you’re calling wp_localize_script and wp_enqueue_script outside of an action. wp_create_nonce, or, rather, the file in which it resides, has yet to be … Read more
It’s inlineeditnonce. Check line 1185 of admin-ajax.php for details.
I am also under same issues, it not only happen when you update a posts but also when you try to update your profile. Temporary fix: Log out of the wordpress panel. Clear or remove all the cookie. Log back in, remember to check remember me. This seems to solve the issue but as the … Read more
WordPress REST API call generates nonce twice on every call
No, it is not needed. If you want to show the data to some users only, you can use current_user_can( ‘some_capability’ ) to restrict the access.
The API handles the nonce for the form part because you’re using the settings_fields call, which outputs the *-options nonce, and you’re passing the data to the options.php file for saving, which checks that nonce for you before saving the settings. This part the Settings API does indeed do for you. However, your tab code … Read more
Sanitizing is required when you are inserting user input into Database or outputting it in HTML etc. Here, you are simply doing a String comparison. wp_verify_nonce function checks $nonce value like this: if ( hash_equals( $expected, $nonce ) ) { return 1; } For this you don’t need sanitizing. So the following is fine: wp_verify_nonce( … Read more
The “The link you followed has expired” message is in the function wp_nonce_ays on line 2607 of wp-includes/functions.php. Apparently, the message was changed from “Are you sure you want to do this?” in 4.9.5. The wp_nonce_ays function is called by check_admin_referer if the nonce check fails. This is the only place in the WordPress code … Read more