Multiple ajax nonce requests

That is basically the way WordPress does it and pretty much the only way to do it: simply have your receiving PHP function create a new nonce and send it back with your response, then just update the value on your JS before the next round.

Is it safe to assume that a nonce may be validated more than once?

1. The nonce lifetime is about 24 hours by default, actually. Take a look at the wp_verify_nonce function. To be more accurate, the lifetime is controlled by a filter: apply_filters( 'nonce_life', DAY_IN_SECONDS ); 2. If the lifetime value makes you doubt if it is "an implementation side-effect", you may want to add_filter('nonce_life', function () { return 60 * 5; }); to shorten the … Read more

Using nonce in menu item

Just add a filter:

    // Append a log-out nonce to the "Log Out" menu item's URL.
    function change_menu($items){
        foreach($items as $item){
            if( $item->title == "Log Out"){
                $item->url = $item->url . "&_wpnonce=" . wp_create_nonce( 'log-out' );
            }
        }
        return $items;
    }
    add_filter('wp_nav_menu_objects', 'change_menu');

Verify nonce in REST API?

You should pass the special wp_rest nonce as part of the request. Without it, the global $current_user object will not be available in your REST class. You can pass this in several ways, from $_GET to $_POST to headers. The action nonce is optional. If you add it, you can’t use the REST endpoint from … Read more

AJAX nonce with check_ajax_referer()

Difficult to say for sure where the mistake is, as you have not mentioned your add_action('wp_ajax_my_function', 'whatever_callback'); which I think you missed out on. But your question is missing info in this respect. This is how I would go about this: In your functions.php file or similar: add_action('wp_ajax_handle_login', 'handle_login_ajax'); add_action('wp_ajax_nopriv_handle_login', 'handle_login_ajax'); Make sure your … Read more

Nonces and Cache

I know this question is ancient, but no, it’s not very secure. Anyone with knowledge of the AJAX endpoint would be able to generate valid nonces, which defeats the purpose in the first place. That being said, nonces are a low level defence in the first place: they only stop the simplest of attacks. A … Read more

How do WordPress Nonces Work?

If you read WordPress Nonces in Codex, they have explained it pretty fairly. Some of the key points are: 1. Always assume nonces can be compromised. 2. Nonces are a hash made up of numbers and letters. 3. WordPress verifies any https request with both nonces and user cookies. I believe point #3 is, in short, how … Read more

How to expire a nonce?

The problem with expiring a nonce is that in WordPress, nonces aren’t nonces in the purest sense of the term: “number used once.” Rather, a WP nonce is a (substring of a) hash of a string involving a time signature at the moment it was generated, among other things: user ID, the action name and … Read more
