I think required would mean that “it doesn’t work without it”. It will work, but the question is of security and best practices. Even if it doesn’t seem necessary, it’s better to play in the safe side and do it always. You have to enqueue your JavaScript like bellow, passing PHP values (like the admin … Read more
Now I got it! WordPress is just awesome. Also Thank you knif3r, your suggestions help me lot. I am trying to explain it in my words. Please correct me, if I am wrong. What is nonce? Nonce is something like security hash to prevent attacks and mistakes. It creates unique identifiers to check if the … Read more
That is basically the way WordPress does it and pretty much the only way to do it, simply have your receiving PHP function create a new nonce add send it back with your response, then just update the value on your JS before the next round.
1, the nonce lifetime is about 24 hours by default actually. take a look at wp_verify_nonce function. To be more accurate, the lifetime is controlled by filter apply_filters( ‘nonce_life’, DAY_IN_SECONDS ); 2, if the lifetime value makes you doubt if it is “an implementation side-effect”, you may want to add_filter(‘nonce_life’,create_function(‘$v’, ‘return 60*5;’)); to shorten the … Read more
Just add a filter: function change_menu($items){ foreach($items as $item){ if( $item->title == “Log Out”){ $item->url = $item->url . “&_wpnonce=” . wp_create_nonce( ‘log-out’ ); } } return $items; } add_filter(‘wp_nav_menu_objects’, ‘change_menu’);
Short answer: No. You can use normal strings for actions, md5’ing them doesn’t change anything. The nonce is built from three main pieces of information: Time: The current time() divided by 43200 is worked into the nonce. This is what lets the nonce be changed every 12 hours (43200 seconds in 12 hours). The action … Read more
You should pass the special wp_rest nonce as part of the request. Without it, the global $current_user object will not be available in your REST class. You can pass this from several ways, from $_GET to $_POST to headers. The action nonce is optional. If you add it, you can’t use the REST endpoint from … Read more
Difficult to say for sure where the mistake is as you have not mentioned about your add_action(‘wp_ajax_my_function’,’whatever_callback’);which I think you missed out on that. But your question is missing info in this respect. This is how I would get on about this: In your functions.php file or similar: add_action(wp_ajax_handle_login, ‘handle_login_ajax’); add_action(wp_ajax_nopriv_handle_login, ‘handle_login_ajax’); Make sure your … Read more
The REST API included in WordPress doesn’t actually have authentication built into it. If you do normal authentication in WordPress by logging in, then your browser will receive a set of cookies. If you send those cookies along with your request, then that will authenticate you to perform the actions in question. If you need … Read more
I know this question is ancient, but no, it’s not very secure. Anyone with knowledge of the AJAX endpoint would be able to generate valid nonces, which defeats the purpose in the first place. That being said, nonces are a low level defence in the first place: they only stop the simplest of attacks. A … Read more