As I understand, this plugin uses wp_rest action for nonce and it means that the nonce used is global for the whole JSON REST API. Am I correct here? Yes, it’s not the plugin that needs the nonce, it’s WordPress itself, and it needs other things too such as cookies from an active login session, … Read more
Don’t know if it’s best practice but i had a similar issue and I ended up checking by custom sql query to check if the title already exists in my post type and filtered duplicate posts and i hooked that to wp_insert_post_data filter hook. add_filter(‘wp_insert_post_data’,’prevente_duplicates’); function prevente_duplicates($data,$postarr){ $count = $wpdb->get_results($wpdb->prepare(“SELECT count(id) FROM $wpdb->posts WHERE post_type=”MY_POST_TYPE_NAME” … Read more
Why are you using the edit.php page for this export link? The edit.php code appears to be checking on the “bulk-posts” nonce, which is probably where your failure is, since you’re not using that nonce. You should probably be using post.php instead, or a more general hook with your action.
I found the answer – this contains sample code which helped me resolve the issue. https://codex.wordpress.org/WordPress_Nonces
No, there isn’t any point in that. All docs relating to metaboxes are probably inspired from the wrong code at the codex which use a nonce. The problem which nonces in metabox inadvertently solve is avoiding data corruption when the quick edit feature of the posts list page is used (or thinking about it any … Read more
A nonce is a “number used once” to help protect URLs and forms from certain types of misuse, malicious or otherwise. WordPress nonces aren’t numbers, but are a hash made up of numbers and letters. Nor are they used only once, but have a limited “lifetime” after which they expire. During that time period the … Read more
Yes it is correct. Escaping should be done based on context, and since wp_nonce_url() is used in an hrefas proper url, you should use esc_url.
Problem is, you are submitting data as POST data, but verifying nonce from GET data. Here is how you can create a nonce field in a form easily: wp_nonce_field( ‘add_new_addres’ ); Actually, I personally don’t use more than 1 parameter when calling the wp_nonce_field function. Then when verify use the following code: if ( ! … Read more
For making authenticated API requests from a third party app, you’ll need to install a plugin to give you different methods of authentication. The most convenient but less secure is Basic Authentication: https://github.com/WP-API/Basic-Auth, it’s appropriate for a local development environment. This allows you to make authenticated requests by passing username and password in the body … Read more
the wp_verify_nonce() keep returning false If you were logged-in to your (WordPress) site when you used the form, then the above is normal. Here’s why so: Your form submits to a custom REST API endpoint (at /wp-json/ilms_plugin/new_membership) and the default authentication method used by the REST API is cookie-based, i.e. it checks if a nonce … Read more