WordPress JSON API nonces and Vue development server

For making authenticated API requests from a third party app, you’ll need to install a plugin to give you different methods of authentication. The most convenient but less secure is Basic Authentication: https://github.com/WP-API/Basic-Auth; it’s appropriate for a local development environment. This allows you to make authenticated requests by passing username and password in the body … Read more

wp_verify_nonce return false despite correct parameter passed

the wp_verify_nonce() keep returning false If you were logged-in to your (WordPress) site when you used the form, then the above is normal. Here’s why so: Your form submits to a custom REST API endpoint (at /wp-json/ilms_plugin/new_membership) and the default authentication method used by the REST API is cookie-based, i.e. it checks if a nonce … Read more

Cannot verify nonce

What you are doing wrong is using a nonce in a context it was not intended to be used in. Nonces should be used on web pages for logged-in users, not just as a random “it has something to do with security so it has to be right” kind of measure ;). If you need to … Read more

Handling expired nonces

Nonces are not a magic bullet that makes your site more secure simply by being applied everywhere. Broadly speaking, nonces should be applied only to logged-in users, and serve little purpose when applied to non-logged-in users. Even for logged-in users, there might be situations in which nonces are just not needed (like when … Read more

Why am I getting a 403 from check_admin_referer()?

In the JS script, include the nonce in data, as in the following example: jQuery(document).ready(function($){ data = { action: 'hello', token: $( '#token' ).val() } $('#stupid_form').submit(function(){ $.post(ajaxurl, data, function(response){ $('#response').html(response); }); return false; }); }); Additional Note <?php wp_nonce_field('hello', 'token'); ?> generates a hidden input with a markup similar to: <input type="hidden" id="token" name="token" value="d9e3867a0e" … Read more

my theme breaks WP export

The basic idea for debugging here is that the theme apparently influences something it totally should not. Either something is done in a wrong way or in a wrong place. Check that the theme is not running any functionality directly in functions.php. Check that all of the theme’s functionality runs on appropriate hooks. For hooks that are used … Read more

Nonce failing in IE

You should not use nonces for non-logged-in users. You should not use nonces in any full or partial page caching scenario. Unlike the impression given many times, just sprinkling nonces here and there with no specific reason does not improve the site's security, and may cause actual problems for non-logged-in users.
