wp_verify_nonce return false despite correct parameter passed

the wp_verify_nonce() keep returning false If you were logged-in to your (WordPress) site when you used the form, then the above is normal. Here’s why so: Your form submits to a custom REST API endpoint (at /wp-json/ilms_plugin/new_membership) and the default authentication method used by the REST API is cookie-based, i.e. it checks if a nonce … Read more

Cannot verify nonce

What you are doing wrong is using nonce in a context it was not intended to be used in. nonces should be used on web pages for logged in users, not just a random “it has something to do with security so it has to be right” kind of measure ;). If you need to … Read more

Handling expired nonces

Nonces are not magic bullet that by simply applying it everywhere your site get more secure. Talking broadly, nonce should be applied only to logged in users, and serve little purpose when applied to non logged in. Even for logged in users, there might be situations in which nonces are just not needed (like when … Read more

Why am I getting a 403 from check_admin_referer()?

In the JS script, include the nonce in data, as in the following example: jQuery(document).ready(function($){ data = { action: ‘hello’, token: $( ‘#token’ ).val() } $(‘#stupid_form’).submit(function(){ $.post(ajaxurl, data, function(response){ $(‘#response’).html(response); }); return false; }); }); Additional Note <?php wp_nonce_field(‘hello’, ‘token’); ?> generates a hidden input with a markup similar to: <input type=”hidden” id=”token” name=”token” value=”d9e3867a0e” … Read more

my theme breaks WP export

The basic idea for debug here is that theme apparently influences something it totally should not. Either something is done in a wrong way or in a wrong place. Check that theme is not running any functionality directly in functions.php. Check that all of theme’s functionality runs on appropriate hooks. For hooks that are used … Read more

Nonce failing in IE

You should not use nonce for non logged in users. You should not use nonces in any full or partial page caching scenario. Unlike the impression given many times, just sprinkling nonce here and there with no specific reason do not improve the sites security, and may cause actual problems for non logged in users.

wp_verify_nonce() via REST always returns false

In line 3 of your form markup, you’re passing two arguments to wp_create_nonce when it only accepts one. It’s a simple typo. You’ll want to concatenate the string like so: wp_create_nonce( ‘edit_post-‘. $post->ID ) //dot instead of comma EDIT: I’d suggest you give the nonce field a more specific name than _wpnonce, as this is … Read more