In line 3 of your form markup, you’re passing two arguments to wp_create_nonce when it only accepts one. It’s a simple typo. You’ll want to concatenate the string like so: wp_create_nonce( ‘edit_post-‘. $post->ID ) //dot instead of comma EDIT: I’d suggest you give the nonce field a more specific name than _wpnonce, as this is … Read more
Yes Not really, but you can verify your change by login to admin and go to your profile. Wait 18 hours and try to submit. It should fail. The longer the nonce expiration time is the longer an attacker might be able to trick you into performing unintended operation (but there is actually very slim … Read more
If anybody is strangling with it, the proper solution is to use both wp_set_auth_cookie specifying the second parameter being the logged_in cookie, which now gives me the following code: wp_set_current_user($user_id); if ( wp_validate_auth_cookie( ”, ‘logged_in’ ) != $user_id ) { wp_set_auth_cookie( $user_id ); } And to add an action, as suggested in this thread: Extend … Read more
You are not inserting the nonce field in your form, so your script won’t recieve the nonce field and this code: if ( !isset($_POST[‘nonce_name’])) Will be validated becasue $_POST[‘nonce_name’] is not set. In your code, remove this line: <input type=”hidden” value=””.wp_nonce_field(“nonce_action’,’nonce_name’).”‘/> And, where it said //TODO: set nonce, you need to include: $out .= wp_nonce_field( … Read more
I get it a few time on my Hostnoc hosting, it happens when you have something running at the back of your WordPress (i.e. cron job or schedule backup up etc), this happens when you put a lot of usage on the server. Make sure you save each and everything before pressing publish. Furthermore, changed … Read more
Depends, will the form work with AJAX turned off? If so use an input and degrade gracefully. Otherwise, define nonces used by JS using JS for consistency, and to prevent grabbing stuff from the DOM
Nonces are not tied to the admin interface. This codex page explains them very well. Essentially, you add : <?php wp_nonce_field(‘name_of_my_action’, ‘name_of_nonce_field’); ?> in your form (this creates a hidden input field containing an one-time-use token). And where you’re doing the form processing you just check if the nonce is correct if(!wp_verify_nonce($_POST[‘name_of_nonce_field’], ‘name_of_my_action’)){ // no … Read more
Just use get_delete_post_link( $post_ID ) – it’ll return the absolute URL with nonce and all! Just to be clear, this will get the link to trash posts (if trash supported). If you want to skip trash & get the perma-delete link, pass a second argument of true*. http://codex.wordpress.org/Function_Reference/get_delete_post_link Update: Having checked the source, it seems … Read more
More context would be helpful. Is that all the code found in your plugin or functions file directly? Or are you hooking in to something via add_action. Anyway, what’s probably wrong is that you’re calling wp_localize_script and wp_enqueue_script outside of an action. wp_create_nonce, or, rather, the file in which it resides, has yet to be … Read more
The problem with expiring a nonce is that in WordPress, nonces aren’t nonces in the purest sense of the term: “number used once.” Rather, a WP nonce is a (substring of a) hash of a string involving a time signature at the moment it was generated, among other things: user ID, the action name and … Read more