Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?

There is no security risk in a pluggable function: If someone installs a plugin that lowers the security it is his/her own fault. On the other hand, you can override the functions to make nonces more unique or to change their format.

In a custom function wp_verify_nonce() you could use an optional third parameter or change the time a nonce expires.

Nowadays pluggable functions aren’t introduced anymore. They are hard to debug, and you can do the same with filters usually. And then there’s as well the problem that you can’t ever be sure that no other plugin will redefine the pluggable function (again) after you redefined it.

Related Posts:

  1. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  2. Disable email notification after change of password
  3. I found this in a plugin. What does it do? is it dangerous?
  4. Disabled plugins are they security holes – rumor or reality?
  5. What could a hacker do with my wp-config.php
  6. How Can I Securely Implement a Password-less Login Feature?
  7. Security and .htaccess
  8. Are there procedures to prevent malicious plugin updates?
  9. Should we use plugins that aren’t available from the official WordPress site?
  10. How to check plugins for malicious code?
  11. How to properly secure my WordPress installation?
  12. Where should my plugin POST to?
  13. Security error WP 4.0 + WP phpBB Bridge [closed]
  14. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  15. Disabled plugins are security holes – rumor or reality?
  16. Should I use RIPS tool to test my themes and plugins?
  17. Prevent Brute Force Attack
  18. How many security plugins are too many? [closed]
  19. Upgrading WordPress 4.0 asks for FTP password
  20. How Restrict access to admin dashboard by specific static ip?
  21. When is it useful to use wp_verify_nonce
  22. Protecting against malicious code in WordPress plugin updates
  23. How to expire all wordpress user passwords instantly?
  24. How to limit WordPress pages during updates?
  25. rms_unique_wp_mu_pl_fl_nm.php
  26. Weird problems after recovery from security breach
  27. How can we deal with unmaintained plugins with vulnerabilities?
  28. Security issues with WP sites
  29. Escape when echoed
  30. Should you escape hardcoded URLs?
  31. Preventing BFA in WordPress without using a plugin
  32. Best way to modify a plugin with no hooks and no pluggable functions?
  33. How can I make uploaded images in the editor load with HTTPS?
  34. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  35. Call to undefined function get_userdata in user.php
  36. WordPress filter that hook after each action/filter hook
  37. WordPress Registration Email by Role
  38. How to delete Passwrd Protected posts cookies when a user logged out from the site
  39. The safest way to automate WordPress backups
  40. wp_create_nonce function doesn’t work inside a plugin?
  41. Overriding functions in wordpress plugins
  42. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  43. How to block plugin activations with no known user or coming from unknown IP address range?
  44. Nonce failing on form submission
  45. Check for security updates
  46. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  47. Why can’t I access my Intranet LDAPS with NADI?
  48. Malicious File Upload [closed]
  49. Stop Plugin Enumeration [closed]
  50. Hack-Proof OR Security in WordPress — is it real?
  51. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  52. Security and Must Use Plugins
  53. Is Timthumb still broken? What security measures should be taken?
  54. Prevent direct access to WordPress plugin assets?
  55. Is it safe to use admin-ajax.php in the frontend?
  56. How to protect WordPress from security scanner [closed]
  57. remove_action not removing add_action from constructor
  58. Specific way to allow WordPress users to view their current password? And edit it?
  59. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  60. How to prevent plugins from sniffing/stealing other plugins’ options?
  61. Editing wp-config.php
  62. Need to replace Currency Shortforms
  63. Custom API plugin to execute 3rd party API to retrieve data
  64. How to deal with Slow HTTP POST (slowloris) vulnerability
  65. Running multiple security plugins
  66. how do I secure my WP website from hackers? [closed]
  67. Override plugin class which has namespace
  68. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  69. How to add custom function to pluggable.php
  70. WP Insert Post If user refreshes override new post
  71. 404 errors when updating options in admin dashboard
  72. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  73. Hide plugins and theme from public
  74. WordPress search shows protected content
  75. Security of a WordPress Plugin
  76. Can I disable xml-rpc by setting it to false?
  77. RSS feeds for specific topics
  78. Help to Create a Simple Plugin to make a post
  79. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  80. prevent anonymous access to WordPress site (non-admin site)
  81. “Fire Secure” menu item
  82. Securing a plugin pop-up window
  83. https rewrite not working for All in one security Brute force > rename login url
  84. Redux framework somehow added to my site, can’t locate in plugins
  85. wp_verify_nonce fails always
  86. How can i see/log all requests coming from a registration form (not from the UI)?
  87. Site is continuously accessing by several IPs
  88. pluggable function in theme, to be overridden by plugin
  89. Validating values using Settings API?
  90. using .htaccess only for wordpress security no plugins
  91. Problem with permissions in wp-content/plugins
  92. overwrite a plugin function in functions.php
  93. My WP site and password was hacked, what to do? [closed]
  94. How to resolve these findings from security audit
  95. How I can hide my wp folders from Inspect Element (Developer Tools)
  96. How to Find WordPress site has backdoor login Codes
  97. How to delete Password Protected posts cookies when a user logged out from the site
  98. Stop the user if login from the cookies
  99. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  100. Block Root REST API Route using custom &/or iThemes

Leave a Comment

techhipbettruvabetnorabahisbahis forumutaraftarium24eduedusedueduseduedusedueduedusedus