Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?

There is no security risk in a pluggable function: If someone installs a plugin that lowers the security it is his/her own fault. On the other hand, you can override the functions to make nonces more unique or to change their format.

In a custom function wp_verify_nonce() you could use an optional third parameter or change the time a nonce expires.

Nowadays pluggable functions aren’t introduced anymore. They are hard to debug, and you can do the same with filters usually. And then there’s as well the problem that you can’t ever be sure that no other plugin will redefine the pluggable function (again) after you redefined it.

Related Posts:

  1. Best collection of code for your 'functions.php' file [closed]
  2. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  3. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  4. Disable email notification after change of password
  5. Are WordPress Plugins essential?
  6. I found this in a plugin. What does it do? is it dangerous?
  7. What are the common security flaws I need to look for? [closed]
  8. Disabled plugins are they security holes – rumor or reality?
  9. How do I call wp_get_current_user() in a plugin when plugins are loaded before pluggable.php?
  10. What could a hacker do with my wp-config.php
  11. How Can I Securely Implement a Password-less Login Feature?
  12. Security and .htaccess
  13. Why “Contact Form 7” doesn’t update PHPmailer library?
  14. Are there procedures to prevent malicious plugin updates?
  15. Secure WordPress paid plugin
  16. How to make media upload private? [duplicate]
  17. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  18. What does a security risk in a plugin look like?
  19. why plugins are loaded prior to pluggables
  20. WordPress Capabilities: edit_user vs edit_users
  21. Should we use plugins that aren’t available from the official WordPress site?
  22. How to check plugins for malicious code?
  23. How to properly secure my WordPress installation?
  24. Editor access to plugin settings
  25. Where should my plugin POST to?
  26. Security error WP 4.0 + WP phpBB Bridge [closed]
  27. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  28. Disabled plugins are security holes – rumor or reality?
  29. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  30. Should I use RIPS tool to test my themes and plugins?
  31. Prevent Brute Force Attack
  32. Why users disable the WordPress update?
  33. How many security plugins are too many? [closed]
  34. Will WordPress username displayed somewhere in the site?
  35. Upgrading WordPress 4.0 asks for FTP password
  36. Overriding a function in wordpress
  37. Is revealing just the AUTH_KEY a security issue?
  38. How Restrict access to admin dashboard by specific static ip?
  39. When is it useful to use wp_verify_nonce
  40. Protecting against malicious code in WordPress plugin updates
  41. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  42. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  43. How to expire all wordpress user passwords instantly?
  44. How to limit WordPress pages during updates?
  45. rms_unique_wp_mu_pl_fl_nm.php
  46. Current user in plugin returns NULL
  47. Weird problems after recovery from security breach
  48. How can we deal with unmaintained plugins with vulnerabilities?
  49. Security issues with WP sites
  50. Security checking in meta_box save is reluctant?
  51. Escape when echoed
  52. Should you escape hardcoded URLs?
  53. Preventing BFA in WordPress without using a plugin
  54. Best way to modify a plugin with no hooks and no pluggable functions?
  55. How can I make uploaded images in the editor load with HTTPS?
  56. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  57. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  58. Call to undefined function get_userdata in user.php
  59. WordPress filter that hook after each action/filter hook
  60. WordPress Registration Email by Role
  61. How to delete Passwrd Protected posts cookies when a user logged out from the site
  62. The safest way to automate WordPress backups
  63. wp_create_nonce function doesn’t work inside a plugin?
  64. Overriding functions in wordpress plugins
  65. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  66. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  67. Headers Content-Security-Policy CSP Major Issue
  68. How to block plugin activations with no known user or coming from unknown IP address range?
  69. Nonce failing on form submission
  70. Check for security updates
  71. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  72. Why can’t I access my Intranet LDAPS with NADI?
  73. Malicious File Upload [closed]
  74. Stop Plugin Enumeration [closed]
  75. Malware installation during plugin update?
  76. Hack-Proof OR Security in WordPress — is it real?
  77. I should enable automatic updates?
  78. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  79. Security and Must Use Plugins
  80. Is Timthumb still broken? What security measures should be taken?
  81. Prevent direct access to WordPress plugin assets?
  82. Is it safe to use admin-ajax.php in the frontend?
  83. How to protect WordPress from security scanner [closed]
  84. remove_action not removing add_action from constructor
  85. How to execute init or woocommerce_init only for checkout page
  86. How to resolve these findings from security audit
  87. How I can hide my wp folders from Inspect Element (Developer Tools)
  88. How to Find WordPress site has backdoor login Codes
  89. How to delete Password Protected posts cookies when a user logged out from the site
  90. How to rename files during upload to a random string?
  91. Stop the user if login from the cookies
  92. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  93. Block Root REST API Route using custom &/or iThemes
  94. Is it a good idea to restrict the REST API
  95. WordPress.Security.NonceVerification.Recommended
  96. Secure way to add JS Script to WordPress filesystem
  97. Bullet proofing a server with 150 WP insallations
  98. Code Snippets security when selecting “only run on front end”
  99. What is the best way to override functions of thirdparty plugins?
  100. How to verify/test that a custom built wordpress theme is as secure as possible?

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)