Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?

There is no security risk in a pluggable function: If someone installs a plugin that lowers the security it is his/her own fault. On the other hand, you can override the functions to make nonces more unique or to change their format.

In a custom function wp_verify_nonce() you could use an optional third parameter or change the time a nonce expires.

Nowadays pluggable functions aren’t introduced anymore. They are hard to debug, and you can do the same with filters usually. And then there’s as well the problem that you can’t ever be sure that no other plugin will redefine the pluggable function (again) after you redefined it.

Related Posts:

  1. Best collection of code for your 'functions.php' file [closed]
  2. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  3. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  4. Are WordPress Plugins essential?
  5. I found this in a plugin. What does it do? is it dangerous?
  6. What are the common security flaws I need to look for? [closed]
  7. How do I call wp_get_current_user() in a plugin when plugins are loaded before pluggable.php?
  8. What could a hacker do with my wp-config.php
  9. Why “Contact Form 7” doesn’t update PHPmailer library?
  10. Secure WordPress paid plugin
  11. How to make media upload private? [duplicate]
  12. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  13. What does a security risk in a plugin look like?
  14. why plugins are loaded prior to pluggables
  15. WordPress Capabilities: edit_user vs edit_users
  16. How to check plugins for malicious code?
  17. How to properly secure my WordPress installation?
  18. Editor access to plugin settings
  19. Where should my plugin POST to?
  20. Security error WP 4.0 + WP phpBB Bridge [closed]
  21. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  22. Should I use RIPS tool to test my themes and plugins?
  23. Why users disable the WordPress update?
  24. How many security plugins are too many? [closed]
  25. Will WordPress username displayed somewhere in the site?
  26. Upgrading WordPress 4.0 asks for FTP password
  27. Overriding a function in wordpress
  28. Is revealing just the AUTH_KEY a security issue?
  29. How Restrict access to admin dashboard by specific static ip?
  30. Protecting against malicious code in WordPress plugin updates
  31. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  32. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  33. How to expire all wordpress user passwords instantly?
  34. How to limit WordPress pages during updates?
  35. rms_unique_wp_mu_pl_fl_nm.php
  36. Current user in plugin returns NULL
  37. Security issues with WP sites
  38. Security checking in meta_box save is reluctant?
  39. Should you escape hardcoded URLs?
  40. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  41. Call to undefined function get_userdata in user.php
  42. How to delete Passwrd Protected posts cookies when a user logged out from the site
  43. The safest way to automate WordPress backups
  44. wp_create_nonce function doesn’t work inside a plugin?
  45. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  46. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  47. Headers Content-Security-Policy CSP Major Issue
  48. How to block plugin activations with no known user or coming from unknown IP address range?
  49. Nonce failing on form submission
  50. Check for security updates
  51. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  52. Malicious File Upload [closed]
  53. Malware installation during plugin update?
  54. Hack-Proof OR Security in WordPress — is it real?
  55. Security and Must Use Plugins
  56. Is Timthumb still broken? What security measures should be taken?
  57. Is it safe to use admin-ajax.php in the frontend?
  58. How to protect WordPress from security scanner [closed]
  59. Specific way to allow WordPress users to view their current password? And edit it?
  60. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  61. How to prevent plugins from sniffing/stealing other plugins’ options?
  62. Editing wp-config.php
  63. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  64. Need to replace Currency Shortforms
  65. How to deal with Slow HTTP POST (slowloris) vulnerability
  66. Running multiple security plugins
  67. Override plugin class which has namespace
  68. How do I determine if the user who registered is not spam?
  69. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  70. WP Insert Post If user refreshes override new post
  71. 404 errors when updating options in admin dashboard
  72. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  73. WordPress search shows protected content
  74. Can I disable xml-rpc by setting it to false?
  75. RSS feeds for specific topics
  76. How can I disable new plugin and theme install, but allow updates?
  77. Help to Create a Simple Plugin to make a post
  78. Validating ajax search
  79. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  80. WordPress disable direct access of files in WordPress installation path
  81. Asking help regarding potential malware
  82. “Fire Secure” menu item
  83. https rewrite not working for All in one security Brute force > rename login url
  84. Redux framework somehow added to my site, can’t locate in plugins
  85. Being hacked. Is there a list of WordPress security holes I can check against?
  86. wp_verify_nonce fails always
  87. Validating values using Settings API?
  88. using .htaccess only for wordpress security no plugins
  89. Problem with permissions in wp-content/plugins
  90. overwrite a plugin function in functions.php
  91. My WP site and password was hacked, what to do? [closed]
  92. How to resolve these findings from security audit
  93. How I can hide my wp folders from Inspect Element (Developer Tools)
  94. How to Find WordPress site has backdoor login Codes
  95. How to delete Password Protected posts cookies when a user logged out from the site
  96. How to rename files during upload to a random string?
  97. Stop the user if login from the cookies
  98. Is it a good idea to restrict the REST API
  99. WordPress.Security.NonceVerification.Recommended
  100. How to verify/test that a custom built wordpress theme is as secure as possible?

Leave a Comment