WordPress Ajax Data Security

There are a few things you can do to make more secure:

First the Ajax call it self should be made with a WordPress nonce like you said:

<script type="text/javascript" >
    jQuery(document).ready(function($) {
        var data = {
            action: 'ACTION_NAME',
            Whatever_data: 1234,
            _ajax_nonce: <?php echo wp_create_nonce( 'my_ajax_nonce' ); ?>
        };
        $.post(ajaxurl, data, function(response) {
            alert('Got this from the server: ' + response);
        });
    });
</script>

In the above code mind the two attributes action and _ajax_nonce which both are needed to verify the call to admin-ajax.php, in the first few lines of code it check if an action was sent to the server and if not then it die()‘s (FIRST CHECK) then using that action you with an action hook you call your own ajax function:

//if you want only logged in users to access this function use this hook
add_action('wp_ajax_ACTION_NAME', 'my_AJAX_processing_function');

//if you want none logged in users to access this function use this hook
add_action('wp_ajax_nopriv_ACTION_NAME', 'my_AJAX_processing_function');

and if you want both logged in users and none logged in visitors to access this function the use both hooks (SECOND CHECK).

then in you ajax function the first thing you should do is check for the ajax referrer (THIRD CHECK):

function my_AJAX_processing_function(){
   check_ajax_referer('my_ajax_nonce');
   //do stuff here
}

next when running queries on database with user input you should use $wpdb->prepare for escaping and validation so instead of:

$query = "SELECT `id` FROM table WHERE `user_id` = $myid;";
$data = $wpdb->get_col( $query )

use:

$data = $wpdb->query( $wpdb->prepare("SELECT `id` FROM table WHERE `user_id` = %d",$myid));

Related Posts:

  1. Nonces and Cache
  2. Is it safe to assume that a nonce may be validated more than once?
  3. Multiple ajax nonce requests
  4. Nonces, AJAX, script variables & security in WordPress
  5. How do I check if AJAX nonces are implemented correctly?
  6. Is it safe to manually sign a user in using AJAX?
  7. WP Admin AJAX Security – using POST to include a relative URL
  8. ajax nonce verification failing
  9. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  10. Is it secure to use admin-ajax.php in front?
  11. Why does check_ajax_referer give a 403 error on https websites?
  12. Using nonce when loading posts with AJAX
  13. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  14. Custom RPC end-point security best pratice?
  15. Should wordpress nonce be placed in html form or in javascript file
  16. How to prevent my external API call from being called by anyone but me (my site)
  17. check_ajax_reffer not working when logged
  18. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  19. Ajax Security regarding user priviliges and nonces
  20. Can I make an ajax response cross-domain?
  21. ASP.NET MVC controller actions that return JSON or partial html
  22. How does admin-ajax.php work?
  23. Ajax in a settings page (update_option is undefined)
  24. redirect out of wp-admin, without losing admin-ajax.php
  25. Ajax request returning full page code
  26. WordPress embeds in AJAX inserted content
  27. How do I send an ajax request and get a response back from a function?
  28. How-to debug wp_ajax_* hook callback?
  29. AJAX Implementation
  30. how to use ajax in plugin admin area?
  31. Load page content with AJAX using Fancybox?
  32. Dynamically changing navigation links (next and previous) via AJAX
  33. jQuery UI Autocomplete showing all results
  34. AJAX action not triggering PHP function
  35. Ajaxing in functions.php
  36. add_action and Ajax
  37. Enqueue script dinamically
  38. Most performant way of fetching remote API data?
  39. Admin-ajax responds with 0 due to empty $_REQUEST
  40. Help with AJAX front end comment moderation
  41. wp_ajax_nopriv_xxx is not firing on one site, works on all others. -1 for logged out users
  42. Ajax Modal Flickers When Opened Multiple Times
  43. Increased CPU load due to admin-ajax.php spam
  44. Ajax image upload with media_handle_upload and form.js
  45. Can’t get result from sql using ajax result
  46. Theme Customizer – Conditional Controls
  47. Caching-Plugins and Ajax-Page-Parts
  48. Ajax loading duplicate post
  49. WordPress AJAX – how to return true or false in the callback function
  50. WordPress Ajax POST Error 403 admin-ajax.php
  51. How do I detect in which page ajax_query_attachments_args is loaded?
  52. Ajax post returning full html page as response
  53. Which allowed API hooks work to add wp_ajax action?
  54. Pass additional parameter with async upload
  55. Ajax store response json in variables
  56. Performance optimization of tree like structure
  57. WordPress search results with Ajax, get_post_type() not working
  58. Variable Products Being Added to Cart with AJAX on Shop and Category Pages
  59. Audio TAG Not using MediaElement When Page is loaded through ajax
  60. Best way to use ajax front-end?
  61. Ajax calls from the theme directory
  62. How to pass parameters from jQuery ajax into PHP function?
  63. How to add ajax url to js using wp_add_inline_script()?
  64. merge wp rest api query to get posts per category does not work
  65. use jQuery.load() to include a php file in a div, wp_query() is part of php file
  66. Load more posts in the same category – Ajax + Timber
  67. Redirect after saving form; and yet use wp_die()
  68. ajaxt returning object object [closed]
  69. Load more posts (Ajax) in tabbed sidebar on single.php
  70. Something strange with ajax
  71. admin-ajax.php returns 0 even when the post status code is 200 OK
  72. Why is the file not uploading to the server?
  73. Get localize of a loaded javascript
  74. Merge PDF files from post custom fields(ACF) into one PDF file and respond back the created PDF file, WordPress(AJAX Request)
  75. REST public POST giving 403 forbidden nginx
  76. Query data after an Ajax insert
  77. Is there a public ajax endpoint?
  78. Why Ajax Doesn’t Work?
  79. How can i do public ajax call?
  80. How to prevent multiple post with same meta value being created simultaneously in WordPress (with ajax)
  81. Content including hooks inside wp-settings.php are being called twice in WordPress
  82. Problem when sending file via ajax
  83. Can’t GET Variable from AJAX URL
  84. JS global variable doesn’t update
  85. 404 error custom post type rest api
  86. How to update cart total after AJAX success
  87. Change button text after ajax db update
  88. Jquery wrap permalink in a data-attribute?
  89. Load .php file into div using ajax
  90. Native WordPress Video Shortcode Not Working After Post is Loaded via Ajax
  91. AJAX Post from same domain to a wordpress page
  92. Using AJAX for dynamic settings pages
  93. Speeding up admin-ajax.php
  94. admin ajax is not working for non logged in users
  95. AJAX admin Internal 500 error Failed to Upload
  96. Class property not visible inside ajax callback function?
  97. $wpdb Ajax not redirecting to main page
  98. how reduce fetch/XHR response time
  99. wordpress ajax bad request 400
  100. Custom WP rest api endpoint only working on non https?

Leave a Comment