WordPress custom admin functions security

Read about “Nonces”.

Create one and append it to your URL:

$url="example.php?filename=whatever&nonce=" . wp_create_nonce('my_sensitive_action');

When your request is fulfilled check for it:

// here verify if the nonce was used before
if(wp_verify_nonce($_GET['nonce'], 'my_sensitive_action')){
  // it's ok, it wasn't used before
}

Also the validity of these nonces has a time limit, like one day or so.
If the nonce is not used within this period, it will expire…

Related Posts:

  1. wp_verify_nonce vs check_admin_referer
  2. How does admin-ajax.php work?
  3. This CSS Stuffing Works, But Is This A Good Practice?
  4. Securing Admin Accounts – Username Discovery
  5. Settings API – easiest way of validating checkboxes?
  6. WordPress Admin back-end – advanced options page?
  7. How To View Site from Non-Logged-In User’s Perspective
  8. wp_dropdown_pages() in theme admin page
  9. Assuming a theme is properly secured, how save is the WordPress admin?
  10. Don’t attribute content to admin users
  11. How can I show the contents of only a few users
  12. Settings API not saving values to database
  13. WordPress ACL (folder + permissions)
  14. Admin option sidebar count
  15. using rewrites to secure login page
  16. Problem with Settings API: changes are not saved after submit
  17. Add Custom Script in Other Plugin’s Options page
  18. Accessing variable from admin panel?
  19. How can I POST or GET to the same admin page from which I am POST-ing or GET-ing
  20. How do I diagnose a plugin resource 404?
  21. WordPress Brute Force Prevention
  22. Changing admin user id for database
  23. Does deleting the table users prevent all logins?
  24. Show global Message in User Profiles with admin only Input field in WordPress Backend
  25. [Multisite]How can I update custom blog option?
  26. Call require_once form admin page with checkbox
  27. Why does my admin email address keep changing to something random?
  28. Where to store publicly-accessible files
  29. Get Link of Page Selected through a Select Field in Custom Admin Page
  30. My code for creating an admin option doesn’t work
  31. I don’t have permission to save the theme options I created myself?
  32. Pull Random Images From Options Page [closed]
  33. Woo Commerce Settings for Check-out Form [closed]
  34. Admin Ajax is returning 0
  35. Add a Separator to the Admin Menu?
  36. Adding a custom admin page
  37. Allowing admin-ajax.php to receive “application/json” instead of “x-www-form-urlencoded”
  38. Is it safe to store a user setting you don’t want the user to ever modify as a user option?
  39. Custom admin email for new user registration
  40. A similar hook as wp_head for the admin area
  41. Hide allow trackbacks/pingbacks
  42. Hide Admin menus per role in WordPress
  43. wordpress upload http error?
  44. How to find out if an wp-admin action edited a file?
  45. Text snippets shared across posts
  46. Add Admin User via SQL
  47. How to remove Gravatar from Username column
  48. Page only shows when user is logged in (even with visibility set to public)
  49. get_template_part in admin
  50. Why Jetpack is missing the “Feedbacks” menu item? [closed]
  51. Getting the different post statuses + count like in edit.php, in a custom submenu page
  52. How to set CORS header?
  53. Create a Meta Box in the Admin User Screen?
  54. Send email to Admin when user/member updates specific user/member data
  55. Help with shortcode in admin-ajax [closed]
  56. Protect custom php file with login
  57. Limit Words in Category / Term Description – Admin Panel
  58. Change top level menu item to point to custom submenu item
  59. Change admin logout URL
  60. Default admin color scheme as “blue”
  61. Can user #1 (the initial user) be deleted without ill effect?
  62. wp-admin post.php JavaScript Links Not Working
  63. Remove duplicate product link from WooCommerce Page Row Actions
  64. How to set default editor tab
  65. Make the Status, Visibility, or Date fields opened by default in the Publish box
  66. Options page – dropdown of users
  67. Force to use STRONG users password and implement rule to prevent REUSE [closed]
  68. WordPress Admin Login Redirect Problem
  69. 500 internal server error on wp-admin only
  70. Admin Top Bar Not Showing On Front End
  71. WordPress administration Over SSL – To Force SSL Logins and SSL Admin Access
  72. Only Admin can Edit, Delete or Update
  73. How to verify nonces in bulk?
  74. Getting admin notices to appear after page refresh
  75. Hide post title input for all roles except admin
  76. How to activate the dashboard
  77. /wp-admin/install.php redirecting to 123-reg
  78. How to prevent plugins from sniffing/stealing other plugins’ options?
  79. Home page is redirecting to another page – no obvious reason
  80. Backend Checkboxes working – but not visual?
  81. Redirect admin 403 “Cheatin uh?” admin pages
  82. iframe with Youtube video appears for logged-in users, but not for incognito users
  83. Admin mode breaks with subdomains in latest WP
  84. How do I create a post_id column, for admin posts list?
  85. Custom Jquery in admin breaks media-upload script
  86. How should I change the username of or delete the admin user?
  87. Extending the user profile [closed]
  88. Show private pages in public when you logged in as admin?
  89. Any known plugins for master admin login to edit all on front end?
  90. How to exclude some post from admin edit screen
  91. How to show WordPress admin dashboard forms on front-end?
  92. Allow custom REST route to return before doing long operation
  93. Cannot access wp-admin after installing SSL – user capabilities not being set
  94. Show only content in page after action click in WordPress admin
  95. Display Graphs in Admin Pages
  96. Dropdown list of available posts for post editing
  97. Unsure how to add simple checkboxes that write to a small table to admin
  98. Custom styles and scripts for specific admin screen
  99. Is it possible to get rid of admin new updates notifications?
  100. What Role to assign remote site developer?
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)