wp_verify_nonce return false despite correct parameter passed

the wp_verify_nonce() keep returning false

If you were logged-in to your (WordPress) site when you used the form, then the above is normal. Here’s why so:

  • Your form submits to a custom REST API endpoint (at /wp-json/ilms_plugin/new_membership) and the default authentication method used by the REST API is cookie-based, i.e. it checks if a nonce with the action named wp_rest is set and that it’s valid (not yet expired), and if not (not set or it’s invalid/expired), then WordPress sets the current user to 0 which affects all nonce-related functions including but not limited to wp_verify_nonce().

  • In simple words, it means functions like wp_verify_nonce() will return false because nonces are based on the current user, so if the user is logged-in to your site (when filling in the form), but not the REST API (when the form submission/data is processed), then wp_verify_nonce() will return false because the user ID becomes 0 in the REST API.

Check out the REST API handbook for more details about the authentication: https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/

How to fix the issue

Just add wp_nonce_field( 'wp_rest', '_wpnonce', false ); somewhere in your form, e.g. right after the opening <form> tag: (Note that I escaped the URL using esc_url())

<form action="<?php echo esc_url( get_rest_url( null, 'ilms_plugin/new_membership' ) ); ?>" ...>
    <?php wp_nonce_field( 'wp_rest', '_wpnonce', false ); ?>
    ...

Additional Notes

  1. Instead of get_rest_url( null, 'ilms_plugin/new_membership' ), you could use rest_url( 'ilms_plugin/new_membership' ) which uses rest_url() and is shorter.. 🙂

  2. Instead of using $wpdb->query(), I would use $wpdb->insert() to insert the data to the database.

  3. A REST API endpoint should always set a permission_callback and you should also use the args argument to define the parameters for the endpoint like the test_nonce in your case. Nonetheless, refer to Adding Custom Endpoints in the REST API handbook for further details.

Related Posts:

  1. How does nonce verification work?
  2. How to expire a nonce?
  3. Fatal error: Call to undefined function wp_create_nonce()
  4. How to add/retrieve the post trash link?
  5. Using nonce external of WP Admin
  6. Nonce best practices: hidden input vs. wp_localize_script?
  7. “The link you followed has expired” when previewing a post
  8. wp_verify_nonce keeps failing
  9. Handling nonce generation in AJAX registration process
  10. increase nonce lifespan
  11. wp_verify_nonce() via REST always returns false
  12. Nonce failing in IE
  13. my theme breaks WP export
  14. Why am I getting a 403 from check_admin_referer()?
  15. x-wp-nonce across domains
  16. wp_create_nonce doesn’t verify when using WP_List_Table
  17. Handling expired nonces
  18. What is really “wp_nonce_field” and how does it work? [duplicate]
  19. Cannot verify nonce
  20. WordPress JSON API nonces and Vue development server
  21. Verify a nonce in Form submission
  22. phpcs error in WordPress
  23. Stop WordPress nonces expiring
  24. Several nonces?
  25. Nonce for Trashing Item
  26. Nonce keeps failing
  27. Public posts – preventing duplicate form submissions
  28. How to obtain “wp_rest” nonce for WP Statistics plugin manually?
  29. WordPress “nonce” message
  30. CSP nonces with Cloudflare Workers
  31. Why are nonces working in Firefox but not in Chrome?
  32. wp_verfy_nonce keeps giving false
  33. Nonce – reissue with ajax poll
  34. wp_nonce_url generating invalid links
  35. How to insert wp_nonce field within echoed string
  36. Nonce check causing issues when creating new post
  37. Weird nonce validation problem
  38. Logout button in menu without “wp” in links
  39. Check nonce in the new bulk_edit_posts action
  40. nonce de sécurité invalide
  41. wp_verify_nonce vs check_admin_referer
  42. Do I need a nonce field for every meta box I add to my custom post type admin?
  43. Can I use the same nonce for multiple requests on the same page?
  44. How to get a unique nonce for each Ajax request?
  45. Nonce retrieved from the REST API is invalid and different from nonce generated in wp_localize_script
  46. Are Nonces Useless?
  47. How to use nonce with front end submission form?
  48. Extend WordPress (4.x) session and nonce
  49. Nonces can be reused multiple times? Bug / Security issue?
  50. How do WordPress Nonces Work?
  51. Nonces and Cache
  52. How do I create a user using the new JSON api in 4.7?
  53. AJAX nonce with check_ajax_referer()
  54. Verify nonce in REST API?
  55. Is wp_nonce_field vulnerable if you know the action name?
  56. Using nonce in menu item
  57. Is it safe to assume that a nonce may be validated more than once?
  58. Multiple ajax nonce requests
  59. What is nonce and how to use it with Ajax in WordPress? [duplicate]
  60. Do I require the use of nonce?
  61. Getting “The link you followed has expired” when adding custom post [closed]
  62. Should nonce be sanitized?
  63. Nonce in settings API with tabbed navigation
  64. Using Nonces for AJAX that only retrieves data
  65. WordPress REST API call generates nonce twice on every call
  66. WordPress “Link has expired” error on updating posts
  67. How to verify nonce from Bulk/Quick Edit in save_post?
  68. Handling nonces for actions from guests to logged-in users
  69. How to add WordPress nonces to ajax request
  70. Can I verify nonce which was generated on a different WP site?
  71. WordPress failure when logging out
  72. Reduce nonce lifespan
  73. Security – Ajax and Nonce use [closed]
  74. Headless WordPress: How to authenticate front end requests?
  75. Nonces and Ajax request to REST API and verification
  76. How to stop _wpnonce and _wp_http_referer from appearing in URL
  77. Ajax function returns -1
  78. Undefined index: at_nonce in custom post metabox
  79. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  80. “Notice: Undefined index:” error when adding new content?
  81. WP REST API: check if user is logged in
  82. Custom Meta Boxes – Nonce Issue – Move to trash issue
  83. Security around save_post hook
  84. wp_verify_nonce always returns false when logged in as admin
  85. how to get nonce using json api
  86. ajax and nonce when JavaScript is in a seperate file
  87. Confusion on WP Nonce usage in my Plugin
  88. Properly applying nonce to a form using AJAX
  89. When is it useful to use wp_verify_nonce
  90. WordPress password reset – why post rp_key?
  91. wp_verify_nonce doesn’t return true on server when it matches the nonce
  92. How to save multiple metaboxes?
  93. Can’t GET draft posts via REST API from headless frontend
  94. Rest API invalid nonce with Backbone Client
  95. Nonce actions and names available via open source
  96. AJAX requests broken due to HTTPS for wp-admin
  97. Nonces, AJAX, script variables & security in WordPress
  98. Full page NGINX (or Cloudflare) caching and WordPress nonces
  99. Why does WordPress Heartbeat login not refresh the nonces?
  100. How to get the wpnonce value?
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)