wp_verify_nonce vs check_admin_referer

I thought that check_admin_referer checked the nonce (it does call wp_verify_nonce, and the referring url. After digging into the core code I realised that it did not do this. Thinking it was a bug I reported it, and Ryan Boren replied with the following:

Actually, if the nonce is valid the referrer should not be checked.
The unreliability of referrers is one of the reasons that nonces are
used. Nonces replace referrer checking entirely. The only time we
check the referrer is when handling the -1 backward compatibility
condition. -1 means that someone is not using nonces so we fall back
to referrer checking. This usage is now very rare.
check_admin_referer() is badly named now that it almost never does
referrer checking. It would be better named something like
check_nonce(), but we keep it as is for back compat and old times
sake.

So there is in fact there is no difference.

Related Posts:

  1. How does admin-ajax.php work?
  2. Securing Admin Accounts – Username Discovery
  3. Assuming a theme is properly secured, how save is the WordPress admin?
  4. Don’t attribute content to admin users
  5. WordPress ACL (folder + permissions)
  6. using rewrites to secure login page
  7. How to verify nonces in bulk?
  8. How do I diagnose a plugin resource 404?
  9. WordPress Brute Force Prevention
  10. Changing admin user id for database
  11. WordPress custom admin functions security
  12. Does deleting the table users prevent all logins?
  13. Why does my admin email address keep changing to something random?
  14. Where to store publicly-accessible files
  15. What are the standard admin CSS id/class tags?
  16. How to pass parameters to admin_notices?
  17. Admin: very slow edit page caused by core meta query
  18. This CSS Stuffing Works, But Is This A Good Practice?
  19. Load plugin scripts and styles only on plugin page
  20. WP List Table custom quick edit box – post meta data missing and columns change on submit
  21. Is there a more efficient admin search function/plugin?
  22. WordPress Admins or Roles per Page
  23. How to add filter in “Comments” at the admin panel?
  24. List All Post Types in Admin view using /wp-admin/edit.php?post_type=
  25. Customize Admin Users Screen based on Role
  26. Change post title during post saving process
  27. How to display only logged in user’s post comments in comments area
  28. WordPress 3.8 get current admin color scheme
  29. What filter/action hook can I use to add a few links to the admin comments page?
  30. Can you have the users list pre sorted by specific column?
  31. Different color admin bars for dev, staging and production
  32. WordPress manage users as non admin
  33. remove_action with profile_personal_options
  34. With WP 3.4 customizer, while using postMessage & working within your JS for one option, can you retrieve current value for another option?
  35. Refreshing collections in the admin media manager
  36. $user_id vs. is_user_logged_in()
  37. Conditionally load CSS/JS/PHP in wp-admin if using a mobile device
  38. Is there a way to hook into the update-core page for custom messages?
  39. WordPress How to begin editing from admin page (please see picture)
  40. WordPress as a web app – always auto-save post and meta data
  41. Determining whether it’s a AJAX call from front-end or from back-end
  42. Disable the “Skip to Toolbar” tabbing accessibility feature
  43. Super slow admin panel
  44. My WordPress Admin looks messed up when I edit posts or pages
  45. Save author posts as in pending review – block users updating their posts
  46. POMO_Reader->substr() call endless loop?
  47. jQuery UI AutoComplete & wp_enqueue_script
  48. Plugin admin panel JavaScript Broken
  49. Force Contributors to add Tags via edit-tags.php
  50. Edit Auto Update Admin Notification
  51. Unable to Access WP Admin or Login buttons after Migration
  52. Add custom button next to native “Apply” button in the edit-tag screen
  53. Enqueue and Dequeue from admin bar nodes
  54. How to enqueue admin content outside admincp
  55. admin_enqueue_scripts the same css file as wp_enqueue_style
  56. Where can I store common cross-site text (e.g. headings, titles etc.)
  57. get_current_screen and the WP_Screen class
  58. Is there alternative to WP_List_Table?
  59. How to modify admin headers
  60. Filter WooCommerce Orders
  61. How to disable Media Library uploads for non-Admin users?
  62. Page can’t hand request – HTTP ERROR 500 – when updating something
  63. How to change the User name and Password of admin account
  64. Redirect public site to another one but allow administrators to access the old site
  65. “sufficient permissions” error for admin after duplicating WP database to new install
  66. Posts in sidebar only by admin
  67. Display an image of selected template in admin to aid user when using complex templates
  68. How to remove the default checked attribute from inputs in admin?
  69. Passing state from child component to parent component in a Gutenberg Sidebar
  70. Admin user column sort by numeric meta key
  71. Shop in Subdomain feeding main domain order in admin area
  72. Can I retrieve Published changes when changes have been Saved but not Published in WordPress Semplice?
  73. Error 404 Display on otherlinks apart from homepage
  74. I can’t access login page
  75. Admin Access for specific page(s)
  76. Get Link of Page Selected through a Select Field in Custom Admin Page
  77. check_admin_referer not working in custom meta box for custom post type
  78. Sortable admin columns by 0.00 number
  79. WordPress Admin Thickbox: Remove Margins/Padding
  80. how to disable the e-mail verification on wp-admin/options-general.php multisite admin e-mail
  81. wp_verify_nonce fails always
  82. WordPress Admin Email
  83. conditionally update css on edit.php
  84. Simple CSS admin pagination
  85. Can I show the tag admin interface on a post when logged in as an admin?
  86. WordPress “Hide WP” Gives Me Error After Admin Login [closed]
  87. Editing post in admin panel
  88. Making a custom upload form and page in the admin section
  89. Customise the add media pop-up to include rel attribute option
  90. WordPress gallery image link gives 404 when not logged in
  91. Remove “minor-publishing” div from Publish admin metabox
  92. How to fix broken admin Thickbox?
  93. New User Notification – Setting Email
  94. Can’t access my wp admin: captcha images invisible, gives me error message
  95. Pull Random Images From Options Page [closed]
  96. You do not have permission to access this document on form submit
  97. Woo Commerce Settings for Check-out Form [closed]
  98. Add custom css class to wp-list-table row for custom post type
  99. Custom column with post ID not working in CPT
  100. Modify ‘the_content’ appearance in the admin area

Leave a Comment