Learn how to implement nonces in your WordPress plugins to provide robust CSRF protection, ensuring that every form submission is intentional and authorized.
Previously in this course, we explored validating settings to ensure the data reaching your database is clean. While sanitization protects against malicious payloads, it doesn't prevent an attacker from tricking an authenticated user into submitting a form they didn't intend to. This lesson introduces nonces, the primary mechanism for security and CSRF (Cross-Site Request Forgery) protection in WordPress.
The term "nonce" stands for "number used once." In the context of WordPress, it is a unique, time-sensitive token used to verify that a request is coming from a trusted source—your site's own interface—rather than a malicious third party. Note that a WordPress nonce is not strictly single-use: the token stays valid for a limited window (up to 24 hours by default) and can be submitted more than once within it, so it proves that the request originated from your interface, not that it is unique.
Without a nonce, an attacker could create a hidden form on their own website that, when visited by an unsuspecting logged-in administrator, performs an action on your plugin (like deleting data) because the browser automatically sends the admin's session cookies. By requiring a nonce, you ensure that the request is tied to a specific action, a specific user, and a specific timeframe.
The WordPress API makes implementing these tokens straightforward. You need two parts: the generator (to put the token in your form) and the verifier (to check the token when the form is submitted).
To include a nonce in your HTML form, use wp_nonce_field(). This function outputs a hidden input field containing the token.
```php
<?php
// Inside your view file (e.g., admin-form.php)
?>
<form method="post" action="options.php">
    <?php wp_nonce_field( 'my_plugin_save_action', 'my_plugin_nonce_field' ); ?>
    <!-- Your form fields here -->
    <input type="submit" value="Save Changes">
</form>
```
The first argument is the "action" name (a string used to identify this specific operation), and the second is the name of the hidden input field.
When the form is posted, you must verify the token before processing any data. Use check_admin_referer() if you are inside the WordPress admin or wp_verify_nonce() for more manual control.
```php
<?php
// Inside your controller or save method
public function handle_form_submission() {
    // Verify the nonce field exists and matches our action.
    // wp_unslash() removes the slashes WordPress adds to $_POST values,
    // and sanitize_text_field() normalises the token before verification.
    if (
        ! isset( $_POST['my_plugin_nonce_field'] )
        || ! wp_verify_nonce(
            sanitize_text_field( wp_unslash( $_POST['my_plugin_nonce_field'] ) ),
            'my_plugin_save_action'
        )
    ) {
        // Stop processing immediately; never fall through to the save logic.
        wp_die( 'Security check failed: Invalid nonce.' );
    }

    // Proceed with saving data...
}
```
In our ongoing project, we need to secure the meta-box save process we discussed in the lesson on saving meta data:

1. In the meta-box render callback, add wp_nonce_field('save_kb_article', 'kb_article_nonce') so the token is included with the form.
2. In the save_post callback, add a check using wp_verify_nonce() before you call update_post_meta().
3. Also call current_user_can() to ensure the user has the right to perform the action; the nonce proves the request was intended, not that the user is authorised.

The same requirement applies to AJAX POST requests. WordPress Nonces: How to Secure Forms and AJAX Requests provides a deep dive into handling these asynchronous tokens.

Nonces are your first line of defense against CSRF. By generating a hidden token with wp_nonce_field() and validating it with wp_verify_nonce(), you ensure that only legitimate, user-initiated requests are processed by your plugin. Always pair these checks with proper capability verification to maintain a hardened admin environment.
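The three project steps above, wired together as an added example (this is illustrative code, not the course's own): the render callback emits the nonce, and the save callback verifies it before any capability check or write. The post type `kb_article`, the meta key `_kb_summary`, the field name `kb_summary` and the meta-box id are assumptions for illustration; only the nonce action and field name come from the lesson.

```php
<?php
// Added example: nonce-protected meta box for the knowledge-base project.
// Post type, meta key and box id below are assumed names, not from the course.

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'kb_article_details', 'Article Details', 'kb_article_meta_box_html', 'kb_article' );
} );

// 1. Render callback: output the nonce next to the field it protects.
function kb_article_meta_box_html( WP_Post $post ) {
    wp_nonce_field( 'save_kb_article', 'kb_article_nonce' );
    $summary = get_post_meta( $post->ID, '_kb_summary', true );
    echo '<label for="kb_summary">Summary</label>';
    echo '<textarea id="kb_summary" name="kb_summary">' . esc_textarea( $summary ) . '</textarea>';
}

// 2. Save callback: verify the nonce BEFORE touching any submitted data.
function kb_article_save_meta( int $post_id ) {
    // Autosaves never carry the meta-box nonce, so bail out quietly.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! isset( $_POST['kb_article_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['kb_article_nonce'] ) );
    // wp_verify_nonce() returns 1 (issued within 12h), 2 (12-24h old) or false.
    // A false result means the token is missing, expired, forged, or was
    // issued to a different user, so the request must not be processed.
    if ( ! wp_verify_nonce( $nonce, 'save_kb_article' ) ) {
        return;
    }
    // 3. The nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['kb_summary'] ) ) {
        $summary = sanitize_textarea_field( wp_unslash( $_POST['kb_summary'] ) );
        update_post_meta( $post_id, '_kb_summary', $summary );
    }
}
// save_post_{$post_type} fires only for this post type, avoiding the generic hook.
add_action( 'save_post_kb_article', 'kb_article_save_meta' );
```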
Up next: Capability Checks — Controlling who can access your plugin's functionality.