CSRF
Cross-Site Request Forgery (CSRF) is an attack that tricks a user's browser into making an unwanted request to a web application where they're authenticated.
How it works
In a CSRF attack, a malicious website crafts a request that performs an action on another site where the victim is logged in. Because browsers automatically send cookies with every request, the target application can't distinguish between a legitimate request and a forged one. In WordPress, this is particularly dangerous for admin actions — if an admin visits a malicious page, it could trigger plugin settings changes, user deletions, or data modifications without their knowledge.
In WordPress
WordPress uses nonces (numbers used once) as the primary defense against CSRF. Despite the name, a WordPress nonce is not strictly single-use: it is a short keyed hash tied to the action, the current user, the user's session token and a time window (24 hours by default). Every form submission and AJAX request should include a nonce that is verified server-side using wp_verify_nonce(), check_admin_referer() or check_ajax_referer(). Because a page on another origin cannot read the nonce, a forged request from that site will not carry a valid one.
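How a nonce ties a request to the user, the session and a time window, modelled in Python as an added example (this is not WordPress's code and not code from this page): it mirrors the tick/HMAC layout of wp_create_nonce() and wp_verify_nonce(), and then runs a legitimate request and a forged one through a model admin handler. The salt, the session table and the timestamps are constructed values.

```python
import hashlib
import hmac
import math

# WordPress default nonce lifetime (DAY_IN_SECONDS); the "tick" advances every half-life.
NONCE_LIFE = 24 * 60 * 60

# Constructed session table: cookie value -> (user_id, session_token).
SESSIONS = {"wordpress_logged_in=cookie-abc": (1, "tok-xyz")}


def nonce_tick(now: int, life: int = NONCE_LIFE) -> int:
    """Mirror of wp_nonce_tick(): ceil(time / (life / 2))."""
    return math.ceil(now / (life / 2))


def wp_hash(data: str, salt: bytes) -> str:
    """Stand-in for wp_hash($data, 'nonce'): HMAC-MD5 keyed with the site's nonce salt."""
    return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()


def _expected(tick: int, action: str, user_id: int, token: str, salt: bytes) -> str:
    # Same input layout as wp_create_nonce(): tick|action|uid|token, then substr(..., -12, 10).
    return wp_hash(f"{tick}|{action}|{user_id}|{token}", salt)[-12:-2]


def create_nonce(action: str, user_id: int, token: str, salt: bytes, now: int) -> str:
    return _expected(nonce_tick(now), action, user_id, token, salt)


def verify_nonce(nonce: str, action: str, user_id: int, token: str, salt: bytes, now: int):
    """Like wp_verify_nonce(): 1 for the current tick, 2 for the previous tick, else False."""
    if not nonce:
        return False
    tick = nonce_tick(now)
    if hmac.compare_digest(nonce, _expected(tick, action, user_id, token, salt)):
        return 1
    if hmac.compare_digest(nonce, _expected(tick - 1, action, user_id, token, salt)):
        return 2
    return False


def handle_request(cookie: str, post: dict, salt: bytes, now: int) -> str:
    """Model of a protected admin handler. The browser attaches the cookie to every
    request, including forged ones, so the nonce is what proves the request came
    from a page the site itself rendered."""
    if cookie not in SESSIONS:
        return "rejected: not logged in"
    user_id, token = SESSIONS[cookie]
    if not verify_nonce(post.get("my_nonce", ""), "my_plugin_action", user_id, token, salt, now):
        return "rejected: bad nonce"
    return "ok"


def demo() -> dict:
    salt = b"constructed-nonce-salt"  # in WordPress this comes from NONCE_SALT / the DB
    now = 1_000_000
    cookie = "wordpress_logged_in=cookie-abc"
    # The site renders a form for user 1 and embeds a nonce via wp_nonce_field().
    nonce = create_nonce("my_plugin_action", 1, "tok-xyz", salt, now)
    return {
        "legitimate": handle_request(cookie, {"my_nonce": nonce}, salt, now),
        # A cross-site page can make the browser send the cookie, but it cannot read the
        # nonce, so the forged POST carries only the fields the attacker could guess.
        "forged": handle_request(cookie, {"delete_user": "2"}, salt, now),
        # The same nonce is still valid in the next half-life window, then expires.
        "next_tick": verify_nonce(nonce, "my_plugin_action", 1, "tok-xyz", salt, now + NONCE_LIFE // 2),
        "expired": verify_nonce(nonce, "my_plugin_action", 1, "tok-xyz", salt, now + NONCE_LIFE),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Note the return values 1 and 2: wp_verify_nonce() returns truthy integers rather than true, so a strict `=== true` comparison would reject every valid nonce.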
Code example
// Generating a nonce in a form (outputs a hidden input named my_nonce)
wp_nonce_field('my_plugin_action', 'my_nonce');

// Verifying in the handler: reject a missing, forged or expired nonce
if (!isset($_POST['my_nonce']) || !wp_verify_nonce($_POST['my_nonce'], 'my_plugin_action')) {
    wp_die('Security check failed');
}
// A nonce proves the request came from your own page, not that the user may act:
// still check the capability before changing anything
if (!current_user_can('manage_options')) {
    wp_die('Insufficient permissions');
}
WP HealthKit checks for CSRF-related vulnerabilities automatically