Nonce
A WordPress nonce is a short token that proves a request came from a page or script WordPress generated for the current user, rather than from a third-party site, protecting state-changing actions against Cross-Site Request Forgery (CSRF) attacks.
How it works
Despite the name ('number used once'), a WordPress nonce is not single-use: it is a time-limited token that stays valid for up to 24 hours by default (the lifetime is divided into 12-hour ticks, and a nonce from the previous tick is accepted as a grace period). Nonces are generated with wp_create_nonce() and verified with wp_verify_nonce() or check_ajax_referer(). Each nonce is derived from the current user's ID and session token together with a specific action string, so it is unique per user and per action and becomes useless once the user logs out. A nonce only shows where the request came from; it does not prove the user is allowed to perform the action, so it complements, rather than replaces, a capability check such as current_user_can().
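To make the tick-based lifetime concrete, here is an added, stand-alone re-implementation of the scheme WordPress uses (a 10-character slice of an HMAC over tick|action|user|session, accepted for the current and the previous 12-hour tick). It is example code, not WordPress core or WP HealthKit code; the salt, user id, session token and timestamps are constructed values, and the function names are illustrative rather than the real WordPress ones.

```php
<?php
// Added illustration (not WordPress or WP HealthKit code): a stand-alone re-implementation
// of the WordPress nonce scheme, so the 12/24-hour window can be observed without a
// WordPress install. Salt, user id, session token and timestamps are constructed values.

const NONCE_LIFE = 24 * 60 * 60;                 // WordPress default: DAY_IN_SECONDS ('nonce_life' filter)
const NONCE_SALT = 'constructed-salt-for-demo';  // WordPress uses wp_salt('nonce') here

// The clock is cut into half-lifetime (12-hour) slots; a nonce is bound to its slot number.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Token = 10 characters taken from HMAC-MD5(tick|action|user|session), as wp_create_nonce() does.
function nonce_token(int $tick, string $action, int $uid, string $session): string {
    return substr(hash_hmac('md5', "$tick|$action|$uid|$session", NONCE_SALT), -12, 10);
}

function create_nonce(string $action, int $uid, string $session, int $now): string {
    return nonce_token(nonce_tick($now), $action, $uid, $session);
}

// Mirrors wp_verify_nonce(): 1 for the current slot (0-12 h old), 2 for the previous
// slot (12-24 h old), false otherwise. hash_equals() keeps the comparison constant-time.
function verify_nonce(string $nonce, string $action, int $uid, string $session, int $now) {
    if ($nonce === '') {
        return false;
    }
    $tick = nonce_tick($now);
    if (hash_equals(nonce_token($tick, $action, $uid, $session), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_token($tick - 1, $action, $uid, $session), $nonce)) {
        return 2;
    }
    return false;
}

// Demo: $t0 sits one second after a 12-hour slot boundary so the window edges are easy to see.
$t0      = 1700006401;
$uid     = 7;
$session = 'constructed-session-token';
$nonce   = create_nonce('save_settings', $uid, $session, $t0);

$cases = [
    'same slot, right away'      => [$t0,             'save_settings', $uid],
    'same slot, 11 h later'      => [$t0 + 11 * 3600, 'save_settings', $uid],
    'next slot, 13 h later'      => [$t0 + 13 * 3600, 'save_settings', $uid],
    'two slots on, 25 h later'   => [$t0 + 25 * 3600, 'save_settings', $uid],
    'wrong action'               => [$t0,             'delete_user',   $uid],
    'another user, same session' => [$t0,             'save_settings', 8],
];
foreach ($cases as $label => [$now, $action, $who]) {
    $result = verify_nonce($nonce, $action, $who, $session, $now);
    printf("%-28s => %s\n", $label, var_export($result, true));
}
```

Run with plain `php nonce_demo.php`. The first two cases verify as 1, the 13-hour case as 2 (previous tick still accepted), and the 25-hour, wrong-action and other-user cases all fail, which is the behaviour described above: the token is neither single-use nor tied to a particular request, only to a user, an action and a 24-hour window.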
In WordPress
Every WordPress form that modifies data should include wp_nonce_field(), and its handler should verify the nonce with wp_verify_nonce() alongside a current_user_can() capability check. Every AJAX handler should call check_ajax_referer(). REST API routes must declare a permission_callback that checks the caller's capabilities; for cookie-authenticated requests WordPress additionally requires a nonce created with wp_create_nonce('wp_rest') to be sent in the X-WP-Nonce header (or the _wpnonce parameter), which core verifies before the route's callbacks run.
Code example
<?php
// In a form that modifies data: emits hidden _wpnonce and _wp_http_referer fields
wp_nonce_field('save_settings', '_wpnonce');

// In an AJAX handler: compares the 'security' request parameter against the
// 'my_action' nonce and stops execution with a 403 if it does not match
check_ajax_referer('my_action', 'security');

// Manual verification: reject the request if the nonce is missing or invalid
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field(wp_unslash($_REQUEST['_wpnonce'])) : '';
if (!wp_verify_nonce($nonce, 'save_settings')) {
    wp_die('Unauthorized', 403);
}
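The snippets above show each call in isolation. The following added example (not WP HealthKit code) puts the three patterns together in one small plugin: a settings form with nonce plus capability check, a logged-in-only AJAX handler, and a REST route whose permission_callback does the authorization while the 'wp_rest' nonce is handed to the browser for the X-WP-Nonce header. It assumes it is loaded as a plugin inside a WordPress install; the npd_ prefix, option name, action names, route name and script file are constructed.

```php
<?php
/*
 * Plugin Name: Nonce Pattern Demo (added example)
 * Added illustration, not WP HealthKit or WordPress core code. Assumes it runs inside
 * WordPress as a plugin; the npd_ prefix, option, action and route names are constructed.
 */

// 1. Settings page + form. The nonce proves the request came from a page WordPress
//    rendered for this user; current_user_can() proves the user may do the action.
add_action('admin_menu', function () {
    add_options_page('Nonce Demo', 'Nonce Demo', 'manage_options', 'npd', 'npd_render_form');
});

function npd_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="npd_save_settings">
        <?php wp_nonce_field('npd_save_settings', '_wpnonce'); ?>
        <input type="text" name="npd_value" value="<?php echo esc_attr(get_option('npd_value', '')); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}

function npd_handle_save() {
    $nonce = isset($_POST['_wpnonce']) ? sanitize_text_field(wp_unslash($_POST['_wpnonce'])) : '';
    // Both checks are required: a valid nonce from a low-privilege user must still be refused.
    if (!wp_verify_nonce($nonce, 'npd_save_settings') || !current_user_can('manage_options')) {
        wp_die('Unauthorized', 403);
    }
    update_option('npd_value', sanitize_text_field(wp_unslash($_POST['npd_value'] ?? '')));
    wp_safe_redirect(wp_get_referer() ?: admin_url());
    exit;
}
add_action('admin_post_npd_save_settings', 'npd_handle_save');

// 2. AJAX handler: check_ajax_referer() dies with a 403 if the 'security' field fails.
//    Only wp_ajax_ (not wp_ajax_nopriv_) is hooked, so anonymous callers never reach it.
function npd_ajax_handler() {
    check_ajax_referer('npd_ajax', 'security');
    if (!current_user_can('edit_posts')) {
        wp_send_json_error('forbidden', 403);
    }
    wp_send_json_success(['value' => get_option('npd_value', '')]);
}
add_action('wp_ajax_npd_action', 'npd_ajax_handler');

// 3. REST route: permission_callback is the authorization gate. Cookie-authenticated
//    callers must also send the 'wp_rest' nonce in X-WP-Nonce; core checks it before
//    the route runs and answers 403 on a bad nonce, so the callback never sees that request.
add_action('rest_api_init', function () {
    register_rest_route('npd/v1', '/value', [
        'methods'             => 'POST',
        'callback'            => function (WP_REST_Request $req) {
            update_option('npd_value', sanitize_text_field($req->get_param('value')));
            return rest_ensure_response(['ok' => true]);
        },
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ]);
});

// 4. Hand the nonces to the browser so the page's script can attach them to its requests.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('npd', plugins_url('npd.js', __FILE__), [], '1.0', true);
    wp_localize_script('npd', 'npdData', [
        'ajaxUrl'   => admin_url('admin-ajax.php'),
        'ajaxNonce' => wp_create_nonce('npd_ajax'),  // sent as the 'security' POST field
        'restUrl'   => rest_url('npd/v1/value'),
        'restNonce' => wp_create_nonce('wp_rest'),   // sent in the X-WP-Nonce header
    ]);
});
```

The design point worth noticing is the pairing in every handler: the nonce answers "did this request come from my page?" and the capability check answers "is this user allowed?". A scanner that flags a missing nonce is finding a CSRF hole; a missing capability check beside a valid nonce is a separate, often worse, authorization hole.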
WP HealthKit checks for Nonce-related vulnerabilities automatically