WP HealthKit

Nonce

A WordPress nonce is a one-time token used to verify that a request originated from the expected source, protecting against Cross-Site Request Forgery attacks.

How it works

Despite the name 'number used once', WordPress nonces are actually time-limited tokens (valid for 24 hours by default, with a 12-hour grace period). They're generated using wp_create_nonce() and verified with wp_verify_nonce() or check_ajax_referer(). Nonces are tied to the current user session and a specific action string, making them unique per user and per action.

In WordPress

Every WordPress form that modifies data should include wp_nonce_field(). Every AJAX handler should call check_ajax_referer(). REST API routes should declare a permission_callback; cookie-authenticated requests must also carry the 'wp_rest' nonce (created with wp_create_nonce('wp_rest') and sent in the X-WP-Nonce header), which WordPress verifies before the callback runs.

Code example

// In form
wp_nonce_field('save_settings', '_wpnonce');

// In AJAX handler (dies with HTTP 403 when the 'security' field is missing or invalid)
check_ajax_referer('my_action', 'security');

// Manual verification: read the field defensively, then reject with a proper 403
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field(wp_unslash($_REQUEST['_wpnonce'])) : '';
if (!wp_verify_nonce($nonce, 'save_settings')) {
    wp_die('Unauthorized', 'Unauthorized', array('response' => 403));
}
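The snippet above shows each call in isolation. The following is an added example, not WP HealthKit's code, that wires the three contexts described under "How it works" and "In WordPress" into one plugin: a settings form with wp_nonce_field(), an admin-post handler using wp_verify_nonce(), an AJAX handler using check_ajax_referer(), and a REST route with a permission_callback. All 'demo_' names, the 'demo_settings' option and the 'demo/v1/items' route are assumptions made for the example. Note the capability checks (current_user_can()) next to every nonce check: a nonce proves the request came from a page WordPress generated for this user, not that the user is allowed to perform the action.

```php
<?php
/**
 * Added example (not WP HealthKit's code): the three places a nonce belongs
 * in a plugin, with the capability check a nonce does not replace.
 * Assumed names: the 'demo_' prefixes, the 'demo_settings' option,
 * the 'demo_export' AJAX action and the 'demo/v1/items' REST route.
 */

// 1. Settings form: the nonce travels in a hidden field.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', '_wpnonce' ); ?>
        <input type="text" name="demo_value" value="<?php echo esc_attr( get_option( 'demo_settings', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler for admin-post.php?action=demo_save_settings.
function demo_save_settings() {
    // The nonce check proves the request came from our form; the capability
    // check proves the user may change settings. Both are required.
    $nonce  = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    $status = wp_verify_nonce( $nonce, 'demo_save_settings' );
    // wp_verify_nonce() returns 1 (created in the last 12 h), 2 (12-24 h old) or false.
    if ( false === $status || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Unauthorized', 'Unauthorized', array( 'response' => 403 ) );
    }
    update_option( 'demo_settings', sanitize_text_field( wp_unslash( $_POST['demo_value'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_demo_save_settings', 'demo_save_settings' );

// 2. AJAX: the nonce is handed to the page script, which sends it back as
// the 'security' field; the handler verifies it before doing any work.
function demo_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_export' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );

function demo_ajax_export() {
    // check_ajax_referer() stops the request (HTTP 403) when the nonce is missing or invalid.
    check_ajax_referer( 'demo_export', 'security' );
    if ( ! current_user_can( 'export' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'items' => array() ) );
}
add_action( 'wp_ajax_demo_export', 'demo_ajax_export' );
// Deliberately no wp_ajax_nopriv_demo_export hook: logged-out users cannot reach this action.

// 3. REST: every route needs a permission_callback. Cookie-authenticated callers
// must also send the 'wp_rest' nonce in the X-WP-Nonce header; core verifies it
// before this callback runs, and a request without it is treated as anonymous.
function demo_register_routes() {
    register_rest_route( 'demo/v1', '/items', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'created' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
}
add_action( 'rest_api_init', 'demo_register_routes' );
```

For the REST route, the page script obtains the nonce the same way the AJAX script does, via wp_localize_script() with wp_create_nonce('wp_rest'), and attaches it to each request as the X-WP-Nonce header; a request that sends only the login cookie, with no nonce, runs as an anonymous user and the permission_callback above rejects it.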

WP HealthKit checks for Nonce-related vulnerabilities automatically

What Is a WordPress Nonce? CSRF Protection Explained | WP HealthKit