WordPress - Security

Just some basic ideas to keep hackers out of your site.

All data entry forms, widgets, and the like should use nonce to verify that the actual form was used to enter the data ... and not just some random hacker trying to break your site.


nonce - number used only once
Despite what the name says, a given nonce changes every 12 hours and is good for 24 hours

A nonce is a hash of the current time, user ID, and a string associated with some part of an application. The purpose is to reduce the probability of someone accessing your site and pretending to be someone else.

As usual, the online help is adequate, but not complete. This is the function definition (from functions.php) showing the available parameters. I suggest supplying a unique $name.

This code (in your form or widget template) produces the following html (line feed added for readability)

Validating the nonce is a bit tricky - be sure you have created it one edit cycle before you check it. (If you don't, you will get server error 500. As you can see in the function prototype (definition), $query_arg must be set to the same value as $name when the nonce was created (which is why the name must be unique).

Though the help suggest that plugins should use nonce, it is not clear why ... because ... the main post page already provides and is (presumably) already checking it. On the other hand, if you are creating your own page templates, then security is your responsibility.

On the other hand, it is possible for someone to try and hack a site by directly calling some php file (ie, without going through the normal post page). Therefore, it is still a good idea for each plugin to provide nonce security in addition to what WordPress already provides.


WordPress 2.0.3: Nonces - very good, but it does not mention the name parameter.

Author: Robert Clemenzi
URL: http:// mc-computing.com / ISPs / WordPress / Security.html