WordPress - Security

Just some basic ideas to keep hackers out of your site.

All data entry forms, widgets, and the like should use nonce to verify that the actual form was used to enter the data ... and not just some random hacker trying to break your site.

nonce

nonce - number used only once
Despite what the name says, a given nonce changes every 12 hours and is good for 24 hours

A nonce is a hash of the current time, user ID, and a string associated with some part of an application. The purpose is to reduce the probability of someone accessing your site and pretending to be someone else.

As usual, the online help is adequate, but not complete. This is the function definition (from functions.php) showing the available parameters. I suggest supplying a unique $name.

function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true )

This code (in your form or widget template)

  if ( function_exists('wp_nonce_field') )
    wp_nonce_field('lib-events-add_event', 'lib-events_nonce');
  echo "\n<! end of wp_nonce_field >\n";

produces the following html (line feed added for readability)

<input type="hidden" id="lib-events_nonce" name="lib-events_nonce" value="2453635ba4" />
<input type="hidden" name="_wp_http_referer" value="/graphics-lib/wp-admin/post.php?action=edit&post=185&message=1" />
<! end of wp_nonce_field >

Validating the nonce is a bit tricky - be sure you have created it one edit cycle before you check it. (If you don't, you will get server error 500. As you can see in the function prototype (definition), $query_arg must be set to the same value as $name when the nonce was created (which is why the name must be unique).

function check_admin_referer($action = -1, $query_arg = '_wpnonce')

check_admin_referer('lib-events-add_event', 'lib-events_nonce');

Though the help suggest that plugins should use nonce, it is not clear why ... because ... the main post page already provides

<form name="post" action="post.php" method="post" id="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="ed48249d7f" />
<input type="hidden" name="_wp_http_referer" value="/graphics-lib/wp-admin/post.php?action=edit&post=185&message=1" />

and is (presumably) already checking it. On the other hand, if you are creating your own page templates, then security is your responsibility.

On the other hand, it is possible for someone to try and hack a site by directly calling some php file (ie, without going through the normal post page). Therefore, it is still a good idea for each plugin to provide nonce security in addition to what WordPress already provides.

References

WordPress 2.0.3: Nonces - very good, but it does not mention the name parameter.

Author: Robert Clemenzi

WordPress - Security

nonce

URL: http:// mc-computing.com / ISPs / WordPress / Security.html