Using a nonce (number used once) is the best way to protect your plugin against a cross-site request forgery (CSRF) hacker-attack. Nonces are used on requests (saving options in admin, Ajax requests, performing an action etc) and prevent unauthorized access by providing a secret ‘key’ and checking it each time the code is used.
Nonces in WordPress
Nonces work in the following way:
1. First you generate a nonce with a unique identifier
2. You pass the nonce along other query data (link or form) to you script
3. You verify the nonce before doing anything else
In order to create a nonce you can use wp_create_nonce() function.
$nonce= wp_create_nonce (’my-nonce’);
Next, pass the value of $nonce as a parameter in your request. For example:
<a href=”myplugin.php?_wpnonce=<?php echo $nonce ?>”>
You can use wp_verify_nonce() function to check the nonce before you perform any other action in the plugin.
$nonce=$_REQUEST[\_wpnonce];
if (! wp_verify_nonce($nonce, ‘my-nonce’) ) die(”Security check”);
And that’s all! If you thought it can’t be any easier than this you’d be wrong.
Using nonce functions
WordPress provides couple of functions to simplify the usage of nonces even more.
For your forms you can use wp_nonce_field() which will output a hidden field with a nonce. Place the function somewhere inside your form. For example:
<form action=… >
<?php wp_nonce_field(’my-nonce’); ?>
…
</form>
If you want to add a nonce to a link, you can use wp_nonce_url() function.
For example:
<a href=”<?php wp_nonce_url($url, ‘my-nonce’); ?>”>
If you are using the plugin on administration pages you can then use check_admin_referer() function to check the nonce. For example:
check_admin_referer( ‘my-nonce’);
It will automatically extract the nonce from query parameters (_wpnonce) and verify it.
Nonce and Ajax scripts
it’s easy to use nonce in your Ajax scripts. First create a nonce using wp_create_nonce().
$nonce= wp_create_nonce (’my-nonce’);
Then pass the nonce as _ajax_nonce parameter somewhere in your Ajax call:
$(”#text”).load(”…/ajax_response.php?_ajax_nonce=<?php echo $nonce ?>”);
To check the nonce in ajax_response.php use check_ajax_referer() function:
check_ajax_referer(’my-nonce’);
Here is another example (taken from Live Blogroll) plugin:
$nonce = wp_create_nonce( ‘wp-live-blogroll’ );
…
jQuery.ajax({
type: “GET”,
url: ‘<?php echo $wp_live_blogroll_plugin_url ?>/wp-live-blogroll-ajax.php’,
timeout: 3000,
data: {
link_url: this.href,
_ajax_nonce: ‘<?php echo $nonce ?>’
},
success: function(msg) {
jQuery(’#lb_popup’).html(msg);
jQuery(’#lb_popup’).fadeIn(300);
},
error: function(msg) {
jQuery(’#lb_popup’).html(’Error: ‘ + msg.responseText);
}
})
Receiving file:
function WPLiveRoll_HandleAjax($link_url)
{
// check security
check_ajax_referer( “wp-live-blogroll” );
Including nonces should not take more than 5 minutes for most plugins, and it is something all plugin authors (including me!) should work on.
Original Source:
Related Stuff
Google Buzz Button Wordpress Plugin ReleasedIf you are looking for a Google Buzz button to add into your Wordpress site then we have released the first Wordpress plugin exclusively ...
Plug And Play Ecommerce With Wordpress PluginsSince 2003 Wordpress has slowly been gaining popularity amongst the elite of the internet, the bloggers. It is one of those few things ...
Add Google Search to Your WordPress BlogThe native WordPress search does not return very relevant results, thus it makes a lot of sense to add Google Search into your WordPress ...
Add More Sidebars to Your WordPress ThemeYou can add more than one sidebar section to your WordPress site. For example, with the stc-intermountain.org site, I added a whole bunch ...
Series Posting in WordpressIn my functions.php file, I have some code which implements series posting. This relies on the thematic ...