Improving security in WordPress plugins using nonces

Using a nonce (number used once) is the best way to protect your plugin against a cross-site request forgery (CSRF) attack. Nonces are used on requests (saving options in admin, Ajax requests, performing an action, etc.) and prevent unauthorized requests by attaching a secret 'key' to each request and checking it every time the code runs.


Nonces in WordPress

Nonces work in the following way:

   1. First you generate a nonce with a unique identifier (the action name)
   2. You pass the nonce along with the other query data (link or form) to your script
   3. You verify the nonce before doing anything else

To create a nonce, use the wp_create_nonce() function:

    $nonce = wp_create_nonce( 'my-nonce' );

Next, pass the value of $nonce as a parameter in your request. For example:

    <a href="myplugin.php?_wpnonce=<?php echo $nonce ?>">

Use the wp_verify_nonce() function to check the nonce before you perform any other action in the plugin.

    $nonce = $_REQUEST['_wpnonce'];

    // wp_verify_nonce() returns false when the nonce is missing, expired or was
    // created for a different action or user; 1 or 2 when it is valid.
    if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) die( 'Security check' );

And that’s all! If you thought it can’t be any easier than this you’d be wrong.

Using nonce functions

WordPress provides a couple of functions that simplify the use of nonces even further.

For your forms you can use wp_nonce_field(), which outputs a hidden field containing a nonce. Place the function call somewhere inside your form. For example:

    <form action=… >
        <?php wp_nonce_field( 'my-nonce' ); ?>
        …
    </form>

If you want to add a nonce to a link, use the wp_nonce_url() function. It returns the URL with the _wpnonce parameter appended, so remember to echo the result:

    <a href="<?php echo wp_nonce_url( $url, 'my-nonce' ); ?>">

If your plugin runs on administration pages you can then use the check_admin_referer() function to check the nonce. For example:

    check_admin_referer( 'my-nonce' );

It automatically extracts the nonce from the _wpnonce query parameter and verifies it, stopping execution if the check fails.
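The three steps above put together in one settings page, as an added example that is not code from the original post. The plugin slug, option name and action string are invented; the nonce is tied to one specific action rather than a generic 'my-nonce', and the capability check alongside it is the part a nonce alone does not give you.

```php
<?php
// Added example, not code from the original post: a minimal settings page
// that ties a nonce to one specific action and verifies it before saving.
// The plugin slug, option name and action string are invented.

add_action( 'admin_menu', function () {
    // 'manage_options' already gates who can see the page.
    add_options_page( 'My Plugin', 'My Plugin', 'manage_options',
                      'myplugin-settings', 'myplugin_render_settings' );
} );

function myplugin_render_settings() {
    if ( isset( $_POST['myplugin_api_key'] ) ) {
        // Reads _wpnonce from the request and dies with an error page if it
        // is missing or does not match this action for the current user.
        // (WordPress nonces are valid for a time window, roughly 12-24 hours,
        // rather than strictly once.)
        check_admin_referer( 'myplugin-save-options' );

        // A valid nonce proves the request came from our form; it does not
        // prove the user may change settings, so check the capability too.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions' );
        }

        $key = sanitize_text_field( wp_unslash( $_POST['myplugin_api_key'] ) );
        update_option( 'myplugin_api_key', $key );
        echo '<div class="updated"><p>Saved.</p></div>';
    }
    ?>
    <div class="wrap">
        <h1>My Plugin</h1>
        <form method="post">
            <?php wp_nonce_field( 'myplugin-save-options' ); // emits _wpnonce and _wp_http_referer ?>
            <label>API key
                <input type="text" name="myplugin_api_key"
                       value="<?php echo esc_attr( get_option( 'myplugin_api_key', '' ) ); ?>">
            </label>
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}
```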

Nonce and Ajax scripts

It's easy to use a nonce in your Ajax scripts. First create a nonce using wp_create_nonce():

    $nonce = wp_create_nonce( 'my-nonce' );

Then pass the nonce as _ajax_nonce parameter somewhere in your Ajax call:

    $("#text").load("…/ajax_response.php?_ajax_nonce=<?php echo $nonce ?>");

To check the nonce in ajax_response.php use check_ajax_referer() function:

    check_ajax_referer( 'my-nonce' );

Here is another example (taken from the Live Blogroll plugin):

    $nonce = wp_create_nonce( 'wp-live-blogroll' );
    …
    jQuery.ajax({
        type: "GET",
        url: '<?php echo $wp_live_blogroll_plugin_url ?>/wp-live-blogroll-ajax.php',
        timeout: 3000,
        data: {
            link_url: this.href,
            _ajax_nonce: '<?php echo $nonce ?>'
        },
        success: function(msg) {
            jQuery('#lb_popup').html(msg);
            jQuery('#lb_popup').fadeIn(300);
        },
        error: function(msg) {
            jQuery('#lb_popup').html('Error: ' + msg.responseText);
        }
    });

Receiving file:

    function WPLiveRoll_HandleAjax( $link_url )
    {
        // check security: verify the nonce before touching $link_url
        check_ajax_referer( 'wp-live-blogroll' );
        // … rest of the handler
    }

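The same nonce round-trip for an Ajax call, as an added example that is not code from the original post or the Live Blogroll plugin; it routes the request through admin-ajax.php rather than a standalone PHP file, so the handler runs with WordPress loaded and the current user known. The action name, element ids and returned data are invented.

```php
<?php
// Added example, not code from the original post or the Live Blogroll plugin:
// the same nonce round-trip for Ajax, routed through admin-ajax.php so the
// handler runs with WordPress loaded and the current user known. The action
// name, element ids and returned data are invented.

// Server side. Only wp_ajax_ (logged-in users) is hooked; with no matching
// wp_ajax_nopriv_ hook, anonymous calls get a "0" response and stop.
add_action( 'wp_ajax_myplugin_lookup', 'myplugin_handle_lookup' );

function myplugin_handle_lookup() {
    // Reads _ajax_nonce from the request; on mismatch it replies -1 and
    // terminates, so nothing below runs for a forged request.
    check_ajax_referer( 'myplugin-lookup' );

    $url = isset( $_GET['link_url'] ) ? esc_url_raw( wp_unslash( $_GET['link_url'] ) ) : '';
    if ( '' === $url ) {
        wp_send_json_error( 'missing link_url' );   // {"success":false,...} then exit
    }
    wp_send_json_success( array( 'host' => wp_parse_url( $url, PHP_URL_HOST ) ) );
}

// Client side, printed on admin pages where the global `ajaxurl` is defined.
add_action( 'admin_footer', function () {
    $nonce = wp_create_nonce( 'myplugin-lookup' );
    ?>
    <script>
    jQuery(function ($) {
        $('a.lb_link').on('click', function (e) {
            e.preventDefault();
            $.getJSON(ajaxurl, {
                action:      'myplugin_lookup',
                link_url:    this.href,
                _ajax_nonce: '<?php echo esc_js( $nonce ); ?>'
            }).done(function (res) {
                var text = res.success ? res.data.host : 'Error: ' + res.data;
                $('#lb_popup').text(text).fadeIn(300);
            });
        });
    });
    </script>
    <?php
} );
```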
Including nonces should not take more than 5 minutes for most plugins, and it is something all plugin authors (including me!) should work on.

Original source: http://prelovac.com

Posted at 11:23:03 am | Posted in: How to Blog, WordPress Plugins, WordPress Security, Wordpress Tips