Juliette Tworsey
Front End Web Development Techdegree Graduate 32,425 Points

Wordpress Nonces

I came across this article on WP nonces the other day and I was wondering if plugins that allow reader input (i.e., via forms, comments, commerce, etc.) create the need for nonces.

What is the best approach to security on WordPress? I'm familiar with htmlspecialchars in PHP forms, but this is new territory for me. This is the first that I have even heard of nonces. Are they an effective way to prevent hackers from breaking into your site(s)?

Thanks in advance:-)

4 Answers

Kevin Korte
28,148 Points

It's not because of plugins, it is just general form inputs that create the need for what WordPress calls a nonce, or number-used-once (although it's more of a hash, not a straight number).

They are effective at preventing some sorts of attacks, mostly CSRF attacks. Rails, a framework in Ruby, also includes what they call csrf tokens by default on every single form for the same reason.

What it's protecting against is someone else, on another site, posting a form to your site. By default there is nothing to stop that. My domain kevin.xyz could have a form that posts to juliette.xyz, because looking at your site, I could see where your form posts, and the name attributes you used, so I could duplicate that. A user takes action on my end, it posts to your site....ouuttt oh!

If the form generated a nonce, or a random hash, the hash will also be submitted with the form. If the hash that gets submitted with the form does not match the hash the server was expecting, the form doesn't post, it gets a forbidden error. In the case of nonce, they have a short time to live, so if I was a loser with no life, I could see your nonce and update my form to use your nonce, but I'd have to constantly be checking and updating the nonce, to the point it becomes too cumbersome to do.

It's also great when a form is doing an action, like creating or deleting, you can check the nonce to be reasonably sure the request is actually valid.

Juliette Tworsey
Front End Web Development Techdegree Graduate 32,425 Points

Whoosh! Thanks for such an in depth response Kevin.

So basically a nonce (although via a different approach) protects a site that has forms/user input much like that of htmlspecialchars? I'm going to have to read this again in the morning to fully grasp what you have explained here to me. I think that I get the concept though.

How do I generate a nonce in a form field &/or create/delete action on WordPress? Is there a good place to learn about this more in depth?

Thanks again:-)

Kevin Korte
28,148 Points

It does protect a site but it does it differently than htmlspecialchars. That's really for sanitizing input against someone submitting code in an input box.

A nonce keeps someone else from submitting a form from their site to yours, as an example. This kind of attack is called a cross-site request forgery. WP just calls them a nonce. Again, in Rails they are simply called a csrf token, exact same thing.

To use, first you want to create the nonce using wp_create_nonce when you are loading the page that has the form.

https://codex.wordpress.org/Function_Reference/wp_create_nonce

There are examples on how you can build a url to use a get request to include the nonce on that page.

If it's in the form, the nonce should be in a hidden field in the form. You can add that using the wp_nonce_field. There are optional arguments which I suggest you follow the codex's advice and use the optional arguments as they indicate.

https://codex.wordpress.org/Function_Reference/wp_nonce_field

This would create a field in your form like this:

<form action="form.php" method="POST">
<input type="hidden" name="_wpnonce" value="kdfdjhIU8DKHj3dkf7dFJ2ddfD9kdre3kdhjfijEfg">
<input type="text" name="name">
<input type="email" name="email">
<input type="text" name="location">
<input type="submit" value="Submit">
</form>

My form is super simplified, and hopefully my syntax is right from memory, but you can see what that nonce field might look like, for instance.

Finally, we get a form submit, we first check for the form submit, and then check the nonce. When you're checking the form, you can just see if the nonces match using the wp_verify_nonce function.

That's the general overall picture.
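
The flow described in the answer above, as an added example that is not part of the original post: a small plugin file that prints the nonce with wp_nonce_field and rejects the submission unless wp_verify_nonce accepts it. The action name `demo_contact_submit`, the field name `demo_contact_nonce` and the shortcode `[demo_contact_form]` are hypothetical names chosen for illustration.

```php
<?php
/**
 * Plugin Name: Nonce Contact Form (illustrative example)
 */

// Hypothetical names: action 'demo_contact_submit', nonce field
// 'demo_contact_nonce', shortcode [demo_contact_form].

// 1. Render the form. wp_nonce_field() prints the hidden nonce input
//    (and, by default, a hidden _wp_http_referer input).
add_shortcode( 'demo_contact_form', function () {
    ob_start(); ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="POST">
        <input type="hidden" name="action" value="demo_contact_submit">
        <?php wp_nonce_field( 'demo_contact_submit', 'demo_contact_nonce' ); ?>
        <input type="text" name="name">
        <input type="email" name="email">
        <input type="text" name="location">
        <input type="submit" value="Submit">
    </form>
    <?php
    return ob_get_clean();
} );

// 2. Handle the POST: check the nonce before using any other input.
function demo_contact_handle() {
    $nonce = isset( $_POST['demo_contact_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_contact_nonce'] ) )
        : '';

    // wp_verify_nonce() returns false for a missing, wrong or expired nonce.
    if ( ! wp_verify_nonce( $nonce, 'demo_contact_submit' ) ) {
        wp_die( 'Invalid or expired form token.', 'Forbidden', array( 'response' => 403 ) );
    }

    // The nonce only ties the request to our form. Input is still
    // sanitized here and must be escaped wherever it is later displayed.
    $name     = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $location = sanitize_text_field( wp_unslash( $_POST['location'] ?? '' ) );

    wp_mail( get_option( 'admin_email' ), 'Contact form', "From: $name <$email>\nLocation: $location" );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url( '/' ) );
    exit;
}
add_action( 'admin_post_demo_contact_submit', 'demo_contact_handle' );        // logged-in users
add_action( 'admin_post_nopriv_demo_contact_submit', 'demo_contact_handle' ); // visitors
```

By default a WordPress nonce stays valid for up to 24 hours, and for logged-out visitors it is not bound to an individual user, so it protects logged-in actions far better than anonymous ones.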

This is the first time I have a clear image of nonce.

Kevin Korte
28,148 Points

Glad to know it was helpful :)

Juliette Tworsey
Front End Web Development Techdegree Graduate 32,425 Points

That does help me to get an idea of the overall picture. The whole idea seemed very abstract to me at first.. The only thing that I am left wondering about is the use of a form plugin and whether or not I would have to modify the code of the plugin itself in order to assign a nonce to a form.

Maybe it's better to just put everything that I have learned here into use via an actual template(s)? In other words, maybe there's an advantage to creating your own forms in WordPress (?). ..or maybe some form plugins already utilize nonces or something equivalent?

Thanks again for all of the time that you have taken to explain the concept to me:-)

Juliette Tworsey
Front End Web Development Techdegree Graduate 32,425 Points

Hi Deddeaw,

I agree...and it has become even more clear to me after coming back to read Kevin's replies after not thinking about it for awhile. I'm glad that I checked my inbox this morning:-)