With help of our support team WordPress Support Services let’s work on how to Add Nonce field to form WordPress. Bobcares offers solutions to your WordPress issues.

Using the Nonce field to form WordPress

Nonces is the best way to protect users from threats. These are used to secure actions of users, initiated by the plugin such as the submission of a form, the deletion of posts, or anything else that could expose the database.

The nonce is short for “number used once” and they are used in cryptography for securing data by sending a one-time numeric code next to them.

The process is a fairly simple two-step process: Generate a nonce at the origin of an action and validate it at the target. You will only need to know a couple of functions:

Adding Nonces to Forms

To add Nonce to a form, you will need to update a hidden field with a name and a value. WordPress has covered with the wp_nonce_field() function.

You can even use it with one parameter:

This would create two fields: one for the nonce and one for a referrer, which WordPress can also check.

The function gives you four parameters:

The initial parameter defines the action that needs to take with the nonce. This won’t show up in the field. However it is contained in the hash.

The next parameter modifies the name, by default called as _wpnonce.

The third parameter known as a boolean value, which controls whether or not referrer is checked (true by default).

Finally, the last parameter is a boolean, determines whether or not the field is echoed – it is true by default.

One important rule to note is: Always make the action name (the first parameter) as specific as possible. Don’t just name as “delete-post”, make it “delete-post-[post_ID].

On the other end, you will need to verify the nonce. Where the form’s action parameter needs to verify the nonce. Use this simple code:

if ( ! isset( $_POST['field_name'] ) || ! wp_verify_nonce( $_POST['field_name'], 'action_name' ) 
) {
  // Do something if the nonce does not verify
  exit();
} 

// Process your form

This will only work if the form uses the post method. You should be using post for any sensitive method.

Adding Nonces To URLs

Sometimes you need to initiate an action through a link. Especially in the admin area. Since links will essentially pass on as query parameters, you can easily tack them on to links as well.

You can use the function wp_nonce_url() to work. Here’s how:

$delete_link = wp_get_shortlink( get_the_ID() ) . '&delete=true';
$nonced_link = wp_nonce_url( $delete_link, 'delete-post-' . get_the_ID(), '_mynonce' );

The end result will show up with URL, that looks like this:

http://mysite.com?p=553&_mynonce=7278c82a8f3.

This is related to what we did with forms. The only difference is that the nonce passed in the URL as GET parameters.

You can verify the nonce using much the same as previous method. This time add the proper action name with the ID, and use GET variables.

if ( ! isset( $_GET['_mynonce'] ) || ! wp_verify_nonce( $_GET['_mynonce'], 'delete-post-' . $_GET['p'] ) 
) {
  // Do something if the nonce does not verify
  exit();
} 

// Process your form

[Looking for a solution to another query? We are just a click away.]

Conclusion

To conclude, Nonces is the best way to protect users from threats. From this article, you have seen Adding Nonces to Forms method and how to add Nonces To URLs.