{"id":2303,"date":"2019-10-30T15:12:18","date_gmt":"2019-10-30T15:12:18","guid":{"rendered":"https:\/\/ibex.tech\/cloud\/?p=2303"},"modified":"2025-08-10T15:54:04","modified_gmt":"2025-08-10T14:54:04","slug":"nonce-functions","status":"publish","type":"post","link":"https:\/\/ibex.tech\/cloud\/wordpress\/ajax-wordpress\/nonce-functions","title":{"rendered":"Nonce Functions"},
"content":{"rendered":"\n<h4 class=\"wp-block-heading\">Logged in \/ Not logged in<\/h4>\n\n\n\n<p>Nonces work for both logged-in and logged-out visitors. wp_create_nonce() and wp_verify_nonce() mix the current user ID (and, for a logged-in user, the session token) into the nonce hash, so a nonce created for one user will not verify for another user, and a nonce created while logged in stops verifying once that user logs out. A nonce created for a logged-out visitor uses user ID 0 and only verifies for other logged-out requests. Nonces are also time-limited rather than single-use: by default one stays valid for between 12 and 24 hours, and within that window it can be submitted more than once.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">wp_nonce_field() and wp_verify_nonce()<\/h4>\n\n\n\n<p>Render the hidden nonce field inside the form. With the fourth argument set to false, wp_nonce_field() returns the markup instead of printing it, so it still has to be echoed; the third argument (true) adds a hidden referer field as well.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$OurNonceField = wp_nonce_field( 'MySiteSomeUniqueNonceName', 'my_site_request_nonce', true, false );   \/\/ Returns the hidden nonce and referer fields; used to validate that the form submission came from this site and not somewhere else\necho $OurNonceField;   \/\/ display=false only returns the markup, so print it inside the form<\/code><\/pre>\n\n\n\n<p>On submission, read the field back under the same name that was passed to wp_nonce_field() (not the WordPress default _wpnonce) and verify it against the same action name:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ The field name given to wp_nonce_field() is the key to read back here.\n$OurNonceField = isset( $_REQUEST&#91;'my_site_request_nonce'] ) ? $_REQUEST&#91;'my_site_request_nonce'] : '';\nif ( ! wp_verify_nonce( $OurNonceField, 'MySiteSomeUniqueNonceName' ) ) {\n    die( 'Security check' );     \/\/ Nonce is missing, expired, or was created for another user or action.\n}<\/code><\/pre>\n\n\n\n<p>MySiteSomeUniqueNonceName<br>The first argument is the action name. A nonce verifies against any request that presents the same action name, so use a distinct name per operation (per form, or per Ajax action): with one site-wide name, a nonce harvested from any form on the site can be replayed to any other handler that checks it. Moving away from the WordPress default of -1 is the minimum; one name per action is the intended use.<\/p>\n\n\n\n<p>my_site_request_nonce<br>The second argument is the name of the hidden field, and therefore the key read from $_POST or $_GET when verifying. The name is publicly visible in the page source, which is fine: the secret is the nonce value, derived from the site keys and the user's session, not the field name.<\/p>\n\n\n\n<p>A valid nonce only shows that the request came from a page this site rendered for this user; it says nothing about what the user is permitted to do. Keep a capability check such as current_user_can() next to every wp_verify_nonce() or check_ajax_referer() call, and sanitize the other request fields as usual.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Using with Ajax Calls<\/h4>\n\n\n\n<p>admin-ajax.php loads the full WordPress environment, so the current user is resolved from the login cookie on the Ajax request itself and the nonce functions work unchanged, still tied to the user who was given the nonce. For security do not pass the user_id from JavaScript; anything the client sends can be set to any value. Call get_current_user_id() on the server instead. If logged-out visitors must also reach the action, hook wp_ajax_nopriv_{action} as well; they receive a logged-out nonce (user ID 0).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ PHP (functions.php): create the nonce and hand it to the enqueued script.\n$AjaxNonce = wp_create_nonce( 'my-nonce-special-string' );\nwp_localize_script( 'my-script-handle', 'MyAjax', array(\n    'ajaxurl'  => admin_url( 'admin-ajax.php' ),\n    'security' => $AjaxNonce,\n) );\n\n\/\/ JavaScript: send the nonce with the request. Writing '$AjaxNonce' literally in a .js file\n\/\/ would send the text $AjaxNonce, not the nonce, so read it from the localized object.\nvar post_data = {\n    'action':     'my_ajax_callback',   \/\/ The name of the Ajax callback action in functions.php\n    'security':   MyAjax.security,\n    'my_value_1': 9876\n};\n\njQuery.post(MyAjax.ajaxurl, post_data);\n\n\/\/ PHP: verify it in the Ajax handler.\nadd_action( 'wp_ajax_my_ajax_callback', 'my_ajax_callback' );\nfunction my_ajax_callback() {\n    \/\/ Nonces are tied to the user ID, which WordPress resolves from the login cookie.\n    \/\/ check_ajax_referer() calls die() if the nonce cannot be verified.\n    check_ajax_referer( 'my-nonce-special-string', 'security' );\n    $user_id = get_current_user_id();   \/\/ Use this if your function wants the WordPress user_id\n    \/\/ ... do the work, then wp_send_json_success( ... );\n}<\/code><\/pre>\n","protected":false},
"excerpt":{"rendered":"<p>Logged in \/ Not logged in Nonces work for both logged-in and logged-out visitors. wp_create_nonce() and wp_verify_nonce() mix the current user ID (and, for a logged-in user, the session token) into the nonce hash, so a nonce created for one user will not verify for another user, and a nonce created while logged in stops [&hellip;]<\/p>\n","protected":false},
"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[180,346,191],"tags":[],"class_list":["post-2303","post","type-post","status-publish","format-standard","hentry","category-ajax-wordpress","category-forms-wordpress","category-nonces"],"_links":{"self":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/2303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/comments?post=2303"}],"version-history":[{"count":5,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/2303\/revisions"}],"predecessor-version":[{"id":5104,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/2303\/revisions\/5104"}],"wp:attachment":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/media?parent=2303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/categories?post=2303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/tags?post=2303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
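The post above states the binding rules for WordPress nonces (tied to the user, to the session, to the action name, and to a 12 to 24 hour window) for both the form case and the Ajax case, but a reader cannot exercise them without a running WordPress install. The script below is an added example, not code from the post and not WordPress's own implementation: it models the construction WordPress uses for wp_create_nonce() and wp_verify_nonce() (a keyed hash over tick|action|uid|session-token, truncated, with the current and previous half-day tick accepted) so that the rules can be checked offline. The site key, user IDs, session tokens and the clock value are all constructed; the clock is passed in as a parameter so the expiry behaviour is reproducible.

```php
<?php
// Added example: a stand-alone model of how WordPress builds and checks a nonce.
// This is NOT WordPress's own code. It mirrors the shape of wp_create_nonce() /
// wp_verify_nonce() (tick|action|uid|token, keyed hash, 12-24 h validity) so the
// binding rules can be exercised without a WordPress install.
// Assumptions: SITE_KEY stands in for wp_salt('nonce'); user IDs, session tokens
// and $now are constructed test values.

const NONCE_LIFE = 86400;   // DAY_IN_SECONDS, the WordPress default nonce_life
const SITE_KEY   = 'constructed-site-key-not-a-real-salt';

// Ticks advance every half-life (12 h); a nonce is accepted for its own tick and the next one.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function make_nonce(string $action, int $uid, string $token, int $now): string {
    $tick = nonce_tick($now);
    $hash = hash_hmac('md5', $tick . '|' . $action . '|' . $uid . '|' . $token, SITE_KEY);
    return substr($hash, -12, 10);   // same truncation WordPress applies
}

// Returns 1 (created in the current tick), 2 (created in the previous tick) or false,
// the same return values as wp_verify_nonce().
function verify_nonce(string $nonce, string $action, int $uid, string $token, int $now) {
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        $expected = substr(hash_hmac('md5', $t . '|' . $action . '|' . $uid . '|' . $token, SITE_KEY), -12, 10);
        if (hash_equals($expected, $nonce)) {   // constant-time compare, as WordPress does
            return $age;
        }
    }
    return false;
}

$now   = 1700000000;   // constructed "current time" (about 1.8 h before the tick rolls over)
$alice = ['uid' => 7, 'token' => 'alice-session-token'];
$bob   = ['uid' => 8, 'token' => 'bob-session-token'];

// A nonce for one specific form action, issued to the logged-in user Alice.
$nonce = make_nonce('delete_post_42', $alice['uid'], $alice['token'], $now);

// A logged-out visitor gets a nonce too (uid 0, empty token); it verifies for logged-out requests only.
$anon = make_nonce('delete_post_42', 0, '', $now);

$checks = [
    'same user, same action, fresh'        => verify_nonce($nonce, 'delete_post_42', $alice['uid'], $alice['token'], $now),
    'same user, 1 hour later (same tick)'  => verify_nonce($nonce, 'delete_post_42', $alice['uid'], $alice['token'], $now + 3600),
    'same user, 6 hours later (next tick)' => verify_nonce($nonce, 'delete_post_42', $alice['uid'], $alice['token'], $now + 6 * 3600),
    'same user, 30 hours later'            => verify_nonce($nonce, 'delete_post_42', $alice['uid'], $alice['token'], $now + 30 * 3600),
    'other user (Bob) presents it'         => verify_nonce($nonce, 'delete_post_42', $bob['uid'], $bob['token'], $now),
    'Alice after logout (uid 0, no token)' => verify_nonce($nonce, 'delete_post_42', 0, '', $now),
    'replayed against another action'      => verify_nonce($nonce, 'delete_post_43', $alice['uid'], $alice['token'], $now),
    'logged-out nonce, logged-out request' => verify_nonce($anon, 'delete_post_42', 0, '', $now),
    'logged-out nonce presented by Alice'  => verify_nonce($anon, 'delete_post_42', $alice['uid'], $alice['token'], $now),
];

foreach ($checks as $label => $result) {
    printf("%-38s => %s\n", $label, var_export($result, true));
}

// Why one site-wide action name is weaker: a nonce rendered into a harmless form
// (say a contact form) also satisfies a sensitive handler that checks the same name.
$contactFormNonce = make_nonce('MySiteSomeUniqueNonceName', $alice['uid'], $alice['token'], $now);
$deleteHandlerOk  = verify_nonce($contactFormNonce, 'MySiteSomeUniqueNonceName', $alice['uid'], $alice['token'], $now);
printf("%-38s => %s\n", 'contact-form nonce accepted by delete', var_export($deleteHandlerOk, true));
```

Run it with `php nonce_model.php`. The first three checks return 1, 2 and false in turn, showing why a nonce's lifetime is "12 to 24 hours" rather than a fixed value: it depends on how far into the current tick the nonce was created. The other-user, logged-out and other-action checks all return false, which is the binding the post describes, and the last line returns 1, which is the replay the per-action naming advice is meant to prevent. Note that within its window the same nonce verifies every time it is presented; WordPress does not consume nonces on use.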