Improving security in WordPress plugins using nonces

Using a nonce (number used once) is the best way to protect your plugin against a cross-site request forgery (CSRF) attack. Nonces are used on requests (saving options in admin, Ajax requests, performing an action, etc.) and prevent unauthorized access by providing a secret 'key' and checking it each time the code is used.

Nonces in WordPress

Nonces work in the following way:

  1. First you generate a nonce with a unique identifier (the action name)
  2. You pass the nonce along with the other query data (link or form) to your script
  3. You verify the nonce before doing anything else

In order to create a nonce you can use the wp_create_nonce() function.

$nonce = wp_create_nonce('my-nonce');

Next, pass the value of $nonce as a parameter in your request. For example:

<a href="myplugin.php?_wpnonce=<?php echo $nonce; ?>">...</a>

You can use the wp_verify_nonce() function to check the nonce before you perform any other action in the plugin.

$nonce = $_REQUEST['_wpnonce'];

if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) die( "Security check" );

And that's all! If you thought it can't be any easier than this you'd be wrong.

Using nonce functions

WordPress provides a couple of functions to simplify the usage of nonces even more.

For your forms you can use wp_nonce_field(), which will output a hidden field with a nonce. Place the function somewhere inside your form. For example:

<form action="..." method="post">
    <?php wp_nonce_field('my-nonce'); ?>
    ...
</form>

If you want to add a nonce to a link, you can use the wp_nonce_url() function. Note that it returns the URL rather than printing it, so you need to echo the result. For example:

<a href="<?php echo wp_nonce_url($url, 'my-nonce'); ?>">...</a>

If you are using the plugin on administration pages you can then use the check_admin_referer() function to check the nonce. For example:

check_admin_referer('my-nonce');

It will automatically extract the nonce from the _wpnonce query parameter and verify it, stopping the request if the nonce is missing or invalid.
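As an added, complete example (not code from this post or from any plugin it mentions), here is a small admin page that ties the pieces together: wp_nonce_url() builds a per-item delete link, and check_admin_referer() verifies it with the same action string. The plugin, option, capability and action names are invented for the example; the current_user_can() check is included because a valid nonce only shows the request came from your own page, not that the user is allowed to perform the action.

```php
<?php
/*
Plugin Name: Nonce Demo (added example, not the post's own code)
*/

// Hypothetical capability and action names used throughout this example.
const NONCE_DEMO_CAP    = 'manage_options';
const NONCE_DEMO_ACTION = 'nonce_demo_delete';

// Register a page under Tools; the same callback renders the list and handles deletes.
add_action( 'admin_menu', function () {
    add_management_page( 'Nonce Demo', 'Nonce Demo', NONCE_DEMO_CAP, 'nonce-demo', 'nonce_demo_page' );
} );

function nonce_demo_page() {
    // Authorization first: the nonce proves intent, not permission.
    if ( ! current_user_can( NONCE_DEMO_CAP ) ) {
        wp_die( 'You do not have permission to do this.' );
    }

    // Constructed sample data stored in an option (hypothetical option name).
    $items = get_option( 'nonce_demo_items', array( 'alpha', 'beta', 'gamma' ) );

    if ( isset( $_GET['delete'] ) ) {
        $id = (int) $_GET['delete'];
        // The action string includes the item id, so a nonce issued for
        // deleting item 1 cannot be replayed to delete item 2.
        // check_admin_referer() calls wp_die() itself when the nonce fails.
        check_admin_referer( NONCE_DEMO_ACTION . '_' . $id );
        unset( $items[ $id ] );
        $items = array_values( $items );
        update_option( 'nonce_demo_items', $items );
    }

    echo '<div class="wrap"><h1>Nonce Demo</h1><ul>';
    foreach ( $items as $id => $name ) {
        // wp_nonce_url() appends _wpnonce bound to this item's action string.
        $url = wp_nonce_url(
            add_query_arg( array( 'page' => 'nonce-demo', 'delete' => $id ), admin_url( 'tools.php' ) ),
            NONCE_DEMO_ACTION . '_' . $id
        );
        printf( '<li>%s <a href="%s">delete</a></li>', esc_html( $name ), esc_url( $url ) );
    }
    echo '</ul></div>';
}
```

Dropping this file into wp-content/plugins and activating it gives a Tools page whose delete links only work when clicked from that page; a link pasted into a fresh session, or edited to point at a different item id, fails the nonce check.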

Nonce and Ajax scripts

It's easy to use a nonce in your Ajax scripts. First create a nonce using wp_create_nonce().

$nonce = wp_create_nonce('my-nonce');

Then pass the nonce as _ajax_nonce parameter somewhere in your Ajax call:

$("#text").load(".../ajax_response.php?_ajax_nonce=<?php echo $nonce ?>");

To check the nonce in ajax_response.php use the check_ajax_referer() function:

check_ajax_referer('my-nonce');

Here is another example (taken from the Live Blogroll plugin):

$nonce = wp_create_nonce( 'wp-live-blogroll' );
...
jQuery.ajax({
    type: "GET",
    url: '<?php echo $wp_live_blogroll_plugin_url ?>/wp-live-blogroll-ajax.php',
    timeout: 3000,
    data: {
        link_url: this.href,
        _ajax_nonce: '<?php echo $nonce ?>'
    },
    success: function(msg) {
        jQuery('#lb_popup').html(msg);
        jQuery('#lb_popup').fadeIn(300);
    },
    error: function(msg) {
        jQuery('#lb_popup').html('Error: ' + msg.responseText);
    }
});

Receiving file:

function WPLiveRoll_HandleAjax($link_url)
{
    // check security: stops the request if _ajax_nonce is missing or invalid
    check_ajax_referer( "wp-live-blogroll" );
    // ... the rest of the handler builds the response for $link_url
}

Including nonces should not take more than 5 minutes for most plugins, and it is something all plugin authors (including me!) should work on.

Posted in: WordPress

6 Comments

  1. Tom
    4 weeks ago

    Someone had to point out that for us UK readers "nonce" is an extremely widely used and understood slang for a paedophile, which makes virtually every statement above extremely "humorous". Sorry to be childish, but I assure you it's true. http://www.google.es/search?hl=en&rlz=1B3GGGL_en-GBES329ES329&q=nonce+uk&btnG=Search

    • 4 weeks ago

      Well luckily it wasn't me who came up with the expression :)

  2. Hangman
    Jul 19th, 2009

    Thanks a lot for this!

  3. Lukas
    Jul 14th, 2009

    Exactly what I was looking for! Thanks.

  4. iamduyu
    Jul 9th, 2009

    Thanks, it's just what I'm looking for.

  5. Naomi
    Mar 24th, 2009

    Does this still reign true for Wordpress 2.7 and above?


About Vladimir

Hi! My name is Vladimir Prelovac. I am a computer engineer by profession and an adventurer by state of mind.
