Today, I am going to share a tip on how we can make our WordPress plugins and themes more secure. I have seen many plugins and themes where WordPress developers are not using WordPress nonces, even though it is VERY important. If you are working as a freelance WordPress developer and creating custom plugins or themes, I am sure this article is going to be very helpful for you.


What does a WordPress nonce actually mean?

In short, a WordPress nonce is a “number used once”. It’s a string value, a temporary unique key that WordPress generates automatically and that acts as a special security token to check whether you are the same person who is performing an action, or someone else, while submitting a form, adding a post, deleting a post, etc.

Why should we use a WordPress nonce?

The main purpose of a nonce is to protect your site from malicious attacks such as Cross-Site Request Forgery (CSRF, sometimes pronounced “sea-surf”, or XSRF), which is used to trick someone into submitting a form or clicking a link that will cause harm to your site.

How do nonces work in WordPress?

It is very simple. As I mentioned earlier, the nonce is generated by WordPress itself; when a form is submitted or a link is clicked, WordPress checks the nonce value and, if it matches, you are free to proceed.

One thing to remember: you don’t need to do anything about nonces in the forms or links that are generated by WordPress, like “add post” or “edit post”, but you have to use nonces in the custom-built plugins or themes you create.

How to use a nonce in WordPress?

Before we walk you through a complete example of how to implement a nonce in a form or in a URL, let us understand how the nonce works in WordPress.

There are three steps we must follow to implement a nonce in a WordPress plugin or theme:

1. How to create a nonce.
2. How to pass a nonce through a Form or URL.
3. How to verify a nonce before doing a specific action.

1. How to create a nonce?

To create a nonce, there is a function named “wp_create_nonce($action)”, which generates and returns a unique value based on the current time and the $action.
The “$action” parameter is optional but recommended; it refers to what will happen.


2. How to pass a nonce through a Form or URL?

How to pass a nonce in URLs.

How to pass a nonce in Forms.

We use “wp_nonce_field($action, $name)” to pass a nonce through forms. The wp_nonce_field() function generates a hidden input field which stores a nonce value that can be retrieved later on.

The parameter “name_of_my_action” is the context in which you are using the nonce field, and “name_of_nonce_field” is any name you want to specify. The default is “_wpnonce”. It’s better to use both the $action and $name parameters for better security.

3. How to verify a nonce?

After putting it into the form, you can get it like this:



In this example we are creating a form and embedding a nonce field in it. This form can be used for your contact page or anything you like on your site where you are taking input from users.

The HTML code for the form is (notice the wp_nonce_field function):

So, you have your contact form ready and now want to take the data from the form inputs and process it. Form inputs are the doors through which most malicious attacks happen and where hackers run anything they like. So, you should properly sanitize your inputs, which is very important for your website security.

Here is how you verify the nonce in your contact form.
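
The three steps above (create, pass, verify) in one contact-form plugin file, as an added example that is not the article's own code. The function names and the "my_contact" hook suffix are hypothetical; “name_of_my_action” and “name_of_nonce_field” are the names used in the text above.

```php
<?php
// Added example, not the article's code. The function names and the "my_contact"
// hook suffix are hypothetical; the action and field names are those used in the text.

// Steps 1 and 2: wp_nonce_field() creates the nonce and prints it as a hidden input.
function my_contact_form_shortcode() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="my_contact">
        <?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' ); ?>
        <input type="email" name="email" required>
        <textarea name="message" required></textarea>
        <button type="submit">Send</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'my_contact_form', 'my_contact_form_shortcode' );

// Step 3: verify the nonce before touching any other input.
function my_contact_handle() {
    $nonce = isset( $_POST['name_of_nonce_field'] )
        ? sanitize_text_field( wp_unslash( $_POST['name_of_nonce_field'] ) )
        : '';
    // wp_verify_nonce() returns false when the nonce is missing, expired, or was
    // created for a different action or user; otherwise it returns 1 or 2 (its age).
    if ( ! wp_verify_nonce( $nonce, 'name_of_my_action' ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Only now read and sanitize the form inputs.
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! is_email( $email ) || '' === $message ) {
        wp_die( 'Invalid input.', 'Bad Request', array( 'response' => 400 ) );
    }

    wp_mail( get_option( 'admin_email' ), 'Contact form', $message, array( 'Reply-To: ' . $email ) );
    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}
add_action( 'admin_post_my_contact', 'my_contact_handle' );        // logged-in users
add_action( 'admin_post_nopriv_my_contact', 'my_contact_handle' ); // visitors
```

A nonce shows that the request came from your own form, not that the user is allowed to perform the action, so handlers for privileged actions should also check current_user_can().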


