About WordPress Nonces

The main objective of the WordPress tokens is to protect the website URLs from malicious or any other wrongdoings. This is actually a combination of alphanumeric characters that is not easy to comprehend. However, the WordPress tokens have a limited time of validity, after which it expires. Once the token expires it will generate for a given individual in a given scenario. Once the token is assigned for a specific individual, it won’t change until the life cycle of the token is completed. The WordPress tokens provide security against various types of attacks such as Cross-site request forgery, also known as one-click attack or session using. The tokens are not well-known for the replay attacks due to the fact that it is not used for one-time use. The functions can be protected using current_user_can(). The tokens cannot be dependent upon authentication or authorization, access control.

Example of using WordPress token:

http://example.com/wp-admin/post.php?post=789&action=trash&_wptoken=c654cg4924

Any attempt to modify the URL will cause the token to be invalid and attempts to fail

http://example.com/wp-admin/post.php?post=256&action=trash&_wptoken=f789nm6478

In case of invalid token, “403 Forbidden” response to the browser, with the error message: “Are you sure you want to do this?”

Creating a token

There are various methods to create token such as adding the query string to the URL or can be added in a filed which is hidden. Tokens which use AJAX request often add the tokens to the hidden field and then JavaScript code can be easily fetched. It is to be noted that the every tokens are different for every individual, so in case if an individual logs out and in asynchronously the existing token on the page will not be valid.

Adding a token to a URL

Token can be added to a URL by calling wp_token_url() where you have to specify the bare URL also specifying the string indicating the action.

$complete_url = wp_token_url( $bare_url, ‘trash-post_’.$post->ID );

Security level can be highest when we specifically write down the string indicating the action. A default field name wptoken is added by the wp_token_url() function. Here we can specify any name in the function call. For example:

$complete_url = wp_token_url( $bare_url, ‘trash-post_’.$post->ID, ‘our_token’ );

Adding a token to a form

Adding a token to a form is done by calling wp_token_field() which specify the string which indicates action. There are two hidden fields generated by wp_token_field() and they are:

1) Generated hidden value will be the token.

2) Generated hidden value is the current URL (the referrer) and it will display the result. For example:

wp_token_field( ‘delete-comment_’.$comment_id );

Which could display like:

<input type=”hidden” id=”_wptoken” name=”_wptoken” value=”895b4455q1″ />
<input type=”hidden” name=”_wp_http_referer” value=”/wp-admin/add-comments.php” />

It is to be noted that the string indicating the action must be specific. The individual has the following privileges:

1) Can enter a different name for the token field.

2) Can set the option that you don’t want a referrer field.

3) Can set the options to return the results and not displayed.

Creating a token for use in another way

Another method used to create a token is to call wp_create_token() providing a string indicating the action. For example:

$token = wp_create_token( ‘my-action_’.$post->ID );

Which will return the token, for example: 387b484257. It is to be noted that string indicating the action must be provided.

Verifying a token

There is a provision to check a token such as:

1) Which was passed in a URL or in a form in an admin screen or

2) In an AJAX request

3) In any other situation.

Verifying a token passed from an admin screen

It is possible to check the token which was passed in a URL or in a form in an admin screen by calling check_admin_referer() which defines the string indicating the action. For example:

check_admin_referer( ‘add-comment_’.$comment_id );

In this the token and referrer are checked and if it fails the normal actions will be proceeded, that is terminating script execution with a “403 Forbidden” response and an error message. It is best to specify the field name while creating the token, for example:

check_admin_referer( ‘add-comment_’.$comment_id, ‘my_token’ );

Verifying a token passed in an AJAX request

Token which was passed can be verified in an AJAX request by calling check_ajax_referer() which define the string indicating the action. For example:

check_ajax_referer( ‘run-comment’ );

It will check the token (not the referrer) and if any fail occurs then it will terminate execution of the script by default. It is to be noted that while creating the token either one of the default field names must be used (_wptoken or _ajax_token) or additional parameters can be used to perform other actions instead of terminating the execution.

Verifying a token passed in any other situation

It is possible to verify the token which was passed in any other context by calling wp_verify_token() defining the token and the string indicating the action. For example: