In WordPress, a nonce is a security feature used to protect URLs and forms from being misused. It works by adding a unique, single-use number to the URL or form.
For example, when you delete a comment from the comment moderation screen, WordPress adds a nonce key to the URL like this:
http://www.example.com/wp-admin/comment.php?c=16570&action=deletecomment&_wpnonce=389c3b47b9
How Do Nonces Protect Your WordPress Site?
Some WordPress functions and features use a query string in the URL to perform certain actions. Nonces add a random value to these strings so they cannot be guessed and misused by attackers.
WordPress uses the constants NONCE_SALT and NONCE_KEY to generate unique nonces. These nonce salts and security keys, along with other unique keys, are stored in the wp-config.php file and are unique to each WordPress site.
Nonce Verification and Error Messages
When a URL with a nonce key is executed, it goes through a verification check.
If this check fails, then WordPress returns a 403 Forbidden response and an error message, 'Are you sure you want to do this?'.
This error may be caused by a poorly coded plugin or theme that makes the nonce verification fail.
To fix this issue, a user can deactivate all plugins and then reactivate them one by one to find out which plugin is causing the error.
For themes, switching to a default theme and then trying to reproduce the error will show whether the previously active theme was causing the issue.
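As an added example that is not part of the original article, here is how a plugin would attach a nonce to an admin link and verify it in the handler using the WordPress PHP API; the example_ function and action names are hypothetical. The commented-out line shows the kind of plugin bug that makes nonce verification fail and produces the error described above.

```php
<?php
/*
 * Added example (not from the original article). The "example_" prefix,
 * the action names and the capability used below are assumptions.
 */

// Build the link. wp_nonce_url() appends _wpnonce=<hash> to the URL,
// just like the comment-deletion URL shown in the article.
function example_build_delete_link( $item_id ) {
    $item_id = absint( $item_id );
    $url     = add_query_arg(
        array( 'action' => 'example_delete_item', 'item' => $item_id ),
        admin_url( 'admin-post.php' )
    );
    // The action string ties the nonce to this operation and this item.
    return wp_nonce_url( $url, 'example_delete_item_' . $item_id );
}

// Handler for admin-post.php?action=example_delete_item&item=...&_wpnonce=...
function example_handle_delete_item() {
    $item_id = isset( $_GET['item'] ) ? absint( $_GET['item'] ) : 0;

    // BUG (the "poorly coded plugin" case): verifying against a different
    // action string than the one used when the nonce was created. Every
    // click would then fail verification and show the nonce error.
    // check_admin_referer( 'example_delete' );

    // Correct: same action string as when the link was built. If the nonce
    // is missing, altered, built for another action or expired, this calls
    // wp_die() with the nonce error message and a 403 status.
    check_admin_referer( 'example_delete_item_' . $item_id );

    // A nonce proves the request came from a form or link WordPress generated
    // for this user; it does not replace a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }

    // ... perform the deletion of $item_id here (assumed plugin logic) ...

    wp_safe_redirect( admin_url( 'admin.php?page=example&deleted=' . $item_id ) );
    exit;
}
add_action( 'admin_post_example_delete_item', 'example_handle_delete_item' );
```

wp_verify_nonce() is the non-fatal variant of the same check: it returns false on failure, or 1 or 2 depending on the nonce's age, so a plugin can report the failure itself instead of letting WordPress die with the error message above.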
We hope this article helped you learn more about nonces in WordPress. You may also want to see our Additional Reading list below for related articles on useful WordPress tips, tricks, and ideas.