A WordPress nonce is a security feature in WordPress that helps prevent unauthorized actions and data changes on a website.
Nonce stands for “Number Used Once.”
It is a unique token that WordPress generates to verify that a user has the authority to perform a specific action.
In WordPress, nonces are used to protect against CSRF (Cross-Site Request Forgery) attacks. These attacks occur when a user unknowingly sends a request to a website that they did not intend to make, often through malicious code on another site.
Nonces help prevent these attacks by ensuring that requests are coming from legitimate sources.
Nonces can be added to forms, URLs, and AJAX requests to verify that the request came from a legitimate source.
Why use a nonce?
For an example of why a nonce is used, consider that an admin screen might generate a URL like this that trashes post number 123.
http://example.com/wp-admin/post.php?post=123&action=trash
When you go to that URL, WordPress will validate your authentication cookie information and, if you’re allowed to delete that post, will proceed to delete it. What an attacker can do with this is make your browser go to that URL without your knowledge. For example, the attacker could craft a disguised link on a 3rd party page like this:
<img src="http://example.com/wp-admin/post.php?post=123&action=trash" />
This would trigger your browser to make a request to WordPress, and the browser would automatically attach your authentication cookie and WordPress would consider this a valid request.
Adding a nonce would prevent this. For example, when using a nonce, the URLs that WordPress generates for the user look like this:
http://example.com/wp-admin/post.php?post=123&action=trash&_wpnonce=b192fc4204
If anyone attempts to trash post number 123 without having the correct nonce generated by WordPress and given to the user, WordPress will send a “403 Forbidden” response to the browser.
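The following is an added example, not code from the original article: a minimal plugin that protects a "trash post" link with a nonce the way described above, generating the link with wp_nonce_url() and checking it with check_admin_referer(), which responds with 403 Forbidden when the nonce is missing or wrong. The action name myplugin_trash_post and the function names are assumed; the WordPress API calls are real.

```php
<?php
/*
 * Added example (not from the original article). The plugin action name
 * "myplugin_trash_post" and the function names are assumed/hypothetical;
 * wp_nonce_url(), check_admin_referer(), current_user_can() etc. are real
 * WordPress functions.
 */

// Build the trash link rendered for a logged-in user. wp_nonce_url() appends
// &_wpnonce=... that is tied to the action name, the current user and a
// time window, so it cannot be guessed by a third-party page.
function myplugin_trash_link( $post_id ) {
    $post_id = (int) $post_id;
    $url     = add_query_arg(
        array( 'action' => 'myplugin_trash_post', 'post' => $post_id ),
        admin_url( 'admin-post.php' )
    );
    // Including the post ID in the nonce action means a nonce issued for
    // post 123 does not validate for post 124.
    return wp_nonce_url( $url, 'myplugin_trash_post_' . $post_id );
}

// Handler for admin-post.php?action=myplugin_trash_post (logged-in users).
function myplugin_handle_trash() {
    $post_id = isset( $_GET['post'] ) ? (int) $_GET['post'] : 0;

    // check_admin_referer() reads $_REQUEST['_wpnonce'] and calls wp_die()
    // with a 403 status if the nonce is missing, expired, or was issued for
    // another action or user. A forged <img src="..."> request stops here.
    check_admin_referer( 'myplugin_trash_post_' . $post_id );

    // A nonce proves intent, not permission: still check the capability.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to trash this post.', '', array( 'response' => 403 ) );
    }

    wp_trash_post( $post_id );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
add_action( 'admin_post_myplugin_trash_post', 'myplugin_handle_trash' );
```

Rendering myplugin_trash_link( 123 ) in an admin screen yields a URL of the same shape as the example above (action, post and _wpnonce parameters), and only a request carrying that nonce reaches wp_trash_post().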