Nonce actions and names available via open source

I am using a plugin which makes its code publicly available.

Therefore, anyone can see the $action and $name parameters used to generate the nonces.

Does this make my site more vulnerable since this reduces the added security provided by these parameters? Should I thus replace these parameters with my own values for them?

Thanks.

1 Answer

Specific to nonces, there is nothing to worry about, as there is a third private parameter which is kept secret (one of the keys added to your wp-config.php file).

In general, there is no such thing as “closed source”, and all code can be read and interpreted by anyone who is willing to dedicate the time. The fact that it is easier for you to see how the code works does not by default make it better or worse security-wise, and each case needs to be evaluated on its own merit.

In your case, for example, the calculation of the nonce might be done perfectly, but it might be made public because of some bug in the code.
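A Python model of WordPress's nonce scheme, added here as an illustration; it is not code from the question's plugin or from WordPress itself, and the key and salt values are constructed stand-ins for the NONCE_KEY and NONCE_SALT constants in wp-config.php. It shows why a public action name is not enough to mint a valid nonce: the keyed hash also depends on the secret salt, the user, the session token and the time tick.

```python
import hashlib
import hmac
import math
import time

# Constructed stand-ins for the NONCE_KEY / NONCE_SALT secrets in wp-config.php
# (hypothetical values, not real secrets).
NONCE_KEY = "constructed-nonce-key-not-a-real-secret"
NONCE_SALT = "constructed-nonce-salt-not-a-real-secret"
NONCE_LIFE = 86400  # WordPress default lifetime: one day


def nonce_tick(now=None, life=NONCE_LIFE):
    """The lifetime is split into two ticks; a nonce is valid for the current and previous tick."""
    now = time.time() if now is None else now
    return math.ceil(now / (life / 2))


def wp_hash(data, key=NONCE_KEY, salt=NONCE_SALT):
    """Model of wp_hash() with the 'nonce' scheme: HMAC-MD5 keyed with NONCE_KEY + NONCE_SALT."""
    return hmac.new((key + salt).encode(), data.encode(), hashlib.md5).hexdigest()


def create_nonce(action, user_id, session_token, now=None, key=NONCE_KEY, salt=NONCE_SALT):
    """Model of wp_create_nonce(): 10 hex chars taken at offset -12 of the keyed hash."""
    tick = nonce_tick(now)
    return wp_hash(f"{tick}|{action}|{user_id}|{session_token}", key, salt)[-12:-2]


def verify_nonce(nonce, action, user_id, session_token, now=None, key=NONCE_KEY, salt=NONCE_SALT):
    """Model of wp_verify_nonce(): 1 if minted this tick, 2 if last tick, False otherwise."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{user_id}|{session_token}", key, salt)[-12:-2]
        if hmac.compare_digest(nonce, expected):
            return age
    return False


if __name__ == "__main__":
    # The $action ("save_settings") and $name are public; the server secret is not.
    real = create_nonce("save_settings", user_id=7, session_token="sess-abc")
    print("valid for the issuing user:", verify_nonce(real, "save_settings", 7, "sess-abc"))
    # Same public inputs, but hashed with a guessed key: the server rejects it.
    guessed = create_nonce("save_settings", 7, "sess-abc", key="guess", salt="guess")
    print("with a guessed secret:", verify_nonce(guessed, "save_settings", 7, "sess-abc"))
    # The nonce is also bound to the user, so it is useless in another account's session.
    print("replayed as another user:", verify_nonce(real, "save_settings", 8, "sess-xyz"))
```

Note that the secret is the only input an attacker cannot read from the plugin source, which is why the answer points to the keys in wp-config.php rather than to the action name.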
