My wordpress site sits behind Akamai, which is a cacheing service similar to Cloudflare. I make the following API call: GET /wp-json/mytheme/v1/get-posts?post_type=videos This is done using apiFetch from ‘@wordpress/api-fetch’; And it automatically includes this in the request header X-WP-Nonce: 12323423 This works fine until 24 hours later, when the nonce expires. The cache still continues … Read more
I’m trying to verify that the nonce I created exists but for some reason it keeps returning false, why is this happening? Creating my nonce: <?php wp_nonce_field(‘test_slider_action’,’test_slider_options_nonce’); ?> Verifying my nonce exists: if($_POST && wp_verify_nonce($_REQUEST[‘test_slider_options_nonce’])) echo “TEST”; if I dump my $_REQUEST I get the correct value, but if I dump my wp_verify_nonce it returns … Read more
This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center. Closed 9 years … Read more
On using inspect element to check the ‘href’ attribute of ‘Deactivate’ links for the plugins listed on plugins.php page, I found that the url contains a wpnonce field with a certain value. I need to get this value. For eg, <a href=”https://wordpress.stackexchange.com/questions/115624/plugins.php?action=deactivate&plugin=my-custom-css%2Fmy-custom-css.php&plugin_status=all&paged=1&s&_wpnonce=08a2b0d940″ title=”Deactivate this plugin”>Deactivate</a> How do I get this value ’08a2b0d940′ as in the … Read more
Here’s an interesting experiment: Go to wordpress plugins listing page, notice the activate, deactivate links all have a nonce part in the request. In a second tab, log out of the site, and go back to plugin listing page. After awhile, the page realizes it’s not logged in, and pops up a log in screen. … Read more
Goal: I want to cache the full WordPress response via NGINX and exclusively use the REST API for the user specific parts. Issue: I can’t get an authenticated nonce to use against the API. My plan was to expose a rest endpoint that returns a valid nonce shown below: add_action( ‘rest_api_init’, function () { register_rest_route( … Read more
Alright, so let’s say you develop a website where you enqueue a js script on a page X of your frontend, using: wp_enqueue_script( ‘script_handle’, PATH_TO_SCRIPT, array(), ‘1.0.0’, true ); Inside this script, you use a simple AJAX request. You then use the nonce feature of wordpress to have what is stated as a safer AJAX … Read more
I have my wp-admin section forced to HTTPS via a plugin. I also have specific pages that are using https on the frontend (login, billing, etc.) I seem to be having an issue with HTTP pages using AJAX to HTTPS for admin-ajax.php the nonce fails. Is it possible to use HTTP nonce with HTTPS nonce? … Read more
W3C says there is a new attribute in HTML5.1 called nonce for style and script that can be used by the Content Security Policy of a website. I googled about it but finally didn’t get it what actually this attribute does and what changes when using it? 1 Answer 1
I am using a plugin which makes its code publicly available. Therefore, anyone can see the $action and $name parameters used to generate the nonces. Does this make my site more vulnerable since this reduces the added security provided by these parameters? Should I thus replace these parameters with my own values for them? Thanks. … Read more
