I have a log out link in the main header menu, when you click on the link to log out, you are redirected to the page asking if you really want to log out. I know it’s doing this because there is no nonce in the menu URL. My question is: is it even possible … Read more
Is wp_nonce_field vulnerable if you know the action name? I am actually adding a hidden field with name = the name of the action name in my form so that my plugin can identify it. I want to know if there’s security issues if I am making my action name “visible”? edit: I am actually … Read more
I would like to understand the best practices regarding nonce validation in REST APIs. I see a lot of people talking about wp_rest nonce for REST requests. But upon looking on WordPress core code, I saw that wp_rest is just a nonce to validate a logged in user status, if it’s not present, it just … Read more
I want to use check_ajax_referer() to verify a WP_nonce field using AJAX. Here you can find my html element. <input type=”hidden” name=”login_nonce” value=”<?= wp_create_nonce(‘login_nonce’); ?>”/> Using jQuery I’m sending all the values from input fields to a POST request: request = $.ajax({ type: ‘POST’, url: ‘handle-login.php’, data: { user: $(‘input[name=”login_username”]’).val(), pass: $(‘input[name=”login_password”]’).val(), security: $(‘input[name=”login_nonce”]’).val() }, … Read more
I formerly had the JSON API and JSON USER API plugins working before 4.7 and I have seen the documentation at the ReST API User reference, https://developer.wordpress.org/rest-api/reference/users/#create-a-user%20%22ReST%20API%20reference but I don’t know how to get started. I’m sure there is an authentication procedure that must happen first to get a nonce, but I don’t know how … Read more
It’s clear that form submissions and AJAX requests, especially sensible ones, need “nonces” to avoid certain exploits. However, with heavy use of caching systems it becomes harder to generate them and output fresh nonces instead of cached ones. To solve the problem I thought about creating an AJAX function that returns a fresh nonce, to … Read more
I am trying to understand how WordPress nonces work in terms of security. nonce stands for a number used once, but according to WordPress, it can be valid for up to 24 hours, which makes no sense. It could be used 9999 times during this period (by same client). I thought that a WordPress nonce … Read more
I am aware of the fact that we can alter nonce life time using filter , 30 seconds here: add_filter( ‘nonce_life’, function () { return 30; } ); I have a logout() function for my rest api .I wish to expire a nonce that i created after successful login :$nonce = wp_create_nonce( ‘login’.$user_id ); 1 … Read more
I’ve read that nonces are meant to be for one time use only, and after an ajax request, you should issue a new nonce so with the next ajax request, a new nonce would be sent to the server. However, I just tested repeated ajax requests using the same nonce token, and for each request … Read more
We’ve got a small web application that allows users to log in (via WordPress) and remain logged in for a max 15 min session for security purposes. Because most sessions will last longer, I have a small ajax call that’s made on each click of the html document itself. The ajax call itself fires to … Read more
