When is it useful to use wp_verify_nonce

I know that wp_verify_nonce() is used to make sure that the $_POST is coming from a safe place.

I am developing a WordPress plugin which creates custom lists. In order to do that, the web site owner has to access the plugin settings by logging in to the wp-admin server.

Is it necessary to use wp_create_nonce() & wp_verify_nonce() if the form can only be accessed after wp-admin login?

1 Answer

Yes, nonces should always be used when an authenticated user is triggering an action via a GET/POST request. One of the main purposes of the nonce is to ensure that the current user actually intended to trigger this request. It prevents the security vulnerability known as Cross-Site Request Forgery (CSRF), where an attacker can trick an authenticated user into taking an action they didn’t intend to. Checking for a valid nonce prevents this, because the attacker cannot guess the nonce, so they can’t forge a form submission request and trick an admin into submitting it.

Note that the attacker doesn’t have to have access to the form itself, as your plugin presents it, in order to perform this attack. They can create their own imitation form or trigger the request in another way.
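To show the pattern the answer describes in working code, here is an added example of a plugin settings form protected the way the answer recommends; it is not code from the asker or the answerer. The plugin slug, the `ncd_*` function and option names, the `ncd_save_list` nonce action and the `ncd-settings` page slug are all assumptions chosen for the illustration; `wp_nonce_field()`, `wp_verify_nonce()`, `check_admin_referer()`, `current_user_can()` and the `admin_post_{action}` hook are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Nonce Demo (hypothetical example plugin)
*/

// Render the settings page. wp_nonce_field() emits a hidden input whose
// value is derived from the current user's session, the action name and
// a time window, so a page served to the admin is the only place it exists.
function ncd_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'ncd' ) );
    }
    ?>
    <div class="wrap">
        <h1>Custom Lists</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="ncd_save_list">
            <?php wp_nonce_field( 'ncd_save_list', 'ncd_nonce' ); ?>
            <label for="ncd_list_name">List name</label>
            <input type="text" id="ncd_list_name" name="ncd_list_name">
            <?php submit_button( 'Save list' ); ?>
        </form>
    </div>
    <?php
}

// Handle the POST sent to admin-post.php. Being logged in is not enough on
// its own: a cross-site form on another page is submitted with the admin's
// cookies attached, so the session check passes but the nonce check does not.
function ncd_handle_save_list() {
    // Authorisation: is this user allowed to perform the action at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ncd' ), '', array( 'response' => 403 ) );
    }

    // Intent: did this user actually submit our form? wp_verify_nonce()
    // returns 1 or 2 for a valid nonce (depending on its age) and false
    // otherwise. check_admin_referer( 'ncd_save_list', 'ncd_nonce' ) is the
    // one-line equivalent that calls wp_die() for you on failure.
    $nonce = isset( $_POST['ncd_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['ncd_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'ncd_save_list' ) ) {
        wp_die( esc_html__( 'Security check failed: invalid or expired nonce.', 'ncd' ), '', array( 'response' => 403 ) );
    }

    // Only after both checks pass do we touch the request data and persist it.
    $list_name = isset( $_POST['ncd_list_name'] ) ? sanitize_text_field( wp_unslash( $_POST['ncd_list_name'] ) ) : '';
    update_option( 'ncd_list_name', $list_name );

    wp_safe_redirect( add_query_arg( 'ncd_saved', '1', admin_url( 'options-general.php?page=ncd-settings' ) ) );
    exit;
}
add_action( 'admin_post_ncd_save_list', 'ncd_handle_save_list' );

add_action( 'admin_menu', function () {
    add_options_page( 'Custom Lists', 'Custom Lists', 'manage_options', 'ncd-settings', 'ncd_render_settings_page' );
} );
```

The two checks answer different questions and neither replaces the other: `current_user_can()` decides whether the user may perform the action, while the nonce confirms that the request originated from a form this site served to that user rather than from a page the answer calls an "imitation form". A nonce is also not a secret in the cryptographic sense and is reused within its time window, so it is a CSRF defence, not a substitute for the capability check or for input sanitisation.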
