wp_create_nonce( string|int $action = -1 )

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

Contents

Description Description

Parameters Parameters

$action

(string|int) (Optional) Scalar value to add context to the nonce.

Default value: -1

Top ↑

Return Return

(string) The token.

Top ↑

Source Source

File: wp-includes/pluggable.php 

	function wp_create_nonce( $action = -1 ) {
		$user = wp_get_current_user();
		$uid  = (int) $user->ID;
		if ( ! $uid ) {
			/** This filter is documented in wp-includes/pluggable.php */
			$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
		}

		$token = wp_get_session_token();
		$i     = wp_nonce_tick();

		return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	}

Expand full source code Collapse full source code View on Trac

Top ↑

Changelog Changelog

Changelog
Version Description
4.0.0 Session tokens were integrated with nonce creation
2.0.3 Introduced.

Top ↑

Top ↑

Uses Uses

Uses
Uses Description
wp-includes/user.php: wp_get_session_token()

Retrieve the current session token from the logged_in cookie.
wp-includes/pluggable.php: wp_nonce_tick()

Returns the time-dependent variable for nonce creation.
wp-includes/pluggable.php: wp_hash()

Get hash of given string.
wp-includes/pluggable.php: nonce_user_logged_out

Filters whether the user who generated the nonce is logged out.
wp-includes/pluggable.php: wp_get_current_user()

Retrieve the current user object.
wp-includes/plugin.php: apply_filters()

Calls the callback functions that have been added to a filter hook.
Show 1 more use Hide more uses

Top ↑

Used By Used By

Used By
Used By Description
wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php: WP_Privacy_Data_Removal_Requests_List_Table::column_email()

Actions column.
wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php: WP_Privacy_Data_Removal_Requests_List_Table::column_next_steps()

Next steps column.
wp-admin/includes/ajax-actions.php: wp_ajax_rest_nonce()

Ajax handler to renew the REST API nonce.
wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php: WP_Privacy_Data_Export_Requests_List_Table::column_email()

Actions column.
wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php: WP_Privacy_Data_Export_Requests_List_Table::column_next_steps()

Displays the next steps column.
wp-admin/includes/theme.php: resume_theme()

Tries to resume a single theme.
wp-admin/includes/class-wp-site-health.php: WP_Site_Health::get_test_rest_availability()

Test if the REST API is accessible.
wp-admin/includes/class-wp-site-health.php: WP_Site_Health::enqueue_scripts()

Enqueues the site health scripts.
wp-admin/includes/plugin.php: resume_plugin()

Tries to resume a single plugin.
wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php: WP_REST_Autosaves_Controller::prepare_item_for_response()

Prepares the revision for the REST response.
wp-includes/script-loader.php: wp_default_packages_inline_scripts()

Adds inline scripts required for the WordPress JavaScript packages.
wp-admin/includes/misc.php: wp_refresh_heartbeat_nonces()

Add the latest Heartbeat and REST-API nonce to the Heartbeat response.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::handle_load_themes_request()

Load themes into the theme browsing/installation UI.
wp-includes/script-loader.php: wp_localize_community_events()

Localizes community events data that needs to be passed to dashboard.js.
wp-admin/includes/ajax-actions.php: wp_ajax_install_theme()

Ajax handler for installing a theme.
wp-admin/includes/ajax-actions.php: wp_ajax_install_plugin()

Ajax handler for installing a plugin.
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::get_nonces()

Get nonces for the Customizer.
wp-includes/class-wp-customize-nav-menus.php: WP_Customize_Nav_Menus::filter_nonces()

Adds a nonce for customizing menus.
wp-includes/rest-api.php: rest_cookie_check_errors()

Checks for errors when using cookie-based authentication.
wp-admin/includes/class-wp-comments-list-table.php: WP_Comments_List_Table::handle_row_actions()

Generate and display row actions links.
wp-admin/includes/class-wp-media-list-table.php: WP_Media_List_Table::column_parent()

Handles the parent column output.
wp-includes/class-wp-customize-widgets.php: WP_Customize_Widgets::refresh_nonces()

Refreshes the nonce for widget updates.
wp-includes/customize/class-wp-customize-background-image-control.php: WP_Customize_Background_Image_Control::enqueue()

Enqueue control related scripts/styles.
wp-admin/includes/image-edit.php: wp_image_editor()

Loads the WP image-editing interface.
wp-admin/includes/misc.php: wp_refresh_post_nonces()

Check nonce expiration on the New/Edit Post screen and refresh if needed
wp-admin/includes/plugin-install.php: install_plugins_favorites_form()

Show a username form for the favorites page
wp-admin/includes/dashboard.php: _wp_dashboard_recent_comments_row()

Outputs a row for the Recent Comments widget.
wp-admin/includes/plugin.php: activate_plugin()

Attempts activation of plugin in a “sandbox” and redirects on success.
wp-admin/includes/class-wp-plugin-install-list-table.php: WP_Plugin_Install_List_Table::display_rows()
wp-admin/includes/template.php: compression_test()

Test support for compressing JavaScript from PHP
wp-admin/includes/template.php: _list_meta_row()

Outputs a single row of public meta data in the Custom Fields meta box.
wp-admin/includes/media.php: edit_form_image_editor()

Displays the image and editor in the post editor
wp-admin/includes/media.php: get_media_item()

Retrieve HTML form for modifying the image attachment.
wp-admin/includes/media.php: media_upload_form()

Outputs the legacy media upload form.
wp-admin/includes/post.php: _admin_notice_post_locked()

Outputs the HTML for the notice to say that someone else is editing or has taken over editing of this post.
wp-admin/includes/post.php: post_preview()

Saves a draft or manually autosaves for the purpose of showing a post preview.
wp-admin/includes/ajax-actions.php: wp_ajax_query_themes()

Ajax handler for getting themes from themes_api().
wp-admin/includes/ajax-actions.php: wp_ajax_replyto_comment()

Ajax handler for replying to a comment.
wp-admin/includes/revision.php: wp_prepare_revisions_for_js()

Prepare revisions for JavaScript.
wp-admin/includes/class-custom-image-header.php: Custom_Image_Header::step_1()

Display first step of custom header image page.
wp-includes/general-template.php: wp_heartbeat_settings()

Default settings for heartbeat
wp-includes/functions.php: wp_nonce_url()

Retrieve URL with nonce added to URL query.
wp-includes/functions.php: wp_nonce_field()

Retrieve or display nonce hidden field for forms.
wp-includes/media.php: wp_plupload_default_settings()

Prints default Plupload arguments.
wp-includes/media.php: wp_prepare_attachment_for_js()

Prepares an attachment post object for JS, where it is expected to be JSON-encoded and fit into an Attachment model.
wp-includes/media.php: wp_enqueue_media()

Enqueues all scripts, styles, settings, and templates necessary to use all media JS APIs.
wp-includes/customize/class-wp-customize-header-image-control.php: WP_Customize_Header_Image_Control::enqueue()
wp-includes/script-loader.php: wp_default_scripts()

Register all WordPress scripts.
Show 43 more used by Hide more used by

Top ↑

User Contributed Notes User Contributed Notes

  1. Skip to note 1 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 2You must log in to vote on the helpfulness of this note
    Contributed by Codex

    Example
    In this simple example, we create an nonce and use it as one of the GET query parameters in a URL for a link. When the user clicks the link they are directed to a page where a certain action will be performed (for example, a post might be deleted). On the target page the nonce is verified to insure that the request was valid (this user really clicked the link and really wants to perform this action).

    /*
 * Step A: Create an nonce for a link.
 * We pass it as a GET parameter.
 * The target page will perform some action based on the 'do_something' parameter.
 */
$nonce = wp_create_nonce( 'my-nonce' );
?>
<a href='myplugin.php?do_something=some_action&_wpnonce=<?php echo esc_attr( $nonce ); ?>'><?php esc_html_e( 'Do some action', 'textdomain' ); ?></a>


/*
 * Step B: This code would go in the target page.
 * We need to verify the nonce.
 */
$nonce = $_REQUEST['_wpnonce'];
if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
	// This nonce is not valid.
	die( __( 'Security check', 'textdomain' ) ); 
} else {
	// The nonce was valid.
	// Do stuff here.
}

    Expand full source codeCollapse full source code

    In the above example we simply called our nonce my-nonce. It is best to choose a name for the nonce that is specific to the action. For example, if we were to create an nonce that would be part of a request to delete a post, we might call it delete_post. Then to make it more specific, we could append the ID of the particular post that the nonce was for. For example delete_post-5 for the post with ID 5.

    wp_create_nonce( 'delete_post-' . $post_id );

    Then we would verify the nonce like this:

    wp_verify_nonce( $nonce, "delete_post-{$_REQUEST['post_id']}" );

    In general, it is best to make the name for the action as specific as possible.

You must log in before being able to contribute a note or feedback.