check_admin_referer() WordPress Function

The check_admin_referer() function is a security measure that helps to prevent cross-site request forgery (CSRF) attacks. This function checks the nonce (number used once) value in the current HTTP request against the nonce value that was stored in the user's session. If the two values match, then the request is considered to be valid and the function returns true. Otherwise, the function returns false and an error message is displayed.

check_admin_referer( int|string $action = -1, string $query_arg = '_wpnonce' )

Ensures intent by verifying that a user was referred from another admin page with the correct security nonce.


Description

This function ensures the user intends to perform a given action, which helps protect against clickjacking style attacks. It verifies intent, not authorisation, therefore it does not verify the user’s capabilities. This should be performed with current_user_can() or similar.

If the nonce value is invalid, the function will exit with an "Are You Sure?" style message.
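The following is an added example (not code from the WordPress source or from this reference page) showing the two halves of the pattern the description asks for: a form that carries a nonce for a specific action, and a handler that first calls check_admin_referer() to verify intent and then current_user_can() to verify authorisation. The nonce action name 'myplugin_save_settings', the option name 'myplugin_settings' and the myplugin_* function names are assumptions chosen for the example.

```php
<?php
// Added example, not part of WordPress core or this page.
// Assumed names: 'myplugin_save_settings' (nonce action), 'myplugin_settings' (option),
// and the myplugin_* functions.

// 1. Render the form. wp_nonce_field() emits a hidden '_wpnonce' input bound to the
//    action string (plus a '_wp_http_referer' field), which is what
//    check_admin_referer() later reads from $_REQUEST['_wpnonce'].
function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You do not have permission to view this page.' ), 403 );
    }
    $settings = get_option( 'myplugin_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_settings' ); ?>
        <input type="hidden" name="action" value="myplugin_save_settings">
        <label for="myplugin_api_host">API host</label>
        <input type="text" id="myplugin_api_host" name="myplugin_api_host"
               value="<?php echo esc_attr( $settings['api_host'] ?? '' ); ?>">
        <?php submit_button( __( 'Save' ) ); ?>
    </form>
    <?php
}

// 2. Handle the POST. Intent first, authorisation second: check_admin_referer()
//    dies with the "Are you sure?" screen on a missing, expired or wrong-action
//    nonce, so everything below it only runs for a request that really came from
//    the form above. It says nothing about who the user is, hence the capability
//    check that follows.
function myplugin_handle_save_settings() {
    check_admin_referer( 'myplugin_save_settings' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You do not have permission to change these settings.' ), 403 );
    }

    $host = isset( $_POST['myplugin_api_host'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_api_host'] ) )
        : '';
    update_option( 'myplugin_settings', array( 'api_host' => $host ) );

    // Send the user back to the admin page they came from (or the dashboard).
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_save_settings' );
```

Note the action string passed to wp_nonce_field() and check_admin_referer() must be identical; a nonce generated for one action does not verify for another, which is what stops a token leaked from one form being replayed against a different handler.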



Parameters

$action

(int|string) (Optional) The nonce action.

Default value: -1

$query_arg

(string) (Optional) Key to check for the nonce in $_REQUEST.

Default value: '_wpnonce'



Return

(int|false) 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.



More Information

  • Using the function without the $action argument is obsolete and, as of Version 3.2, if WP_DEBUG is set to true, the function will die with an appropriate message (“You should specify a nonce action to be verified by using the first parameter.” is the default).
  • As of 2.0.1, the referer is checked only if the $action argument is not specified (or set to the default -1), as a backward-compatibility fallback for code that does not use a nonce. A nonce is preferred to unreliable referers, and with $action specified the function behaves the same way as wp_verify_nonce() except that it dies after calling wp_nonce_ays() if the nonce is not valid or was not sent.


Source

File: wp-includes/pluggable.php

	function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
		if ( -1 === $action ) {
			_doing_it_wrong( __FUNCTION__, __( 'You should specify an action to be verified by using the first parameter.' ), '3.2.0' );
		}

		$adminurl = strtolower( admin_url() );
		$referer  = strtolower( wp_get_referer() );
		$result   = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;

		/**
		 * Fires once the admin request has been validated or not.
		 *
		 * @since 1.5.1
		 *
		 * @param string    $action The nonce action.
		 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
		 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
		 */
		do_action( 'check_admin_referer', $action, $result );

		if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
			wp_nonce_ays( $action );
			die();
		}

		return $result;
	}
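The source above fires the check_admin_referer action with the verification result before it decides whether to die. Because the die() happens immediately afterwards, that hook is the only place plugin code can observe a failed check. The following is an added example (not WordPress core code and not from this page) of a small must-use plugin that listens on that action and logs failures, so that a burst of invalid-nonce requests against admin handlers shows up in the error log. The myplugin_* function name and the log line format are assumptions.

```php
<?php
// Added example, not part of WordPress core or this page.
// Drop into wp-content/mu-plugins/ so it loads before other plugins.
// Assumed: the myplugin_* function name and the log line layout.

function myplugin_log_failed_admin_referer( $action, $result ) {
    // $result is 1 (nonce 0-12h old) or 2 (12-24h old) when valid.
    // false covers a missing, expired, or wrong-action nonce.
    if ( false !== $result ) {
        return;
    }

    // With no $action (-1), the caller falls back to a referer check, so a false
    // result there may not end the request. Tag it so the two cases can be told apart.
    $mode = ( -1 === $action ) ? 'referer-fallback' : 'nonce';

    $ip  = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';
    $uri = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) )
        : '-';

    $entry = sprintf(
        '[%s] check_admin_referer failed (%s) action=%s user=%d ip=%s uri=%s referer=%s',
        gmdate( 'c' ),
        $mode,
        (string) $action,
        get_current_user_id(),      // 0 for an unauthenticated request
        $ip,
        $uri,
        wp_get_referer() ?: '-'
    );

    // error_log() writes to the PHP error log, or to wp-content/debug.log
    // when WP_DEBUG_LOG is enabled.
    error_log( $entry );
}
add_action( 'check_admin_referer', 'myplugin_log_failed_admin_referer', 10, 2 );
```

The callback deliberately does not call wp_die() or alter the outcome: the decision stays with check_admin_referer() itself, and the hook is used only to record what happened. A single failure is usually a stale tab (nonces expire after 24 hours); many failures for the same action from one source, or failures with a missing referer on actions that only admin forms submit, are the pattern worth alerting on.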



Changelog

Version   Description
2.5.0     The $query_arg parameter was added.
1.2.0     Introduced.

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by the Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.
