check_ajax_referer() WordPress Function

The check_ajax_referer() function is used to verify that an AJAX request is valid and coming from the correct source. This function is important for security purposes, as it helps to prevent cross-site request forgery (CSRF) attacks.

check_ajax_referer( int|string $action = -1, false|string $query_arg = false, bool $die = true ) #

Verifies the Ajax request to prevent processing requests external of the blog.

Contents

Parameters

$action

(int|string)(Optional)Action nonce.

Default value: -1

$query_arg

(false|string)(Optional) Key to check for the nonce in $_REQUEST (since 2.5). If false, $_REQUEST values will be evaluated for '_ajax_nonce', and '_wpnonce' (in that order).

Default value: false

$die

(bool)(Optional) Whether to die early when the nonce cannot be verified.

Default value: true

Top ↑

Return

(int|false) 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.

Top ↑

More Information

Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can() and always assume that nonces can be compromised.

 

This function can be replaced via plugins. If plugins do not redefine these functions, then this will be used instead.

If $query_arg is not specified (i.e. defaults to false), then the function will look for the nonce in '_ajax_nonce'. If that is not set, then it will assume that the nonce is in '_wpnonce', regardless of whether that query arg actually exists.

If $die is set to true, execution of the script will be stopped if the nonce cannot be verified, and the output will be '-1'.

Top ↑

Source

File: wp-includes/pluggable.php

	function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
		if ( -1 == $action ) {
			_doing_it_wrong( __FUNCTION__, __( 'You should specify an action to be verified by using the first parameter.' ), '4.7.0' );
		}

		$nonce = '';

		if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) ) {
			$nonce = $_REQUEST[ $query_arg ];
		} elseif ( isset( $_REQUEST['_ajax_nonce'] ) ) {
			$nonce = $_REQUEST['_ajax_nonce'];
		} elseif ( isset( $_REQUEST['_wpnonce'] ) ) {
			$nonce = $_REQUEST['_wpnonce'];
		}

		$result = wp_verify_nonce( $nonce, $action );

		/**
		 * Fires once the Ajax request has been validated or not.
		 *
		 * @since 2.1.0
		 *
		 * @param string    $action The Ajax nonce action.
		 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
		 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
		 */
		do_action( 'check_ajax_referer', $action, $result );

		if ( $die && false === $result ) {
			if ( wp_doing_ajax() ) {
				wp_die( -1, 403 );
			} else {
				die( '-1' );
			}
		}

		return $result;
	}

Expand full source codeCollapse full source codeView on TracView on GitHub

Top ↑

Top ↑

Uses

Uses
UsesDescription
wp-includes/load.php:wp_doing_ajax()

Determines whether the current request is a WordPress Ajax request.

wp-includes/l10n.php:__()

Retrieve the translation of $text.

wp-includes/pluggable.php:wp_verify_nonce()

Verifies that a correct security nonce was used with time limit.

wp-includes/pluggable.php:check_ajax_referer

Fires once the Ajax request has been validated or not.

wp-includes/functions.php:_doing_it_wrong()

Mark something as being incorrectly called.

wp-includes/functions.php:wp_die()

Kills WordPress execution and displays HTML page with an error message.

wp-includes/plugin.php:do_action()

Calls the callback functions that have been added to an action hook.

Show 2 more usesHide more uses

Top ↑

Used By

Used By
Used ByDescription
wp-admin/includes/ajax-actions.php:wp_ajax_send_password_reset()

Ajax handler sends a password reset link.

wp-admin/includes/ajax-actions.php:wp_ajax_toggle_auto_updates()

Ajax handler to enable or disable plugin and theme auto-updates.

wp-admin/includes/ajax-actions.php:wp_ajax_media_create_image_subsizes()

Ajax handler for creating missing image sub-sizes for just uploaded images.

wp-admin/includes/ajax-actions.php:wp_ajax_health_check_get_sizes()

Ajax handler for site health check to get directories and database sizes.

wp-admin/includes/ajax-actions.php:wp_ajax_health_check_dotorg_communication()

Ajax handler for site health checks on server communication.

wp-admin/includes/ajax-actions.php:wp_ajax_health_check_background_updates()

Ajax handler for site health checks on background updates.

wp-admin/includes/ajax-actions.php:wp_ajax_health_check_loopback_requests()

Ajax handler for site health checks on loopback requests.

wp-admin/includes/ajax-actions.php:wp_ajax_health_check_site_status_result()

Ajax handler for site health check to update the result status.

wp-admin/includes/ajax-actions.php:wp_ajax_wp_privacy_export_personal_data()

Ajax handler for exporting a user’s personal data.

wp-admin/includes/ajax-actions.php:wp_ajax_wp_privacy_erase_personal_data()

Ajax handler for erasing personal data.

wp-includes/class-wp-customize-manager.php:WP_Customize_Manager::handle_load_themes_request()

Loads themes into the theme browsing/installation UI.

wp-includes/class-wp-customize-manager.php:WP_Customize_Manager::handle_override_changeset_lock_request()

Removes changeset lock when take over request is sent via Ajax.

wp-includes/class-wp-customize-manager.php:WP_Customize_Manager::handle_dismiss_autosave_or_lock_request()

Deletes a given auto-draft changeset or the autosave revision for a given changeset or delete changeset lock.

wp-includes/class-wp-customize-manager.php:WP_Customize_Manager::handle_changeset_trash_request()

Handles request to trash a changeset.

wp-admin/includes/ajax-actions.php:wp_ajax_get_community_events()

Handles Ajax requests for community events

wp-includes/class-wp-customize-nav-menus.php:WP_Customize_Nav_Menus::ajax_insert_auto_draft_post()

Ajax handler for adding a new auto-draft post.

wp-admin/includes/ajax-actions.php:wp_ajax_search_install_plugins()

Ajax handler for searching plugins to install.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_plugin()

Ajax handler for deleting a plugin.

wp-admin/includes/ajax-actions.php:wp_ajax_search_plugins()

Ajax handler for searching plugins.

wp-admin/includes/ajax-actions.php:wp_ajax_install_theme()

Ajax handler for installing a theme.

wp-admin/includes/ajax-actions.php:wp_ajax_update_theme()

Ajax handler for updating a theme.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_theme()

Ajax handler for deleting a theme.

wp-admin/includes/ajax-actions.php:wp_ajax_install_plugin()

Ajax handler for installing a plugin.

wp-admin/includes/ajax-actions.php:wp_ajax_get_post_thumbnail_html()

Ajax handler for retrieving HTML for the featured image.

wp-admin/includes/ajax-actions.php:wp_ajax_save_wporg_username()

Ajax handler for saving the user’s WordPress.org username.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_inactive_widgets()

Ajax handler for removing inactive widgets.

wp-includes/class-wp-customize-nav-menus.php:WP_Customize_Nav_Menus::ajax_load_available_items()

Ajax handler for loading available menu items.

wp-includes/class-wp-customize-nav-menus.php:WP_Customize_Nav_Menus::ajax_search_available_items()

Ajax handler for searching available menu items.

wp-admin/includes/ajax-actions.php:wp_ajax_crop_image()

Ajax handler for cropping an image.

wp-admin/includes/ajax-actions.php:wp_ajax_update_plugin()

Ajax handler for updating a plugin.

wp-admin/includes/class-custom-background.php:Custom_Background::ajax_background_add()

Ajax handler for adding custom background context to an attachment.

wp-admin/includes/ajax-actions.php:wp_ajax_save_attachment_order()

Ajax handler for saving the attachment order.

wp-admin/includes/ajax-actions.php:wp_ajax_send_attachment_to_editor()

Ajax handler for sending an attachment to the editor.

wp-admin/includes/ajax-actions.php:wp_ajax_send_link_to_editor()

Ajax handler for sending a link to the editor.

wp-admin/includes/ajax-actions.php:wp_ajax_save_user_color_scheme()

Ajax handler for auto-saving the selected color scheme for a user’s own profile.

wp-admin/includes/ajax-actions.php:wp_ajax_save_widget()

Ajax handler for saving a widget.

wp-admin/includes/ajax-actions.php:wp_ajax_upload_attachment()

Ajax handler for uploading attachments

wp-admin/includes/ajax-actions.php:wp_ajax_image_editor()

Ajax handler for image editing.

wp-admin/includes/ajax-actions.php:wp_ajax_set_post_thumbnail()

Ajax handler for setting the featured image.

wp-admin/includes/ajax-actions.php:wp_ajax_wp_fullscreen_save_post()

Ajax handler for saving posts from the fullscreen editor.

wp-admin/includes/ajax-actions.php:wp_ajax_wp_remove_post_lock()

Ajax handler for removing a post lock.

wp-admin/includes/ajax-actions.php:wp_ajax_save_attachment()

Ajax handler for updating attachment attributes.

wp-admin/includes/ajax-actions.php:wp_ajax_save_attachment_compat()

Ajax handler for saving backward compatible attachment attributes.

wp-admin/includes/ajax-actions.php:wp_ajax_add_menu_item()

Ajax handler for adding a menu item.

wp-admin/includes/ajax-actions.php:wp_ajax_add_meta()

Ajax handler for adding meta.

wp-admin/includes/ajax-actions.php:wp_ajax_add_user()

Ajax handler for adding a user.

wp-admin/includes/ajax-actions.php:wp_ajax_closed_postboxes()

Ajax handler for closed post boxes.

wp-admin/includes/ajax-actions.php:wp_ajax_hidden_columns()

Ajax handler for hidden columns.

wp-admin/includes/ajax-actions.php:wp_ajax_update_welcome_panel()

Ajax handler for updating whether to display the welcome panel.

wp-admin/includes/ajax-actions.php:wp_ajax_wp_link_ajax()

Ajax handler for internal linking.

wp-admin/includes/ajax-actions.php:wp_ajax_menu_locations_save()

Ajax handler for menu locations save.

wp-admin/includes/ajax-actions.php:wp_ajax_meta_box_order()

Ajax handler for saving the meta box order.

wp-admin/includes/ajax-actions.php:wp_ajax_get_permalink()

Ajax handler to retrieve a permalink.

wp-admin/includes/ajax-actions.php:wp_ajax_sample_permalink()

Ajax handler to retrieve a sample permalink.

wp-admin/includes/ajax-actions.php:wp_ajax_inline_save()

Ajax handler for Quick Edit saving a post from a list table.

wp-admin/includes/ajax-actions.php:wp_ajax_inline_save_tax()

Ajax handler for quick edit saving for a term.

wp-admin/includes/ajax-actions.php:wp_ajax_find_posts()

Ajax handler for querying posts for the Find Posts modal.

wp-admin/includes/ajax-actions.php:wp_ajax_widgets_order()

Ajax handler for saving the widgets order.

wp-admin/includes/ajax-actions.php:_wp_ajax_add_hierarchical_term()

Ajax handler for adding a hierarchical term.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_comment()

Ajax handler for deleting a comment.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_tag()

Ajax handler for deleting a tag.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_link()

Ajax handler for deleting a link.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_meta()

Ajax handler for deleting meta.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_post()

Ajax handler for deleting a post.

wp-admin/includes/ajax-actions.php:wp_ajax_trash_post()

Ajax handler for sending a post to the Trash.

wp-admin/includes/ajax-actions.php:wp_ajax_delete_page()

Ajax handler to delete a page.

wp-admin/includes/ajax-actions.php:wp_ajax_dim_comment()

Ajax handler to dim a comment.

wp-admin/includes/ajax-actions.php:wp_ajax_add_link_category()

Ajax handler for adding a link category.

wp-admin/includes/ajax-actions.php:wp_ajax_add_tag()

Ajax handler to add a tag.

wp-admin/includes/ajax-actions.php:wp_ajax_get_comments()

Ajax handler for getting comments.

wp-admin/includes/ajax-actions.php:wp_ajax_replyto_comment()

Ajax handler for replying to a comment.

wp-admin/includes/ajax-actions.php:wp_ajax_edit_comment()

Ajax handler for editing a comment.

wp-admin/includes/ajax-actions.php:wp_ajax_fetch_list()

Ajax handler for fetching a list table.

wp-admin/includes/ajax-actions.php:wp_ajax_wp_compression_test()

Ajax handler for compression testing.

wp-admin/includes/ajax-actions.php:wp_ajax_imgedit_preview()

Ajax handler for image editor previews.

wp-admin/includes/class-custom-image-header.php:Custom_Image_Header::ajax_header_crop()

Gets attachment uploaded by Media Manager, crops it, then saves it as a new object. Returns JSON-encoded object details.

wp-admin/includes/class-custom-image-header.php:Custom_Image_Header::ajax_header_add()

Given an attachment ID for a header image, updates its “last used” timestamp to now.

wp-admin/includes/class-custom-image-header.php:Custom_Image_Header::ajax_header_remove()

Given an attachment ID for a header image, unsets it as a user-uploaded header image for the active theme.

wp-admin/includes/class-custom-background.php:Custom_Background::wp_set_background_image()
wp-includes/class-wp-customize-manager.php:WP_Customize_Manager::save()

Handles customize_save WP Ajax request to save/update a changeset.

wp-includes/class-wp-customize-manager.php:WP_Customize_Manager::setup_theme()

Starts preview and customize theme.

wp-includes/class-wp-customize-widgets.php:WP_Customize_Widgets::wp_ajax_update_widget()

Updates widget settings asynchronously.

Show 77 more used byHide more used by

Top ↑

Changelog

Changelog
VersionDescription
2.0.3Introduced.
Download the latest version of WordPress from https://wordpress.org/

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by theĀ Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.

Show More