wp_nonce_field() WordPress Function

The wp_nonce_field function is used to create a hidden form field with a unique nonce (number used once) value. This value is used to verify that the form submission came from the current site and not from a malicious third-party.

wp_nonce_field( int|string $action = -1, string $name = '_wpnonce', bool $referer = true, bool $echo = true ) #

Retrieve or display nonce hidden field for forms.

Contents

Description

The nonce field is used to validate that the contents of the form came from the location on the current site and not somewhere else. The nonce does not offer absolute protection, but should protect against most cases. It is very important to use nonce field in forms.

The $action and $name are optional, but if you want to have better security, it is strongly suggested to set those two parameters. It is easier to just call the function without any parameters, because validation of the nonce doesn’t require any parameters, but since crackers know what the default is it won’t be difficult for them to find a way around your nonce and cause damage.

The input name will be whatever $name value you gave. The input value will be the nonce creation value.

Top ↑

Parameters

$action

(int|string)(Optional) Action name.

Default value: -1

$name

(string)(Optional) Nonce name.

Default value: '_wpnonce'

$referer

(bool)(Optional) Whether to set the referer field for validation.

Default value: true

$echo

(bool)(Optional) Whether to display or return hidden form field.

Default value: true

Top ↑

Return

(string) Nonce field HTML markup.

Top ↑

Source

File: wp-includes/functions.php

function wp_nonce_field( $action = -1, $name = '_wpnonce', $referer = true, $echo = true ) {
	$name        = esc_attr( $name );
	$nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . wp_create_nonce( $action ) . '" />';

	if ( $referer ) {
		$nonce_field .= wp_referer_field( false );
	}

	if ( $echo ) {
		echo $nonce_field;
	}

	return $nonce_field;
}

Expand full source codeCollapse full source codeView on TracView on GitHub

Top ↑

Top ↑

Uses

Uses
UsesDescription
wp-includes/formatting.php:esc_attr()

Escaping for HTML attributes.

wp-includes/pluggable.php:wp_create_nonce()

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

wp-includes/functions.php:wp_referer_field()

Retrieve or display referer hidden field for forms.

Top ↑

Used By

Used By
Used ByDescription
wp-admin/includes/post.php:the_block_editor_meta_boxes()

Renders the meta boxes forms.

wp-admin/includes/post.php:the_block_editor_meta_box_post_form_hidden_fields()

Renders the hidden form required for the meta boxes form.

wp-admin/includes/network.php:network_step1()

Prints step 1 for Network installation process.

wp-admin/includes/class-wp-screen.php:WP_Screen::render_screen_options()

Render the screen options tab.

wp-admin/includes/theme-install.php:install_themes_upload()
wp-admin/includes/class-wp-list-table.php:WP_List_Table::display_tablenav()

Generates the table navigation above or below the table

wp-admin/includes/misc.php:admin_color_scheme_picker()

Displays the default admin color scheme picker (Used in user-edit.php).

wp-admin/includes/class-wp-theme-install-list-table.php:WP_Theme_Install_List_Table::display()

Displays the theme install table.

wp-admin/includes/plugin-install.php:install_plugins_upload()

Displays a form to upload plugins from zip files.

wp-admin/includes/dashboard.php:_wp_dashboard_control_callback()

Outputs controls for the current dashboard widget.

wp-admin/includes/dashboard.php:wp_dashboard()

Displays the dashboard.

wp-admin/includes/dashboard.php:wp_dashboard_quick_press()

The Quick Draft widget display and creation of drafts.

wp-admin/includes/plugin.php:settings_fields()

Outputs nonce, action, and option_page fields for a settings page.

wp-admin/includes/template.php:find_posts_div()

Outputs the modal window used for attaching media to posts or pages in the media-listing screen.

wp-admin/includes/template.php:wp_comment_reply()

Outputs the in-line comment reply-to form in the Comments list table.

wp-admin/includes/template.php:_list_meta_row()

Outputs a single row of public meta data in the Custom Fields meta box.

wp-admin/includes/template.php:meta_form()

Prints the form in the Custom Fields meta box.

wp-admin/includes/class-wp-themes-list-table.php:WP_Themes_List_Table::display()

Displays the themes table.

wp-admin/includes/media.php:media_upload_type_form()

Outputs the legacy media upload form for a given media type.

wp-admin/includes/media.php:media_upload_type_url_form()

Outputs the legacy media upload form for external media.

wp-admin/includes/media.php:media_upload_gallery_form()

Adds gallery form to upload iframe.

wp-admin/includes/media.php:media_upload_library_form()

Outputs the legacy media upload form for the media library.

wp-admin/includes/meta-boxes.php:post_comment_meta_box()

Displays comments for post.

wp-admin/includes/meta-boxes.php:link_categories_meta_box()

Displays link categories form fields.

wp-admin/includes/meta-boxes.php:post_categories_meta_box()

Displays post categories form fields.

wp-admin/includes/class-wp-post-comments-list-table.php:WP_Post_Comments_List_Table::display()
wp-admin/includes/class-wp-comments-list-table.php:WP_Comments_List_Table::extra_tablenav()
wp-admin/includes/class-wp-comments-list-table.php:WP_Comments_List_Table::display()

Displays the comments table.

wp-admin/includes/class-wp-terms-list-table.php:WP_Terms_List_Table::inline_edit()

Outputs the hidden row displayed when inline editing

wp-admin/includes/file.php:request_filesystem_credentials()

Displays a form to the user to request for their FTP/SSH details in order to connect to the filesystem.

wp-admin/includes/class-wp-posts-list-table.php:WP_Posts_List_Table::inline_edit()

Outputs the hidden row displayed when inline editing

wp-admin/includes/class-custom-image-header.php:Custom_Image_Header::step_1()

Display first step of custom header image page.

wp-admin/includes/class-custom-image-header.php:Custom_Image_Header::step_2()

Display second step of custom header image page.

wp-admin/includes/ms.php:confirm_delete_users()
wp-admin/update-core.php:list_core_update()

Lists available core updates.

wp-admin/update-core.php:list_plugin_updates()

Display the upgrade plugins form.

wp-admin/update-core.php:list_theme_updates()

Display the upgrade themes form.

wp-admin/update-core.php:list_translation_updates()

Display the update translations form.

wp-admin/includes/class-custom-background.php:Custom_Background::admin_page()

Display the custom background page.

wp-includes/ms-functions.php:signup_nonce_fields()

Adds a nonce field to the signup page.

wp-includes/comment-template.php:wp_comment_form_unfiltered_html_nonce()

Displays form token for unfiltered comments.

wp-includes/class-wp-editor.php:_WP_Editors::wp_link_dialog()

Dialog for internal linking.

Show 37 more used byHide more used by

Top ↑

Changelog

Changelog
VersionDescription
2.0.4Introduced.
Download the latest version of WordPress from https://wordpress.org/

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by theĀ Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.

Show More
Show More