wp_verify_nonce() WordPress Function

The wp_verify_nonce() function is a security measure that is used to verify the authenticity of a request. This function is typically used to protect against cross-site request forgery (CSRF) attacks. The wp_verify_nonce() function takes two arguments: the nonce to be verified, and the action to be checked. If the nonce is valid and the action is authorized, the function will return true. Otherwise, the function will return false.

wp_verify_nonce( string $nonce, string|int $action = -1 ) #

Verifies that a correct security nonce was used with time limit.

Contents

Description

A nonce is valid for 24 hours (by default).

Top ↑

Parameters

$nonce

(string)(Required)Nonce value that was used for verification, usually via a form field.

$action

(string|int)(Optional)Should give context to what is taking place and be the same when nonce was created.

Default value: -1

Top ↑

Return

(int|false) 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.

Top ↑

More Information

The function is used to verify the nonce sent in the current request usually accessed by the $_REQUEST PHP variable.

Nonces should never be relied on for authentication or authorization, access control. Protect your functions using current_user_can(), always assume Nonces can be compromised.

Top ↑

Source

File: wp-includes/pluggable.php

	function wp_verify_nonce( $nonce, $action = -1 ) {
		$nonce = (string) $nonce;
		$user  = wp_get_current_user();
		$uid   = (int) $user->ID;
		if ( ! $uid ) {
			/**
			 * Filters whether the user who generated the nonce is logged out.
			 *
			 * @since 3.5.0
			 *
			 * @param int    $uid    ID of the nonce-owning user.
			 * @param string $action The nonce action.
			 */
			$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
		}

		if ( empty( $nonce ) ) {
			return false;
		}

		$token = wp_get_session_token();
		$i     = wp_nonce_tick();

		// Nonce generated 0-12 hours ago.
		$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
		if ( hash_equals( $expected, $nonce ) ) {
			return 1;
		}

		// Nonce generated 12-24 hours ago.
		$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
		if ( hash_equals( $expected, $nonce ) ) {
			return 2;
		}

		/**
		 * Fires when nonce verification fails.
		 *
		 * @since 4.4.0
		 *
		 * @param string     $nonce  The invalid nonce.
		 * @param string|int $action The nonce action.
		 * @param WP_User    $user   The current user object.
		 * @param string     $token  The user's session token.
		 */
		do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

		// Invalid nonce.
		return false;
	}

Expand full source codeCollapse full source codeView on TracView on GitHub

Top ↑

Top ↑

Uses

Uses
UsesDescription
wp-includes/pluggable.php:wp_verify_nonce_failed

Fires when nonce verification fails.

wp-includes/user.php:wp_get_session_token()

Retrieves the current session token from the logged_in cookie.

wp-includes/pluggable.php:wp_nonce_tick()

Returns the time-dependent variable for nonce creation.

wp-includes/pluggable.php:wp_hash()

Get hash of given string.

wp-includes/pluggable.php:nonce_user_logged_out

Filters whether the user who generated the nonce is logged out.

wp-includes/pluggable.php:wp_get_current_user()

Retrieve the current user object.

wp-includes/plugin.php:apply_filters()

Calls the callback functions that have been added to a filter hook.

wp-includes/plugin.php:do_action()

Calls the callback functions that have been added to an action hook.

Show 3 more usesHide more uses

Top ↑

Used By

Used By
Used ByDescription
wp-includes/class-wp-recovery-mode.php:WP_Recovery_Mode::handle_exit_recovery_mode()

Handles a request to exit Recovery Mode.

wp-admin/includes/file.php:wp_edit_theme_plugin_file()

Attempts to edit a file for a theme or plugin.

wp-includes/rest-api.php:rest_cookie_check_errors()

Checks for errors when using cookie-based authentication.

wp-includes/comment.php:wp_handle_comment_submission()

Handles the submission of a comment, usually posted to wp-comments-post.php via a comment form.

wp-admin/includes/ajax-actions.php:wp_ajax_destroy_sessions()

Ajax handler for destroying multiple open sessions for a user.

wp-admin/includes/class-wp-plugin-install-list-table.php:WP_Plugin_Install_List_Table::prepare_items()
wp-admin/includes/post.php:wp_autosave()

Saves a post submitted with XHR.

wp-admin/includes/ajax-actions.php:wp_ajax_heartbeat()

Ajax handler for the Heartbeat API.

wp-admin/includes/file.php:request_filesystem_credentials()

Displays a form to the user to request for their FTP/SSH details in order to connect to the filesystem.

wp-admin/includes/class-custom-image-header.php:Custom_Image_Header::step()

Get the current step.

wp-includes/pluggable.php:check_admin_referer()

Ensures intent by verifying that a user was referred from another admin page with the correct security nonce.

wp-includes/pluggable.php:check_ajax_referer()

Verifies the Ajax request to prevent processing requests external of the blog.

wp-includes/canonical.php:redirect_canonical()

Redirects incoming links to the proper URL based on the site url.

wp-includes/revision.php:_show_post_preview()

Filters the latest content for preview from the post autosave.

wp-includes/ms-functions.php:signup_nonce_check()

Processes the signup nonce created in signup_nonce_fields().

Show 10 more used byHide more used by

Top ↑

Changelog

Changelog
VersionDescription
2.0.3Introduced.
Download the latest version of WordPress from https://wordpress.org/

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by theĀ Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.

Show More