How to secure WordPress plugins: Part 2


In the previous section about users, you learned how to check that people have authority before they can perform an operation; in doing so, you protect their blog against non-privileged users. But you also need to protect users from themselves.

Authority versus Intention

When you are logged into your WordPress install, you can click links that perform various actions, such as deleting a post, updating settings, or creating a category. Before proceeding, all these operations should verify that you are actually logged in and have sufficient permissions, using the function current_user_can(). They verify that you have authority.

Now imagine a malicious person crafting a link that would delete a post on your blog. They could not use it themselves, of course, because they have no admin account on your blog and thus no authority. But what if they trick you into clicking on this link? Because you are logged in, the action would occur, and the post would be deleted. You have authority but no intention. The malicious user has just completed a cross-site request forgery, or CSRF.

Tricking people into clicking a link to their own site is trivial. For instance, the link can be hidden with a URL shortener and shared via messaging with a compelling message such as “look at this pic, very funny”. In the age of Twitter and Facebook, CSRF attacks are flourishing.

WordPress has a built-in solution to prevent these attacks.

What is a Nonce?

In computing, a nonce, or cryptographic nonce, is the abbreviation of “number used once”. In WordPress, it is a short and apparently random string, much like a password, which is specific to the following:

  • One WordPress user
  • One action (delete, update, save and such).
  • One object (a post, a link, a plugin, a plugin setting, and such).
  • One time frame of 24 hours.

For example, the link to delete the post #43 in your WordPress blog could be something such as . When you click that link, WordPress verifies that this nonce meets all these specifications before actually deleting the post.

Most important, a nonce cannot be guessed by a malicious user, and loading a link without the correct nonce goes nowhere.

How to create and verify a nonce?

WordPress employs two different functions to create nonces: in forms, as hidden fields, or in URLs, as GET parameters. To become acquainted with nonces, you can code a useful plugin to enhance WordPress's native tag management features. This plugin identifies post tags not used in any post and enables you to either rename or delete them. Call this plugin Unused Tags and use the prefix skdi_utags.


Creating a nonce URL

To add a nonce to a URL, just like in the previous example with the link deleting a post, use the function wp_nonce_url() as follows:


The first parameter, $url, is a string containing the URL to which you want to append a nonce in the query string. The delete link in the Unused Tags plugin will be of the form, . In this URL, notice that the $action parameter could be ‘skdi_utags-delete_tag6’.

The nonce action can be any string, but to make it unique to your plugin, one action, and one object (besides the current user and the 24-hour window), it is good practice to adhere to the pattern plugin-action_object.

To sum it up, in your plugin, given a tag ID $id, the code to generate a nonce-protected URL to delete this tag will be the following:


To craft the delete link, you have used the handy function add_query_arg(), which adds to the current URL the query parameters defined in its array parameter. In other words, it adds ?skdi_action=delete&id=6, or &skdi_action=delete&id=6 if the current URL already has a query string.
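
As an added example (not code from the original article), here is one way the Unused Tags plugin could build the nonce-protected delete URL and then check both authority and intention when that link is loaded. The function names, the manage_categories capability and the admin_init hook are assumptions; wp_nonce_url(), add_query_arg(), check_admin_referer() and current_user_can() are WordPress core functions.

```php
<?php
// Added example; skdi_utags_* function names are hypothetical.

// Build the nonce-protected URL that deletes the tag with ID $id.
function skdi_utags_delete_url( $id ) {
    $id = absint( $id );

    // Appends skdi_action=delete&id=N to the current URL.
    $url = add_query_arg( array( 'skdi_action' => 'delete', 'id' => $id ) );

    // Action string follows plugin-action_object, so the nonce is only
    // valid for deleting this one tag, for this user, in the time window.
    return wp_nonce_url( $url, 'skdi_utags-delete_tag' . $id );
}

// Handle a click on the delete link.
function skdi_utags_handle_delete() {
    if ( ! isset( $_GET['skdi_action'], $_GET['id'] )
        || 'delete' !== $_GET['skdi_action'] ) {
        return; // Not our request.
    }

    // Never trust the raw query value; force a non-negative integer.
    $id = absint( $_GET['id'] );

    // Authority: may this user delete tags at all?
    // (Capability chosen for this example; adjust to your plugin.)
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_die( 'You are not allowed to delete tags.' );
    }

    // Intention: rebuild the same action string and verify the _wpnonce
    // parameter. A missing or wrong nonce stops the request here, so a
    // forged link that lacks it cannot trigger the deletion.
    check_admin_referer( 'skdi_utags-delete_tag' . $id );

    wp_delete_term( $id, 'post_tag' );

    // Drop the action parameters so a page reload does not repeat it.
    wp_safe_redirect(
        remove_query_arg( array( 'skdi_action', 'id', '_wpnonce' ) )
    );
    exit;
}
add_action( 'admin_init', 'skdi_utags_handle_delete' );
```

Because the tag ID is part of the nonce action, a nonce issued for tag 6 fails verification if the id parameter is changed to another tag.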