What is a WordPress Nonce? How Nonces Work in WordPress?

When you buy, sign up, or register through our links, we may earn a commission. Learn More ›

Understanding WordPress Nonces for Enhanced Security

In the realm of WordPress, a nonce represents a unique identifier or number that is utilized only once. This security measure is implemented within WordPress to safeguard both URLs and forms against exploitation by harmful cyber-attacks. Take, for instance, the process of moderating comments. When an action such as trashing or removing a comment is initiated, WordPress appends a nonce key directly to the URL, as demonstrated below:


Nonce Verification Process

Execution of a URL containing a nonce key triggers a verification procedure. Should this process not validate the nonce, WordPress responds by issuing a 403 Forbidden status along with a cautionary prompt, ‘Are you sure you want to do this?’.

This particular error message may surface on any screen where nonce verification is unsuccessful.

Diagnosing the ‘Are You Sure You Want to Do This?’ Error

One prevalent reason for encountering this error is the presence of a plugin or theme that has not been coded with nonce verification in mind. To resolve such an issue, users are advised to deactivate all plugins and then reactivate them sequentially to identify the problematic one. Similarly, for themes, reverting to a default theme and attempting to replicate the error can reveal whether the error was due to the previously active theme.

Nonce’s Role in WordPress Security

Nonces serve as a critical component of the security framework for WordPress operations that involve executing actions through query strings in URLs. WordPress generates these unique nonces using the NONCE_SALT and NONCE_KEY. These, along with other distinctive keys, are securely stored within the wp-config.php file and are distinct for each WordPress installation.