Wordpress - How do WordPress Nonces Work?

If you read WordPress Nonces in the Codex, they have explained it pretty fairly. Some of the key points are:

  1. Always assume nonces can be compromised.
  2. Nonces are a hash made up of numbers and letters.
  3. WordPress verifies any HTTPS request with both nonces and user cookies.

I believe point #3 is, in short, how it works with WordPress. They have mentioned to use the current_user_can() function instead of WordPress nonces.

As for the purpose, I believe it serves the basic purpose of multilayer security. Read this: Are Nonces Useless?


As you spotted correctly, WordPress does not use literal nonces, but a good-enough approximation.

The implementation problem with the literal definition of a nonce is that you need to track all the numbers you have generated, especially if they are truly random. This means storing the generated nonce in the DB, which means that there will be a DB write on every admin page refresh, which might strain the server.

WordPress's compromise is to generate the nonce as a hashed value of the current day, using a secret hash key and a user-sensitive context. This way the window of a possible attack is limited to 24 hours, and it is hard to guess the nonces. There is still a problem of interception if your site is on HTTP and you do any admin work while on a public WiFi network, but in that case your whole authentication is exposed and nonce exposure is the least of your problems.
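To make the scheme in this answer concrete, here is a small Python model of it (added illustration, not WordPress's own code). It follows the structure of wp_create_nonce()/wp_verify_nonce(): the nonce is a 10-character slice of a keyed hash over a time tick, the action name, the user id and the session token, where a tick is half the nonce lifetime, so a nonce is accepted for the current tick and the previous one and therefore lives between 12 and 24 hours. The secret key, user ids, action names and timestamps below are constructed sample values; WordPress derives the key from its salts and uses its own hash function rather than HMAC-SHA256.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60  # one day, the window mentioned in the answer


def nonce_tick(now):
    """Time bucket for a timestamp: ticks are half the lifetime long, so a
    nonce minted at the very end of a tick still survives ~12 hours."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _digest(secret, tick, action, user_id, session_token):
    # The "user-sensitive context": a nonce is bound to this user and this
    # login session, so it is worthless to another user or after logout.
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    full = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return full[-12:-2]  # 10 hex characters, like WordPress's slice


def create_nonce(secret, action, user_id, session_token, now):
    """Mint a nonce valid for `action` by `user_id` from `now` onwards."""
    return _digest(secret, nonce_tick(now), action, user_id, session_token)


def verify_nonce(secret, nonce, action, user_id, session_token, now):
    """Return 1 if the nonce was minted in the current tick, 2 if in the
    previous tick, 0 if it is invalid or expired (same as wp_verify_nonce)."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _digest(secret, t, action, user_id, session_token)
        if hmac.compare_digest(expected, nonce):  # constant-time compare
            return age
    return 0


if __name__ == "__main__":
    secret = b"constructed-secret-key"  # sample value, not a real salt
    t0 = 1_700_000_000
    n = create_nonce(secret, "delete-post_42", 1, "sess-abc", t0)
    print("now:      ", verify_nonce(secret, n, "delete-post_42", 1, "sess-abc", t0))
    print("13h later:", verify_nonce(secret, n, "delete-post_42", 1, "sess-abc", t0 + 13 * 3600))
    print("25h later:", verify_nonce(secret, n, "delete-post_42", 1, "sess-abc", t0 + 25 * 3600))
    print("other user:", verify_nonce(secret, n, "delete-post_42", 2, "sess-xyz", t0))
```

The last two checks show why the answer calls the context "user-sensitive": the same nonce fails for a different user or a different action, and it expires without any database record being written or read.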

Tags: Security, Nonce