WordPress framework, ~30 mins

Nonce Verification in WordPress - Mini Project: Build & Apply

Nonce Verification in WordPress
📖 Scenario: You are building a WordPress plugin that needs to handle form submissions securely. To reject requests that did not originate from your own form, you will use WordPress nonces. The name comes from "number used once", but a WordPress nonce is really a time-limited token tied to the current user, the user's session and a specific action name; it is not strictly single-use, and it proves intent, not permission.
🎯 Goal: Build a simple WordPress plugin that renders a form containing a nonce field, then verifies that nonce when the form is submitted so that only submissions from your own form, for the intended action, are accepted.
📋 What You'll Learn
Create a nonce field with a specific action name
Add a form that submits data via POST
Verify the nonce on form submission using the same action name
Display a success or error message based on nonce verification
💡 Why This Matters
🌍 Real World
Nonce verification is essential in WordPress plugins and themes to protect forms and state-changing actions from CSRF (Cross-Site Request Forgery), where an attacker's page tricks a logged-in user's browser into submitting a request to your site. A nonce only shows the request came from a form your site generated for that user; authorization (for example a current_user_can() check) is still needed separately.
💼 Career
Understanding nonce verification is important for WordPress developers to build secure plugins and themes that protect user data and site integrity.
1
Create a nonce field in the form
Create a function called myplugin_form that outputs a simple HTML form with method post. Inside the form, add a nonce field using wp_nonce_field with the action name myplugin_nonce_action and the nonce field name myplugin_nonce. The action name is what binds the token to this particular operation, so use a name specific to your plugin rather than a generic one.
Hint: Call wp_nonce_field( 'myplugin_nonce_action', 'myplugin_nonce' ) inside the form. It prints a hidden input named myplugin_nonce (and, by default, a hidden _wp_http_referer field); the action string must match the one you pass to wp_verify_nonce later, character for character.

2
Add a form submission handler
Create a function called myplugin_handle_form that will process the form submission. Inside it, create a variable $nonce that gets the value from $_POST['myplugin_nonce']. Because $_POST is untrusted input and WordPress adds slashes to it, read it through wp_unslash and sanitize_text_field before using it. This value will be used to verify the nonce in the next step.
Hint: Use the null coalescing operator ?? so a missing field yields an empty string instead of a PHP notice, for example $nonce = sanitize_text_field( wp_unslash( $_POST['myplugin_nonce'] ?? '' ) );

3
Verify the nonce in the form handler
Inside the myplugin_handle_form function, use wp_verify_nonce to check whether $nonce is valid for the action myplugin_nonce_action. wp_verify_nonce returns 1 if the nonce was generated in the current 12-hour tick, 2 if it was generated in the previous tick, and false otherwise; treat anything other than false as valid. If the nonce is valid, set a variable $message to 'Nonce verified successfully.'. Otherwise, set $message to 'Nonce verification failed.' and do not process the submitted data.
Hint: Use wp_verify_nonce( $nonce, 'myplugin_nonce_action' ) with exactly the same action name you used in wp_nonce_field; a mismatch in the action string makes every submission fail verification.

4
Display the form and message
Call myplugin_handle_form to process the form submission. Then call myplugin_form to display the form. After the form, if the variable $message is set, echo it inside a <p> tag, escaping it with esc_html so the output cannot inject markup.
Hint: Call the handler first to get the message, then display the form, then show the message with esc_html(). Keep the handler's verification and any capability check before any code that changes state.
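The four steps above combined into one working plugin file. This is an added example, not code from the original page; it assumes it is loaded by WordPress (so wp_nonce_field, wp_verify_nonce, wp_unslash, sanitize_text_field, esc_html, current_user_can and add_shortcode are available), and the shortcode name myplugin_nonce_demo, the text field myplugin_text and the edit_posts capability check are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: My Plugin Nonce Demo
 * Description: Added example of a nonce-protected form (not from the original page).
 */

// Step 1: render the form with a nonce field bound to a plugin-specific action.
function myplugin_form() {
    ?>
    <form method="post" action="">
        <?php
        // Action name and field name must match the ones used in verification.
        wp_nonce_field( 'myplugin_nonce_action', 'myplugin_nonce' );
        ?>
        <label for="myplugin_text">Your text</label>
        <input type="text" id="myplugin_text" name="myplugin_text" />
        <button type="submit" name="myplugin_submit">Submit</button>
    </form>
    <?php
}

// Steps 2 and 3: read the nonce from the POST body and verify it.
// Returns a message string, or an empty string when nothing was submitted.
function myplugin_handle_form() {
    // Nothing to do on a plain GET or when our form was not the one submitted.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! isset( $_POST['myplugin_submit'] ) ) {
        return '';
    }

    // ?? avoids a notice when the field is absent; wp_unslash removes the
    // slashes WordPress adds to request data; sanitize_text_field strips junk.
    $nonce = sanitize_text_field( wp_unslash( $_POST['myplugin_nonce'] ?? '' ) );

    // wp_verify_nonce() returns 1 (current 12-hour tick), 2 (previous tick)
    // or false. Anything that is not false is a valid nonce for this action.
    if ( ! wp_verify_nonce( $nonce, 'myplugin_nonce_action' ) ) {
        return 'Nonce verification failed.';
    }

    // A nonce proves intent, not permission: authorization is a separate check.
    // The edit_posts capability here is an assumption for the example.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return 'You are not allowed to do this.';
    }

    // Only now is it safe to act on the submitted data.
    $text = sanitize_text_field( wp_unslash( $_POST['myplugin_text'] ?? '' ) );
    return 'Nonce verified successfully. Received: ' . $text;
}

// Step 4: process first, then render the form, then show the message.
function myplugin_render() {
    $message = myplugin_handle_form();
    myplugin_form();
    if ( '' !== $message ) {
        // Escape on output so the message cannot inject HTML.
        echo '<p>' . esc_html( $message ) . '</p>';
    }
}

// Assumption: expose the demo through the shortcode [myplugin_nonce_demo].
// Shortcode callbacks must return their markup, so capture the echoed output.
function myplugin_shortcode() {
    ob_start();
    myplugin_render();
    return ob_get_clean();
}
add_shortcode( 'myplugin_nonce_demo', 'myplugin_shortcode' );
```

To try it, place the file in wp-content/plugins/, activate it, and add [myplugin_nonce_demo] to a page. Submitting the rendered form succeeds; replaying the POST after the nonce's lifetime (up to 24 hours) or from a different user's session, or posting the same fields without the nonce, returns 'Nonce verification failed.'. Because a nonce is bound to the logged-in user, a page served to an anonymous visitor gets a nonce for user ID 0, which is why the capability check matters as well.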