• I am learning WordPress plugin development. My code is like below.

    class Admin
    {
        public function __construct()
        {
            // Meta boxes are registered on the 'add_meta_boxes' hook, which fires
            // when the post edit screen is built ('admin_menu' fires too early).
            add_action( 'add_meta_boxes', [ $this, 'news_meta_boxes' ] );
        }

        public function news_meta_boxes()
        {
            add_meta_box( 'news_settings', 'News Settings', [ $this, 'post_settings_html' ], 'news', 'normal', 'default' );
            add_meta_box( 'display_settings', 'Display Settings', [ $this, 'display_settings_html' ], 'news', 'normal', 'default' );
            add_meta_box( 'style_settings', 'Color Settings', [ $this, 'style_settings_html' ], 'news', 'normal', 'default' );
        }

        // Each callback below outputs a nonce field named 'news_nonce'.
        public function post_settings_html( $post )
        {
            wp_nonce_field( basename( __FILE__ ), 'news_nonce' );
        }

        public function display_settings_html( $post )
        {
            wp_nonce_field( basename( __FILE__ ), 'news_nonce' );
        }

        public function style_settings_html( $post )
        {
            wp_nonce_field( basename( __FILE__ ), 'news_nonce' );
        }
    }


    Should I use wp_nonce_field in every meta box callback function?

    • This topic was modified 2 years, 4 months ago by mabufoysal.
Viewing 2 replies - 1 through 2 (of 2 total)
  • You should use nonces whenever a link, form or AJAX request generates a URL that unauthorised third parties could use to send the same request. The correctly implemented nonce ensures via the WordPress cookie that these third parties cannot call up this URL.

    With the metaboxes, I think a form is used which is sent via POST. If the URL used for the file is not critical, you can do without this information. Another tip would be to see how other metaboxes do it.

    Take a look at the instructions for this, where it is described in more detail: https://codex.www.ads-software.com/WordPress_Nonces

    Moderator bcworkz (@bcworkz)

    It’s worth noting that a WP nonce is not a true nonce (Number used ONCE) as the same token can be used multiple times within a limited time frame. For usage where maximum security is important, consider implementing a true nonce scheme where the token can truly only be used once.

    In the case of metaboxes, the form they appear in should be sending and verifying its own nonce, so repeating a similar process in a metabox is redundant. But if it’s unclear if this is happening, there’s no harm in being redundant when it comes to security.

    Additionally, if your metabox should save its data under a request separate from the main form (such as via Ajax), then you must include your own nonce in the request.
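    As an added illustration (not code from this thread or from the poster's plugin), here is the pattern the replies describe: one nonce field in the edit form, a save handler that verifies it and then checks the user's capability before writing, and a separate Ajax path that carries its own nonce. The hook suffixes, meta key and field names are assumed.

```php
<?php
// Added example; the 'news' post type, '_news_subtitle' meta key and field names are assumed.
add_action( 'add_meta_boxes_news', function () {
    add_meta_box( 'news_settings', 'News Settings', 'news_settings_html', 'news', 'normal', 'default' );
} );

// Render: a single nonce field is enough for every box in the edit form,
// because the whole form is submitted in one POST request.
function news_settings_html( WP_Post $post ) {
    wp_nonce_field( 'news_save_settings', 'news_nonce' );
    $value = get_post_meta( $post->ID, '_news_subtitle', true );
    printf(
        '<label for="news_subtitle">Subtitle</label> <input id="news_subtitle" name="news_subtitle" type="text" value="%s">',
        esc_attr( $value )
    );
}

// Save: verify the nonce (CSRF check), then the capability (authorization), then sanitize.
add_action( 'save_post_news', function ( $post_id ) {
    // Autosaves and revisions do not carry the form's nonce field; skip them.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['news_nonce'] ) || ! wp_verify_nonce( $_POST['news_nonce'], 'news_save_settings' ) ) {
        return;
    }
    // A valid nonce only proves the request came from this user's edit form;
    // it does not prove the user may edit the post, so check that separately.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['news_subtitle'] ) ) {
        update_post_meta( $post_id, '_news_subtitle', sanitize_text_field( wp_unslash( $_POST['news_subtitle'] ) ) );
    }
} );

// Ajax save: a separate request, so it must carry and verify its own nonce.
add_action( 'wp_ajax_news_save_subtitle', function () {
    check_ajax_referer( 'news_save_settings', 'news_nonce' ); // terminates the request on failure
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_post_meta( $post_id, '_news_subtitle', sanitize_text_field( wp_unslash( $_POST['news_subtitle'] ?? '' ) ) );
    wp_send_json_success();
} );
```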

  • The topic ‘Where to use nonce’ is closed to new replies.