Nonces are an important part of WordPress security, but they are often misunderstood or misused. They are a key part of what authorizes an HTTP request to your site, and so of keeping your code secure. In this article, you’ll learn what nonces are in general, what a WordPress nonce is, which types of attacks they protect against, which they can’t protect against, and how to use them.
What Is A WordPress Nonce
Nonces are cryptographic hashes used to verify that a request was made by the right person or client. Because a nonce is built with a cryptographic hashing algorithm (MD5, SHA-1, SHA-2, etc.) over some secret data, it should be effectively impossible to forge one.
The word nonce means “number used once.” The one-time use is a key feature of the security of nonces. Even if you intercept a valid nonce, once it’s used it cannot be used again. This makes nonces useful for stopping replay attacks.
That said, WordPress nonces are not true nonces: they are valid for 12 hours from when they are created, or for whatever lifetime the “nonce_life” filter sets. This means they can technically be used more than once,
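As an added example (not code from the article or from WordPress itself), this Python model shows the scheme the article describes: an HMAC over a secret and a coarse time window, bound to an action and a user, so the same value verifies repeatedly inside its window but fails once it expires or when any input changes. The secret, the action names, the user ids, the 6-hour tick and the constructed timestamps are assumptions of this model; WordPress's own PHP implementation differs in detail.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a real site would use its own salts.
SECRET_KEY = b"example-secret-salt-constructed-for-this-example"
NONCE_LIFE = 12 * 60 * 60   # 12 hours, the validity window the article states
TICK = NONCE_LIFE // 2      # assumption of this model: two ticks cover one lifetime


def _tick(now, tick=TICK):
    # The nonce is tied to a coarse time window ("tick"), not to one request,
    # so every request in the same window for the same action/user gets the same value.
    return int(now // tick)


def _digest(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    # Only the first 10 hex characters are kept; the HMAC still binds the value
    # to the secret, so a client without SECRET_KEY cannot compute it.
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action, user_id, now=None):
    now = time.time() if now is None else now
    return _digest(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Return 1 if the nonce is from the current tick, 2 if from the previous one, else 0.

    Accepting the previous tick means a value stays valid for at least TICK and at
    most NONCE_LIFE seconds; within that window it verifies any number of times."""
    now = time.time() if now is None else now
    tick = _tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(nonce, _digest(t, action, user_id)):
            return age
    return 0


if __name__ == "__main__":
    t0 = 1_000_000_000  # constructed timestamp
    n = create_nonce("delete-post-42", user_id=7, now=t0)
    print("fresh:     ", verify_nonce(n, "delete-post-42", 7, now=t0))              # 1
    print("replayed:  ", verify_nonce(n, "delete-post-42", 7, now=t0 + 60))         # 1, reuse succeeds
    print("7h later:  ", verify_nonce(n, "delete-post-42", 7, now=t0 + 7 * 3600))   # 2, still valid
    print("13h later: ", verify_nonce(n, "delete-post-42", 7, now=t0 + 13 * 3600))  # 0, expired
    print("other user:", verify_nonce(n, "delete-post-42", 8, now=t0))              # 0
```

The "replayed" line is the article's caveat in action: a WordPress-style nonce limits the window for a replay rather than ruling one out, so it complements, not replaces, capability checks on the server.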
Source: https://managewp.org/articles/13437/what-s-a-wordpress-nonce-and-how-to-use-them
Source: https://williechiu40.wordpress.com/2016/09/21/whats-a-wordpress-nonce-and-how-to-use-them/