wp_create_nonce( string|int $action = -1 ): string

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

Contents

Parameters

$action string|int Optional
Scalar value to add context to the nonce.

Default: -1

Top ↑

Return

string The token.

Top ↑

More Information

The function should be called using the init or any subsequent action hook. Calling it outside of an action hook can lead to problems, see the ticket #14024 for details.

Top ↑

Source

File: wp-includes/pluggable.php. View all references 

function wp_create_nonce( $action = -1 ) {
	$user = wp_get_current_user();
	$uid  = (int) $user->ID;
	if ( ! $uid ) {
		/** This filter is documented in wp-includes/pluggable.php */
		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
	}

	$token = wp_get_session_token();
	$i     = wp_nonce_tick( $action );

	return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
}

View on Trac View on GitHub

Top ↑

Hooks

Top ↑

Top ↑

Uses

Uses
Uses Description
wp_get_session_token() wp-includes/user.php

Retrieves the current session token from the logged_in cookie.
wp_nonce_tick() wp-includes/pluggable.php

Returns the time-dependent variable for nonce creation.
wp_hash() wp-includes/pluggable.php

Gets hash of given string.
wp_get_current_user() wp-includes/pluggable.php

Retrieves the current user object.
apply_filters() wp-includes/plugin.php

Calls the callback functions that have been added to a filter hook.
Show 1 more use Hide more uses

Top ↑

Used By

Used By
Used By Description
wp_block_theme_activate_nonce() wp-includes/theme-previews.php

Set a JavaScript constant for theme activation.
wp_refresh_metabox_loader_nonces() wp-admin/includes/misc.php

Refresh nonces used with meta boxes in the block editor.
WP_Site_Health::wp_cron_scheduled_check() wp-admin/includes/class-wp-site-health.php

Runs the scheduled event to check and update the latest site health status for the website.
WP_Privacy_Data_Removal_Requests_List_Table::column_email() wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php

Outputs the Actions column.
WP_Privacy_Data_Removal_Requests_List_Table::column_next_steps() wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php

Outputs the Next steps column.
wp_ajax_rest_nonce() wp-admin/includes/ajax-actions.php

Handles renewing the REST API nonce via AJAX.
WP_Privacy_Data_Export_Requests_List_Table::column_email() wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php

Actions column.
WP_Privacy_Data_Export_Requests_List_Table::column_next_steps() wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php

Displays the next steps column.
resume_theme() wp-admin/includes/theme.php

Tries to resume a single theme.
WP_Site_Health::get_test_rest_availability() wp-admin/includes/class-wp-site-health.php

Tests if the REST API is accessible.
WP_Site_Health::enqueue_scripts() wp-admin/includes/class-wp-site-health.php

Enqueues the site health scripts.
resume_plugin() wp-admin/includes/plugin.php

Tries to resume a single plugin.
WP_REST_Autosaves_Controller::prepare_item_for_response() wp-includes/rest-api/endpoints/class-wp-rest-autosaves-controller.php

Prepares the revision for the REST response.
wp_default_packages_inline_scripts() wp-includes/script-loader.php

Adds inline scripts required for the WordPress JavaScript packages.
wp_refresh_heartbeat_nonces() wp-admin/includes/misc.php

Adds the latest Heartbeat and REST-API nonce to the Heartbeat response.
WP_Customize_Manager::handle_load_themes_request() wp-includes/class-wp-customize-manager.php

Loads themes into the theme browsing/installation UI.
wp_localize_community_events() wp-includes/script-loader.php

Localizes community events data that needs to be passed to dashboard.js.
wp_ajax_install_theme() wp-admin/includes/ajax-actions.php

Handles installing a theme via AJAX.
wp_ajax_install_plugin() wp-admin/includes/ajax-actions.php

Handles installing a plugin via AJAX.
WP_Customize_Manager::get_nonces() wp-includes/class-wp-customize-manager.php

Gets nonces for the Customizer.
WP_Customize_Nav_Menus::filter_nonces() wp-includes/class-wp-customize-nav-menus.php

Adds a nonce for customizing menus.
rest_cookie_check_errors() wp-includes/rest-api.php

Checks for errors when using cookie-based authentication.
WP_Comments_List_Table::handle_row_actions() wp-admin/includes/class-wp-comments-list-table.php

Generates and displays row actions links.
WP_Media_List_Table::column_parent() wp-admin/includes/class-wp-media-list-table.php

Handles the parent column output.
WP_Customize_Widgets::refresh_nonces() wp-includes/class-wp-customize-widgets.php

Refreshes the nonce for widget updates.
WP_Customize_Background_Image_Control::enqueue() wp-includes/customize/class-wp-customize-background-image-control.php

Enqueue control related scripts/styles.
wp_image_editor() wp-admin/includes/image-edit.php

Loads the WP image-editing interface.
wp_refresh_post_nonces() wp-admin/includes/misc.php

Checks nonce expiration on the New/Edit Post screen and refresh if needed.
install_plugins_favorites_form() wp-admin/includes/plugin-install.php

Shows a username form for the favorites page.
_wp_dashboard_recent_comments_row() wp-admin/includes/dashboard.php

Outputs a row for the Recent Comments widget.
activate_plugin() wp-admin/includes/plugin.php

Attempts activation of plugin in a “sandbox” and redirects on success.
WP_Plugin_Install_List_Table::display_rows() wp-admin/includes/class-wp-plugin-install-list-table.php
compression_test() wp-admin/includes/template.php

Tests support for compressing JavaScript from PHP.
_list_meta_row() wp-admin/includes/template.php

Outputs a single row of public meta data in the Custom Fields meta box.
edit_form_image_editor() wp-admin/includes/media.php

Displays the image and editor in the post editor
get_media_item() wp-admin/includes/media.php

Retrieves HTML form for modifying the image attachment.
media_upload_form() wp-admin/includes/media.php

Outputs the legacy media upload form.
_admin_notice_post_locked() wp-admin/includes/post.php

Outputs the HTML for the notice to say that someone else is editing or has taken over editing of this post.
post_preview() wp-admin/includes/post.php

Saves a draft or manually autosaves for the purpose of showing a post preview.
wp_ajax_query_themes() wp-admin/includes/ajax-actions.php

Handles getting themes from themes_api() via AJAX.
wp_ajax_replyto_comment() wp-admin/includes/ajax-actions.php

Handles replying to a comment via AJAX.
wp_prepare_revisions_for_js() wp-admin/includes/revision.php

Prepare revisions for JavaScript.
Custom_Image_Header::step_1() wp-admin/includes/class-custom-image-header.php

Displays first step of custom header image page.
wp_heartbeat_settings() wp-includes/general-template.php

Default settings for heartbeat.
wp_nonce_url() wp-includes/functions.php

Retrieves URL with nonce added to URL query.
wp_nonce_field() wp-includes/functions.php

Retrieves or display nonce hidden field for forms.
wp_plupload_default_settings() wp-includes/media.php

Prints default Plupload arguments.
wp_prepare_attachment_for_js() wp-includes/media.php

Prepares an attachment post object for JS, where it is expected to be JSON-encoded and fit into an Attachment model.
wp_enqueue_media() wp-includes/media.php

Enqueues all scripts, styles, settings, and templates necessary to use all media JS APIs.
WP_Customize_Header_Image_Control::enqueue() wp-includes/customize/class-wp-customize-header-image-control.php
wp_default_scripts() wp-includes/script-loader.php

Registers all WordPress scripts.
Show 46 more used by Hide more used by

Top ↑

Changelog

Changelog
Version Description
4.0.0 Session tokens were integrated with nonce creation.
2.0.3 Introduced.

Top ↑

User Contributed Notes

  1. Skip to note 1 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 9You must log in to vote on the helpfulness of this note
    Contributed by Codex

    Example
    In this simple example, we create an nonce and use it as one of the GET query parameters in a URL for a link. When the user clicks the link they are directed to a page where a certain action will be performed (for example, a post might be deleted). On the target page the nonce is verified to insure that the request was valid (this user really clicked the link and really wants to perform this action).

    /*
 * Step A: Create an nonce for a link.
 * We pass it as a GET parameter.
 * The target page will perform some action based on the 'do_something' parameter.
 */
$nonce = wp_create_nonce( 'my-nonce' );
?>
<a href='myplugin.php?do_something=some_action&_wpnonce=<?php echo esc_attr( $nonce ); ?>'><?php esc_html_e( 'Do some action', 'textdomain' ); ?></a>

[php]
/*
 * Step B: This code would go in the target page.
 * We need to verify the nonce.
 */
$nonce = $_REQUEST['_wpnonce'];
if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
	// This nonce is not valid.
	die( __( 'Security check', 'textdomain' ) ); 
} else {
	// The nonce was valid.
	// Do stuff here.
}

    In the above example we simply called our nonce my-nonce. It is best to choose a name for the nonce that is specific to the action. For example, if we were to create an nonce that would be part of a request to delete a post, we might call it delete_post. Then to make it more specific, we could append the ID of the particular post that the nonce was for. For example delete_post-5 for the post with ID 5.

    wp_create_nonce( 'delete_post-' . $post_id );

    Then we would verify the nonce like this:

    wp_verify_nonce( $nonce, "delete_post-{$_REQUEST['post_id']}" );

    In general, it is best to make the name for the action as specific as possible.

You must log in before being able to contribute a note or feedback.