wp_nonce_url( string $actionurl, int|string $action = -1, string $name = '_wpnonce' ): string

Retrieves URL with nonce added to URL query.

Parameters
Return
Source
Related
- Uses
- Used By
Changelog
User Contributed Notes

Parameters

$actionurl string Required: URL to add nonce action.
$action int|string Optional: Nonce action name.

Default: -1
$name string Optional: Nonce name. Default '_wpnonce'.

Default: '_wpnonce'

Top ↑

Return

string Escaped URL with nonce action added.

Top ↑

Source

File: wp-includes/functions.php. View all references

function wp_nonce_url( $actionurl, $action = -1, $name = '_wpnonce' ) {
	$actionurl = str_replace( '&amp;', '&', $actionurl );
	return esc_html( add_query_arg( $name, wp_create_nonce( $action ), $actionurl ) );
}

View on Trac View on GitHub

Top ↑

Uses
Uses	Description
wp_create_nonce() wp-includes/pluggable.php	Creates a cryptographic token tied to a specific action, user, user session, and window of time.
esc_html() wp-includes/formatting.php	Escaping for HTML blocks.
add_query_arg() wp-includes/functions.php	Retrieves a modified URL query string.

Used By

Used By
Used By	Description
core_auto_updates_settings() wp-admin/update-core.php	Display WordPress auto-updates settings.
Plugin_Installer_Skin::do_overwrite() wp-admin/includes/class-plugin-installer-skin.php	Check if the plugin can be overwritten and output the HTML for overwriting a plugin on upload.
Theme_Installer_Skin::do_overwrite() wp-admin/includes/class-theme-installer-skin.php	Check if the theme can be overwritten and output the HTML for overwriting a theme on upload.
WP_MS_Themes_List_Table::column_autoupdates() wp-admin/includes/class-wp-ms-themes-list-table.php	Handles the auto-updates column output.
WP_Privacy_Data_Removal_Requests_List_Table::column_email() wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php	Actions column.
WP_Privacy_Data_Removal_Requests_List_Table::column_next_steps() wp-admin/includes/class-wp-privacy-data-removal-requests-list-table.php	Next steps column.
WP_Privacy_Data_Export_Requests_List_Table::column_email() wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php	Actions column.
WP_Privacy_Data_Export_Requests_List_Table::column_next_steps() wp-admin/includes/class-wp-privacy-data-export-requests-list-table.php	Displays the next steps column.
wp_admin_bar_recovery_mode_menu() wp-includes/admin-bar.php	Adds a link to exit recovery mode when Recovery Mode is active.
wp_recovery_mode_nag() wp-admin/includes/update.php	Displays a notice when the user is in recovery mode.
WP_Site_Health::get_test_https_status() wp-admin/includes/class-wp-site-health.php	Tests if the site is serving content over HTTPS.
do_block_editor_incompatible_meta_box() wp-admin/includes/template.php	Renders a “fake” meta box with an information message, shown on the block editor, when an incompatible meta box is found.
wp_load_press_this() wp-admin/press-this.php
wp_ajax_delete_plugin() wp-admin/includes/ajax-actions.php	Ajax handler for deleting a plugin.
wp_ajax_delete_theme() wp-admin/includes/ajax-actions.php	Ajax handler for deleting a theme.
WP_Posts_List_Table::handle_row_actions() wp-admin/includes/class-wp-posts-list-table.php	Generates and displays row action links.
WP_Links_List_Table::handle_row_actions() wp-admin/includes/class-wp-links-list-table.php	Generates and displays row action links.
WP_MS_Themes_List_Table::column_name() wp-admin/includes/class-wp-ms-themes-list-table.php	Handles the name column output.
WP_MS_Sites_List_Table::handle_row_actions() wp-admin/includes/class-wp-ms-sites-list-table.php	Generates and displays row action links.
WP_Terms_List_Table::handle_row_actions() wp-admin/includes/class-wp-terms-list-table.php	Generates and displays row action links.
WP_MS_Users_List_Table::handle_row_actions() wp-admin/includes/class-wp-ms-users-list-table.php	Generates and displays row action links.
wp_prepare_themes_for_js() wp-admin/includes/theme.php	Prepares themes for JavaScript.
delete_theme() wp-admin/includes/theme.php	Removes a theme.
get_theme_update_available() wp-admin/includes/theme.php	Retrieves the update link if there is a theme update available.
WP_Plugins_List_Table::single_row() wp-admin/includes/class-wp-plugins-list-table.php
Theme_Upgrader_Skin::after() wp-admin/includes/class-theme-upgrader-skin.php	Action to perform following a single theme update.
Theme_Installer_Skin::after() wp-admin/includes/class-theme-installer-skin.php	Action to perform following a single theme install.
Plugin_Installer_Skin::after() wp-admin/includes/class-plugin-installer-skin.php	Action to perform following a plugin install.
Plugin_Upgrader_Skin::after() wp-admin/includes/class-plugin-upgrader-skin.php	Action to perform following a single plugin update.
WP_Upgrader_Skin::request_filesystem_credentials() wp-admin/includes/class-wp-upgrader-skin.php	Displays a form to the user to request for their FTP/SSH details in order to connect to the filesystem.
WP_Theme_Install_List_Table::install_theme_info() wp-admin/includes/class-wp-theme-install-list-table.php	Prints the info for a theme (to be used in the theme installer modal).
WP_Theme_Install_List_Table::single_row() wp-admin/includes/class-wp-theme-install-list-table.php	Prints a theme from the WordPress.org API.
wp_plugin_update_row() wp-admin/includes/update.php	Displays update information for a plugin.
wp_theme_update_row() wp-admin/includes/update.php	Displays update information for a theme.
install_plugin_install_status() wp-admin/includes/plugin-install.php	Determines the status we can perform on a plugin.
wp_dashboard_plugins_output() wp-admin/includes/deprecated.php	Display plugins text for the WordPress news widget.
delete_plugins() wp-admin/includes/plugin.php	Removes directory and files of a plugin for a list of plugins.
wp_import_upload_form() wp-admin/includes/template.php	Outputs the form used by the importers to accept the data to be imported.
WP_Themes_List_Table::display_rows() wp-admin/includes/class-wp-themes-list-table.php
WP_Users_List_Table::single_row() wp-admin/includes/class-wp-users-list-table.php	Generate HTML for a single row on the users.php admin panel.
get_media_item() wp-admin/includes/media.php	Retrieves HTML form for modifying the image attachment.
_admin_notice_post_locked() wp-admin/includes/post.php	Outputs the HTML for the notice to say that someone else is editing or has taken over editing of this post.
wp_prepare_revisions_for_js() wp-admin/includes/revision.php	Prepare revisions for JavaScript.
link_submit_meta_box() wp-admin/includes/meta-boxes.php	Displays link create form fields.
wp_link_manager_disabled_message() wp-admin/includes/bookmark.php	Outputs the ‘disabled’ message for the WordPress Link Manager.
WP_Media_List_Table::_get_row_actions() wp-admin/includes/class-wp-media-list-table.php
Walker_Nav_Menu_Edit::start_el() wp-admin/includes/class-walker-nav-menu-edit.php	Start the element output.
do_core_upgrade() wp-admin/update-core.php	Upgrade WordPress core display.
do_dismiss_core_update() wp-admin/update-core.php	Dismiss a core update.
do_undismiss_core_update() wp-admin/update-core.php	Undismiss a core update.
wp_logout_url() wp-includes/general-template.php	Retrieves the logout URL.
get_delete_post_link() wp-includes/link-template.php	Retrieves the delete posts link for post.

Show 47 more used by Hide more used by

Top ↑

Changelog
Version	Description
2.0.4	Introduced.

User Contributed Notes

Contributed by Benjamin Intal — 7 years ago

Note that wp_nonce_url escapes & to & and may cause links or redirects to become incorrect.

// Sample URL, note the & in there
$url = 'http://localhost/?arg1=value1&arg2=value2';

// This will show http://localhost/?arg1=value1&amp;amp;arg2=value2&amp;amp;_wpnonce=abcdef
echo wp_nonce_url( $url, 'action' );

// This will return http://localhost/?arg1=value1&arg2=value2&_wpnonce=abcdef
echo add_query_arg( '_wpnonce', wp_create_nonce( 'action' ), $url );

Contributed by Codex — 7 years ago

Example

Plugin authors can safely add links that perform tasks using a combination of wp_nonce_url() and admin_url().
For instance, start by creating the link users can click to do something interesting:

function my_plugin_do_something () {
?>
<h2><?php esc_html_e('My Plugin Admin Screen', 'my-plugin-textdomain');?></h2>
<p>
    <a href="<?php print wp_nonce_url(admin_url('options.php?page=my_plugin_settings'), 'doing_something', 'my_nonce');?>"
        class="button button-primary"><?php esc_html_e('Do Something!', 'my-plugin-textdomain');?></a>
    <span class="description"><?php esc_html_e('This button does something interesting.', 'my-plugin-textdomain');?></span>
</p>
<?php
}

Then, to detect when the user clicks the link, check the nonce validity using wp_verify_nonce() in the function you defined when you called add_menu_page() or one of its Administration Menus wrappers. If the nonce isn’t valid, the link wasn’t clicked, so display the link. Otherwise, do “something interesting.”

add_action('admin_menu', 'add_my_plugin_admin_screen');
function add_my_plugin_admin_screen () {
    add_options_page(
        __('My Plugin Settings', 'my-plugin-textdomain'),
        __('My Plugin', 'my-plugin-textdomain'),
        'manage_options',
        'my_plugin_settings',
        'my_plugin_do_something'
    );
}

function my_plugin_do_something () {
    if (!isset($_GET['my_nonce']) || !wp_verify_nonce($_GET['my_nonce'], 'doing_something')) {
?>
<h2><?php esc_html_e('My Plugin Admin Screen', 'my-plugin-textdomain');?></h2>
<p>
    <a href="<?php print wp_nonce_url(admin_url('options.php?page=my_plugin_settings'), 'doing_something', 'my_nonce');?>"
        class="button button-primary"><?php esc_html_e('Do Something!', 'my-plugin-textdomain');?></a>
    <span class="description"><?php esc_html_e('This button does something interesting.', 'my-plugin-textdomain');?></span>
</p>
<?php
    } else {
        // User pressed "Do Something!" button, so
        // do something interesting.
    }
}

Note that the recommended “context” parameter of the nonce is used to disambiguate which button was pressed. If you make more than one button users can press, make sure each button has a different nonce name and/or context.

You must log in before being able to contribute a note or feedback.

Developer Resources

wp_nonce_url( string $actionurl, int|string $action = -1, string $name = '_wpnonce' ): string

Contents

Parameters

Return

Source

Changelog

User Contributed Notes