WordPress Security: Use Nonce to protect themes and plugin code

Protecting the security of WordPress themes or plug-in code is crucial and can effectively prevent attacks from malicious users. We've covered before how to clean, escape, and validate form data in WordPress, and how to use VIP scanner to improve the quality of WordPress themes. Today, we will explore how Nonce (one-time digital) can help keep WordPress themes and plugins secure.

Key Points

• WordPress Nonce, or "one-time use number", is a unique security token used to enhance the security of WordPress websites by verifying user requests and preventing malicious attempts. They are particularly useful in preventing cross-site request forgery (CSRF) attacks.
• Nonce works by generating a unique token for each user session, form submission, or AJAX request. This token is then verified when processing the request, and if it does not match, the request is rejected. This makes it difficult for attackers to predict or abuse the token.
• Creating Nonce in WordPress is achieved by using the WordPress function wp_create_nonce(), which accepts a single string parameter representing the operation to be protected. Verification Nonce is done using the wp_verify_nonce() function, which accepts two parameters: the Nonce to be verified and the associated operation.
• Nonce can be used for AJAX requests in WordPress, adding an additional layer of security to prevent CSRF attacks. Nonce is also user-specific, providing an additional layer of security by ensuring that Nonce created for one user is invalid for another.

What is WordPress Nonce?

WordPress Nonce is defined as:

…A "one-time use number" to help protect URLs and forms from certain types of abuse (malicious or otherwise). http://ipnx.cn/link/c5af1dfde10402285102771ad64b3dac

While in WordPress, Nonce is not a technically number (it is a hash of letters and numbers), it does help prevent malicious users from running actions.

WordPress Nonce's work is divided into two parts:

• Create Nonce (hash value), submit it through form or action, and
• Verify Nonce, then accept form data or run the action.

For example, when you delete a post in the WordPress admin screen, you will notice that the URL contains a _wpnonce parameter:

http://ipnx.cn/link/18175d262a01ebf04bc03e38e48e3ffc

The routine to delete a post will check if post 542 has a Nonce value of a03ac85772 before deleting the post. If Nonce does not exist or does not match the expected value, the post will not be deleted.

This prevents malicious users from potentially deleting large numbers of posts. For example, the following will not work because Nonce belongs to post ID 542:

http://ipnx.cn/link/322d830da1130169fb4ca1c7543799d0 http://ipnx.cn/link/dd4143061640d55fb312dd0ce8afa76e http://ipnx.cn/link/9e0f9113b44003201076a9fade1b72d8

Now let's see how to implement WordPress Nonce in a plugin.

Set up our WordPress plugin

Let's start with a basic plugin with its own settings screen. The settings screen has a field that can be submitted and saved in the WordPress options table.

Enter the following code into a new file in wp-content/plugins/implementing-wordpress-nonces/implementing-wordpress-nonces.php:

// ... (插件代碼，與原文相同) ...

Activate the plugin via WordPress Management> plugin screen and you will see a new Nonces menu item:

Click this item and you will be taken to the settings screen, with only one field:

Enter any value, click "Save", if everything works, you will see the confirmation information and the value you just entered:

Demonstrate security vulnerability

Enter the following URL into your web browser address bar (replace the domain name with where you installed WordPress):

http://ipnx.cn/link/0e143c3bef0f7759c230664c4dc905f8

Attention what happened? The value is simply saved as abc, just directly access the URL and log in to WordPress:

While we can use $_POST in our code instead of $_REQUEST (we use $_REQUEST to demonstrate security issues more easily), this doesn't help - malicious users can still use themselves or induce you to click on the link Lets you send a POST request to this screen, resulting in a change in option values.

This is called cross-site request forgery (or CSRF). Malicious websites, emails, applications, etc. will cause the user's web browser to perform unnecessary operations.

We will now create and verify WordPress Nonce to prevent this attack from becoming possible.

Protect our plug-ins with Nonce

As mentioned earlier, this process is divided into two steps: First, we need to create a Nonce that will be submitted with our form. Second, we need to verify the Nonce when submitting the form.

To create a Nonce field in our form, we can use wp_nonce_field():

Get or show Nonce hidden form fields... Used to verify that the content of the form request comes from the current site, not elsewhere...

Add the following code above our input button:

// ... (插件代碼，與原文相同) ...

wp_nonce_field Accept four parameters-the first two are the most important:

• $action: This determines the specific operation we are running and should be unique. It is best to use the plugin name as the prefix for the operation, as there may be multiple operations running. In this case, we are saving something, so we use implementing_wordpress_nonces_save
• $name: This determines the name of the hidden field created by this function. As mentioned above, we have used the plugin name as its prefix, so we named it implementing_wordpress_nonces_nonce

If we reload the settings screen, change our value and click Save, you will notice that the value will still change. We now need to implement the checking of the submitted Nonce field, using wp_verify_nonce( $name, $action ):

Verify that Nonce is correct and has not expired relative to the specified operation. This function is used to verify the Nonce sent in the current request, usually accessed via the $_REQUEST PHP variable.

Replace the "Save Settings" part of the admin_screen() function of our plugin with the following code:

wp_nonce_field( 'implementing_wordpress_nonces_save', 'implementing_wordpress_nonces_nonce' );

This code performs the following operations:

• First, it checks if we have submitted something.
• Then it checks if our Nonce field exists and, if so, try to verify the value of Nonce based on the action we expect.
• If the check passes, update the options.
• If the check fails, we will throw a 403 error with the message "Invalid Nonce specified".

To make sure our Nonce is being created and verified, let's try again to access our "malicious" direct URL:

http://ipnx.cn/link/0e143c3bef0f7759c230664c4dc905f8.

If our Nonce is implemented and is being verified, you will see an "Invalid Nonce Specification" notification:

...(The rest is the same as the original text, but the language and expression are adjusted in detail to keep the original intention unchanged)....

The above is the detailed content of What Are WordPress Nonces?. For more information, please follow other related articles on the PHP Chinese website!