Darren Cooney

Reputation: 1060

When to use a WordPress Nonce

My WordPress plugin, Ajax Load More, currently uses a nonce variable with a call to admin-ajax.php on the front end, which helps protect URLs from certain types of misuse, malicious or otherwise.

The issue that I'm having is various caching plugins such as WP Super Cache, WP Fastest Cache and W3 Total Cache are caching the nonce variable and this is causing errors when the plugin tries to verify the nonce.

My question is, do I need the nonce verification?

The plugin is only retrieving post data using a WP_Query() and not sending anything to the DB, so it seems to me like it might be overkill.

Upvotes: 1

Views: 1372

Answers (1)

ircmaxell

Reputation: 165271

"Nonce verification" is used to protect against Cross-Site Request Forgery (CSRF) attacks. I use it in quotes since WordPress doesn't actually generate nonces (number-used-once), but instead re-uses them.

In short, it's to be sure the request came from your domain and not an attacker's. The nonce "proves" that the requester has secret information that the browser will prevent others from having.

Do you need protection? If the request does something, then yes. Meaning if you're creating or modifying anything, then you want some form of protection. The browser will protect read requests for you, so you don't need to worry about them.

For more information (a blog post I wrote).

Upvotes: 1
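To make the answer's distinction concrete, here is an added example (not code from the Ajax Load More plugin or from the answer) with two admin-ajax.php handlers: a read-only one that fetches posts with WP_Query and carries no nonce, and a state-changing one that writes to the database and is guarded with check_ajax_referer(). The action names `demo_load_posts` and `demo_save_note`, the option key `demo_note` and the script handle are placeholders invented for this illustration; the WordPress functions used are the real ones.

```php
<?php
// Added example (not from the question's plugin or the answer): two admin-ajax.php
// handlers showing where WordPress nonce verification belongs.
// The action names, the option key "demo_note" and the script handle are
// placeholders invented for this illustration.

// 1. Read-only endpoint: runs a WP_Query and changes nothing.
//    As the answer says, CSRF protection is not needed for a pure read, and
//    omitting the nonce means a page cache can safely store the markup
//    that triggers this request.
function demo_load_posts() {
    $page = isset( $_GET['page'] ) ? absint( $_GET['page'] ) : 1;

    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',   // never hand drafts/private posts to anonymous callers
        'posts_per_page' => 5,
        'paged'          => $page,
    ) );

    $items = array();
    foreach ( $query->posts as $post ) {
        $items[] = array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
            'link'  => get_permalink( $post ),
        );
    }

    wp_send_json_success( $items ); // prints JSON and exits
}
add_action( 'wp_ajax_demo_load_posts', 'demo_load_posts' );
add_action( 'wp_ajax_nopriv_demo_load_posts', 'demo_load_posts' );

// 2. State-changing endpoint: writes to the database, so it needs CSRF protection.
//    check_ajax_referer() runs wp_verify_nonce() on the 'nonce' request field and,
//    with its default $die = true, stops with a "-1" response when the check fails.
function demo_save_note() {
    check_ajax_referer( 'demo_save_note', 'nonce' );

    // The nonce shows the request originated from our own page; it says nothing
    // about whether this user may perform the action. Authorisation is separate.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'demo_note', $note );

    wp_send_json_success( array( 'saved' => $note ) );
}
add_action( 'wp_ajax_demo_save_note', 'demo_save_note' );
// Deliberately no wp_ajax_nopriv_ hook: anonymous visitors should not write here.

// 3. Hand the nonce to the front-end script. wp_create_nonce() output depends on
//    the current user's session and on a 12-hour tick, so it must be generated per
//    request; a full-page cache freezes it, which is the failure the question
//    describes. Keeping the read-only handler nonce-free avoids that entirely.
function demo_enqueue_scripts() {
    wp_enqueue_script( 'demo-notes', plugins_url( 'demo-notes.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-notes', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_note' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_scripts' );
```

The split follows the answer directly: the read-only handler relies on the browser's same-origin protections and is cache-friendly, while the write handler keeps the nonce and additionally checks a capability, because a valid nonce only proves where the request came from, not that the requester is allowed to change anything.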
