WordPress Security: Use Nonce to protect themes and plugin code
Protecting the security of WordPress themes or plug-in code is crucial and can effectively prevent attacks from malicious users. We've covered before how to clean, escape, and validate form data in WordPress, and how to use VIP scanner to improve the quality of WordPress themes. Today, we will explore how Nonce (one-time digital) can help keep WordPress themes and plugins secure.
wp_create_nonce(), which accepts a single string parameter representing the operation to be protected. Verification Nonce is done using the wp_verify_nonce() function, which accepts two parameters: the Nonce to be verified and the associated operation. WordPress Nonce is defined as:
…A "one-time use number" to help protect URLs and forms from certain types of abuse (malicious or otherwise). https://www.php.cn/link/c5af1dfde10402285102771ad64b3dac
While in WordPress, Nonce is not a technically number (it is a hash of letters and numbers), it does help prevent malicious users from running actions.
WordPress Nonce's work is divided into two parts:
For example, when you delete a post in the WordPress admin screen, you will notice that the URL contains a _wpnonce parameter:
https://www.php.cn/link/18175d262a01ebf04bc03e38e48e3ffc
The routine to delete a post will check if post 542 has a Nonce value of a03ac85772 before deleting the post. If Nonce does not exist or does not match the expected value, the post will not be deleted.
This prevents malicious users from potentially deleting large numbers of posts. For example, the following will not work because Nonce belongs to post ID 542:
https://www.php.cn/link/322d830da1130169fb4ca1c7543799d0 https://www.php.cn/link/dd4143061640d55fb312dd0ce8afa76e https://www.php.cn/link/9e0f9113b44003201076a9fade1b72d8
Now let's see how to implement WordPress Nonce in a plugin.
Let's start with a basic plugin with its own settings screen. The settings screen has a field that can be submitted and saved in the WordPress options table.
Enter the following code into a new file in wp-content/plugins/implementing-wordpress-nonces/implementing-wordpress-nonces.php:
// ... (插件代码,与原文相同) ...
Activate the plugin via WordPress Management> plugin screen and you will see a new Nonces menu item:
Click this item and you will be taken to the settings screen, with only one field:
Enter any value, click "Save", if everything works, you will see the confirmation information and the value you just entered:
Enter the following URL into your web browser address bar (replace the domain name with where you installed WordPress):
https://www.php.cn/link/0e143c3bef0f7759c230664c4dc905f8
Attention what happened? The value is simply saved as abc, just directly access the URL and log in to WordPress:
While we can use $_POST in our code instead of $_REQUEST (we use $_REQUEST to demonstrate security issues more easily), this doesn't help - malicious users can still use themselves or induce you to click on the link Lets you send a POST request to this screen, resulting in a change in option values.
This is called cross-site request forgery (or CSRF). Malicious websites, emails, applications, etc. will cause the user's web browser to perform unnecessary operations.
We will now create and verify WordPress Nonce to prevent this attack from becoming possible.
As mentioned earlier, this process is divided into two steps: First, we need to create a Nonce that will be submitted with our form. Second, we need to verify the Nonce when submitting the form.
To create a Nonce field in our form, we can use wp_nonce_field():
Get or show Nonce hidden form fields... Used to verify that the content of the form request comes from the current site, not elsewhere...
Add the following code above our input button:
// ... (插件代码,与原文相同) ...
wp_nonce_field Accept four parameters-the first two are the most important:
$action: This determines the specific operation we are running and should be unique. It is best to use the plugin name as the prefix for the operation, as there may be multiple operations running. In this case, we are saving something, so we use implementing_wordpress_nonces_save$name: This determines the name of the hidden field created by this function. As mentioned above, we have used the plugin name as its prefix, so we named it implementing_wordpress_nonces_nonce If we reload the settings screen, change our value and click Save, you will notice that the value will still change. We now need to implement the checking of the submitted Nonce field, using wp_verify_nonce( $name, $action ):
Verify that Nonce is correct and has not expired relative to the specified operation. This function is used to verify the Nonce sent in the current request, usually accessed via the
$_REQUESTPHP variable.
Replace the "Save Settings" part of the admin_screen() function of our plugin with the following code:
wp_nonce_field( 'implementing_wordpress_nonces_save', 'implementing_wordpress_nonces_nonce' );
This code performs the following operations:
To make sure our Nonce is being created and verified, let's try again to access our "malicious" direct URL:
https://www.php.cn/link/0e143c3bef0f7759c230664c4dc905f8.
>If our Nonce is implemented and is being verified, you will see an "Invalid Nonce Specification" notification:
...(The rest is the same as the original text, but the language and expression are adjusted in detail to keep the original intention unchanged)....
The above is the detailed content of What Are WordPress Nonces?. For more information, please follow other related articles on the PHP Chinese website!
How to solve the 504 error in cdn
How to insert video in html
What are the advantages and disadvantages of decentralization
Mysql import sql file error report solution
MySQL changes the storage engine method of a table
How to center div in css
What does it mean when a message has been sent but rejected by the other party?
How much is Dimensity 9000 equivalent to Snapdragon?
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
