Languages: English • 日本語 (Add your language)
Verify that a nonce is correct and unexpired with the respect to a specified action. The function is used to verify the nonce sent in the current request usually accessed by the $_REQUEST PHP variable.
Nonces should never be relied on for authentication or authorization, access control. Protect your functions using current_user_can(), always assume Nonces can be compromised.
<?php wp_verify_nonce( $nonce, $action ); ?>
Verify an nonce created with wp_create_nonce():
<?php
// Create an nonce, and add it as a query var in a link to perform an action.
$nonce = wp_create_nonce( 'my-nonce' );
echo "<a href='myplugin.php?_wpnonce={$nonce}'>Save Something</a>";
?>
.....
<?php
// In our file that handles the request, verify the nonce.
$nonce = $_REQUEST['_wpnonce'];
if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
die( 'Security check' );
} else {
// Do stuff here.
}
?>
You may also decide to take different actions based on the age of the nonce:
<?php
$nonce = wp_verify_nonce( $nonce, 'my-nonce' );
switch ( $nonce ) {
case 1:
echo 'Nonce is less than 12 hours old';
break;
case 2:
echo 'Nonce is between 12 and 24 hours old';
break;
default:
exit( 'Nonce is invalid' );
}
?>
Since: 2.0.3
wp_verify_nonce() is defined in wp-includes/pluggable.php
Nonce functions: wp_nonce_ays(), wp_nonce_field(), wp_nonce_url(), wp_verify_nonce(), wp_create_nonce(), check_admin_referer(), check_ajax_referer(), wp_referer_field()
Nonce hooks: nonce_life, nonce_user_logged_out, explain_nonce_(verb)-(noun), check_admin_referer