Generate nonce tokens for CSRF protection in WordPress
Creation
Nonces are created using wp_create_nonce() with an action string. WordPress generates a hash based on the user ID, the action, and the current tick (a 12-hour period).
Default Lifetime
WordPress nonces are valid for 24 hours by default (2 ticks). Splitting the lifetime into 12-hour ticks means a nonce created just before a tick boundary still remains valid for at least one full tick, avoiding edge cases at the boundary.
Verification
wp_verify_nonce() checks whether the nonce is valid for the current or the previous tick. It returns false if the nonce is invalid, 1 if it was generated in the current tick, and 2 if it was generated in the previous tick.
Best Practices
Always verify nonces before processing form submissions or AJAX requests. Use specific action names. Never expose nonce verification logic to users.
<input type="hidden" id="_wpnonce" name="_wpnonce" value="dv93qsecf3" /> <input type="hidden" name="_wp_http_referer" value="" />
Usage: add this HTML to your form.
Nonces ("number used once") protect against CSRF attacks.
Common Functions:
Form Field: wp_nonce_field() outputs a hidden input for forms. This is the most common method for POST submissions.
URL Parameter: wp_nonce_url() appends the nonce to a URL for GET requests and link-based actions.
AJAX Header: wp_create_nonce() generates the value for the X-WP-Nonce header in REST API and AJAX calls.
Reference Only: This tool generates example code. Real WordPress nonces must be created and verified server-side by WordPress. The tokens shown here are random examples, not actual working nonces.
1. Enter Action Name: Provide a unique identifier describing the operation (delete_post_123, update_settings, ajax_save_data).
2. Generation Code: The tool creates a PHP snippet to insert the nonce into forms, URLs, or localized scripts.
3. Verification Code: Generates wp_verify_nonce() or check_admin_referer() validation code for server-side checks.
4. Custom Field Name: Set the nonce field name (default: _wpnonce). Use custom names when several forms share the same page.
5. Security Check: Always verify the nonce before processing data. Die/exit if verification fails to prevent CSRF attacks.
Nonces are valid for 24 hours (two 12-hour ticks). They are required for all data-modifying operations. Use a unique action per operation type.
A nonce ("number used once") is a security token that prevents CSRF attacks. It verifies that form submissions, AJAX requests, and URL actions came from your site, not a malicious third party. Required for all data-modifying operations.
Nonces are valid for 24 hours by default (two 12-hour ticks). This balances security with user experience - long enough that users don't get frequent "expired nonce" errors, short enough to limit attack windows. The validity period is filterable.
wp_create_nonce() returns the value. wp_nonce_field() outputs a hidden form field. wp_nonce_url() adds nonce to a URL. All use the same underlying nonce generation - choose based on where you need it (forms, URLs, AJAX headers).
Use a unique, descriptive string identifying the operation: "delete_post_123", "update_settings", "ajax_load_more". The action ties the nonce to specific functionality. Reusing actions across different operations weakens security.
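Putting the generation and verification steps above together, as an added PHP example rather than the tool's generated snippet: a form protected by a per-post nonce, its admin-post handler, and an AJAX endpoint that receives its nonce through wp_localize_script(). The acme_ function, hook and option names are placeholders chosen for this illustration.

```php
<?php
// Added example, not the tool's generated output. The "acme_" function,
// hook and option names are placeholders chosen for this illustration.

// Render the form. wp_nonce_field() emits the _wpnonce and _wp_http_referer
// hidden inputs shown above; the post ID is baked into the action string.
function acme_render_delete_form( int $post_id ): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_delete_post">
        <input type="hidden" name="post_id" value="<?php echo (int) $post_id; ?>">
        <?php wp_nonce_field( 'delete_post_' . $post_id, '_wpnonce' ); ?>
        <?php submit_button( 'Delete' ); ?>
    </form>
    <?php
}

// Handle the POST. check_admin_referer() wraps wp_verify_nonce() and calls
// wp_die() on failure, so nothing below it runs for a forged request.
function acme_handle_delete_post(): void {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    // The action must match the one used at creation, so a nonce issued
    // for one post cannot be replayed against another.
    check_admin_referer( 'delete_post_' . $post_id, '_wpnonce' );
    // A nonce proves intent, not permission: still enforce capabilities.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    wp_trash_post( $post_id );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_acme_delete_post', 'acme_handle_delete_post' );

// AJAX variant: hand the nonce to the script via wp_localize_script(), then
// verify it with check_ajax_referer(), which dies with -1 on failure.
function acme_enqueue_script(): void {
    wp_enqueue_script( 'acme-save', plugins_url( 'acme-save.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'acme-save', 'acmeData', array( 'nonce' => wp_create_nonce( 'ajax_save_data' ) ) );
}
add_action( 'admin_enqueue_scripts', 'acme_enqueue_script' );

function acme_ajax_save_data(): void {
    check_ajax_referer( 'ajax_save_data', 'nonce' ); // reads $_REQUEST['nonce']
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'acme_saved_value', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_save_data', 'acme_ajax_save_data' );
```

The script would send the localized acmeData.nonce as the POST field named nonce; both handlers check capabilities after the nonce because a valid nonce only shows the request originated from your site for that user, not that the user is allowed to perform the action.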