
WordPress Developer Tip: AJAX Security

by Paul Robinson on 02.05.2010 | 1 comment

Using AJAX within WordPress can be difficult, mainly because of the nonce security code. This post is designed as an extension of my earlier AJAX admin page post, explaining how to use nonce codes in more detail.

A little while ago I wrote a tutorial about making an admin page for your WordPress plugin/theme that submitted its information via AJAX. Well, I’ve decided I should do another tutorial focusing on explaining the use of nonce codes when using AJAX within WordPress. It can be particularly tricky to understand at first, but once you learn how to make your code work with them instead of against them it’s a breeze.

What Security?

To stop external requests from being accepted by your AJAX function, WordPress has a built-in security system you are strongly advised to use. It works using WordPress’ nonce system. This is a numeric code generated once every 12 hours and usable for 24 hours (that means the current and previous codes will both work). For more information on how the nonce code works, read Mark Jaquith’s post on them.

How Do I Use A Nonce?

To use a nonce you first need to generate one. You can generate one for any purpose like so:

$nonce = wp_create_nonce('my-nonce');

When using it for AJAX, though, you will want to pass it along with your form information in a hidden field, which would look like this:

<input type="hidden" name="nonce" value="<?php echo wp_create_nonce('your-action-code'); ?>" />

your-action-code should be a unique text value related in some way to your plugin/theme.

Now you need to verify that nonce on the receiving side. To do that, when using AJAX, you use check_ajax_referer('your-action-code'). The text your-action-code must read exactly the same as the text in your wp_create_nonce() call. You should also tell the function where in the $_REQUEST array it can find your nonce, like this:

check_ajax_referer('your-action-code', 'nonce');
// Code to run if the AJAX request is verified

For those who don’t know what the $_REQUEST key is, it will be the same as the name attribute of the input field that contains the nonce code (so 'nonce' here matches name="nonce" above). If the nonce is correctly verified, execution continues past the call; if not, it triggers die('-1'), stopping your code dead.
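The full round trip described above (hidden nonce field, the jQuery request carrying the action, and the server-side check), as an added example that is not code from the original post. The plugin name, the 'myplugin_save' action, the 'myplugin-save-settings' nonce action and the myplugin_* function names are invented for illustration; wp_send_json_success(), wp_send_json_error() and wp_unslash() are real WordPress functions that were added after this post was written.

```php
<?php
// Added example (not from the original post). All myplugin_* names are hypothetical.

// 1. Register an options page whose form carries the nonce.
add_action( 'admin_menu', function () {
    add_options_page( 'My Plugin', 'My Plugin', 'manage_options', 'myplugin', 'myplugin_render_form' );
} );

function myplugin_render_form() {
    ?>
    <form id="myplugin-form">
        <!-- 'action' tells admin-ajax.php which wp_ajax_* handler to run -->
        <input type="hidden" name="action" value="myplugin_save" />
        <!-- the nonce field; its name attribute is the $_REQUEST key checked server-side -->
        <input type="hidden" name="nonce" value="<?php echo esc_attr( wp_create_nonce( 'myplugin-save-settings' ) ); ?>" />
        <input type="text" name="greeting" value="" />
        <button type="submit">Save</button>
    </form>
    <script>
    jQuery(function ($) {
        $('#myplugin-form').on('submit', function (e) {
            e.preventDefault();
            // ajaxurl is defined by WordPress on admin pages and points at admin-ajax.php.
            $.post(ajaxurl, $(this).serialize(), function (response) {
                // A failed nonce check comes back as the bare string "-1";
                // a success comes back as the JSON payload sent below.
                console.log(response);
            });
        });
    });
    </script>
    <?php
}

// 2. Handle the request. wp_ajax_{action} only fires for logged-in users;
//    wp_ajax_nopriv_{action} would be needed for anonymous visitors.
add_action( 'wp_ajax_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
    // The action string must match wp_create_nonce() exactly, and the second
    // argument is the $_REQUEST key (the hidden field's name attribute).
    // On failure check_ajax_referer() dies with -1 and nothing below runs.
    check_ajax_referer( 'myplugin-save-settings', 'nonce' );

    // A valid nonce only proves the request originated from a page WordPress
    // rendered for this user; it is not an authorization check, so the
    // capability still has to be verified separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $greeting = isset( $_POST['greeting'] )
        ? sanitize_text_field( wp_unslash( $_POST['greeting'] ) )
        : '';
    update_option( 'myplugin_greeting', $greeting );

    wp_send_json_success( array( 'greeting' => $greeting ) );
}
```

Two things worth checking when this does not work: that the string passed to check_ajax_referer() is byte-for-byte the one passed to wp_create_nonce() (a mismatch is the most common reason for a silent "-1"), and that the nonce was generated while the same user was logged in, since nonces are tied to the user as well as the action.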

So That’s It?

Yes, that is how you use a nonce to help with AJAX security. There are parts missing from this post, such as sending the action (so WordPress can find your AJAX function), creating your jQuery function etc., but these are all explained in my earlier AJAX admin page post. This post is just meant to explain, in more detail, the use of a nonce with AJAX should you have difficulty understanding it.

WordPress logo © WordPress · Composite image created by Lisa Marie

Written by Paul Robinson

A Web coder in languages such as CSS, X/HTML, jQuery, but mostly PHP. Addicted to Girls Aloud, Jennifer Morrison, Carah Faye Charnow, TV Show Chuck, and completely in love with Yvonne Strahovski's smile.

Discussion: 1 Comment

  1. Apr 24th, 2010 @ 08:03:29

    You’re right, it is quite hard to understand, but once you have learned it, it is very useful. Thanks for this tutorial.
