WordPress Developer Tip: AJAX Security

/ Wordpress / by Paul Robinson / 4 Comments
This post was published back on February 5, 2010 and may be outdated. Please use caution when following older tutorials or using older code. After reading be sure to check for newer procedures or updates to code.

A little while ago I wrote a tutorial about making an admin page for your WordPress plugin/theme that submitted it’s information via AJAX. Well I’ve decided I should do another tutorial focusing on explaining the use of nonce codes when using AJAX within WordPress. It can be particularly tricky to understand at first, but once you learn how to make your code work with them instead of against them it’s a breeze.

What Security?

To stop external requests from being accepted by your AJAX function WordPress has a built in security system you are strongly advised to use. It works using WordPress’ nonce system. This is a numeric code generated once every 12 hours & is only useable for 24 hours (that means the current & previous code will both work). For more information on how the nonce code works read Mark Jaquith’s post on them.

How Do I Use A Nonce?

To use a nonce you first need to generate one. You can generate one for any purpose like so:

When using it for ajax though you will want to pass it along with your form information in a hidden field, that would look like this:

your-action-code should be a unique text value related in some way to your plugin/theme.

Now you need to verify that nonce on the receiving side. To do that, when using AJAX, you use check_ajax_referer('your-action-code'). The text your-action-code should read exactly the same as the text in your wp_create_nonce(). You should also tell the function where in the $_REQUEST array it can find your nonce, like this:

For those who don’t know what the $_REQUEST array is, it will be the same as the name parameter of your input field that contains the nonce code. If you code is correctly verified it will continue past, if not it will trigger die('-1'); stopping your code dead.

So That’s It?

Yes, that is how you use a nonce to help with AJAX security. There are parts missing from this post, such as sending the action (so WordPress can find you AJAX function), creating your jQuery function etc, but these are all explained in this post. This post is just meant to explain, in more detail, the use of a nonce with AJAX should you have difficulty understanding it.

WordPress logo © WordPress · Composite image created by Lisa Marie


Author’s gravatar

Is there any point of using check_admin_referer and check_ajax_referer in the same time or
check_ajax_referer will be enough for security of plugin settings page with ajax save?

Author’s gravatar author


You could use either, but check_admin_referer checks your nonce and also checks to see if the request came from the WP admin too. check_ajax_referer just checks your nonce.

Older Comments
Newer Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

I'll keep your WordPress site up-to-date and working to its best.

Find out more