
What is: Nonce

A nonce is a number or key used once. WordPress uses nonces to protect URLs and forms from being misused by malicious requests. For example, on the comment moderation screen, when you trash or delete a comment, WordPress adds a nonce key to the URL like this:

http://www.example.com/wp-admin/comment.php?c=16570&action=deletecomment&_wpnonce=389c3b47b9

When a URL carrying a nonce key is requested, the nonce goes through a verification check. When this check fails, WordPress returns a 403 Forbidden response and the error message ‘Are you sure you want to do this?’.

The ‘Are you sure you want to do this?’ error message can appear on any screen where nonce verification fails.

The most common cause of this error is a poorly coded plugin or theme that fails to verify the nonce correctly. To fix this issue, a user can turn off all plugins and then activate them one by one to find which one is causing the error.

For themes, switching back to a default theme and then trying to reproduce the error can show whether the previously active theme was causing the issue.

Nonces provide a security check for WordPress functions and features that use query strings in the URL to perform certain actions. WordPress uses NONCE_SALT and NONCE_KEY to generate unique nonces. These nonce salts and keys, along with the other unique keys, are stored in the wp-config.php file and are unique to each WordPress site.
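To make the mechanism concrete, here is an added Python model (not WordPress's own code) of how core derives and checks a nonce: an HMAC-MD5 keyed with NONCE_KEY and NONCE_SALT over the current time bucket, the action, the user id and the session token, with verification accepting the current bucket and the previous one. The salt values, the session token and the user id are constructed for the example; the action string follows the `delete-comment_<id>` form core uses for the comment URL above.

```python
# Reimplementation of the WordPress nonce scheme for illustration only.
# nonce = characters [-12:-2] of HMAC-MD5(NONCE_KEY . NONCE_SALT,
#         "tick|action|user_id|session_token"), tick = ceil(now / (life / 2)).
import hashlib
import hmac
import math
import time

# Constructed placeholder salts; a real site keeps unique values in wp-config.php.
NONCE_KEY = "put-your-unique-phrase-here"
NONCE_SALT = "another-unique-phrase-here"
NONCE_LIFE = 24 * 60 * 60  # DAY_IN_SECONDS, the default nonce lifetime


def nonce_tick(now, nonce_life=NONCE_LIFE):
    """Time bucket index; each bucket is half the nonce lifetime wide."""
    return math.ceil(now / (nonce_life / 2))


def _nonce_hash(tick, action, user_id, token):
    data = f"{tick}|{action}|{user_id}|{token}".encode()
    key = (NONCE_KEY + NONCE_SALT).encode()
    digest = hmac.new(key, data, hashlib.md5).hexdigest()
    return digest[-12:][:10]  # last 12 hex chars, then the first 10 of those


def create_nonce(action, user_id, token, now=None):
    now = time.time() if now is None else now
    return _nonce_hash(nonce_tick(now), action, user_id, token)


def verify_nonce(nonce, action, user_id, token, now=None):
    """Return 1 (current bucket), 2 (previous bucket) or False, like wp_verify_nonce."""
    if not nonce:
        return False
    now = time.time() if now is None else now
    tick = nonce_tick(now)
    if hmac.compare_digest(_nonce_hash(tick, action, user_id, token), nonce):
        return 1  # generated 0 to 12 hours ago
    if hmac.compare_digest(_nonce_hash(tick - 1, action, user_id, token), nonce):
        return 2  # generated 12 to 24 hours ago
    return False  # expired, or bound to another action, user or session


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp so the run is reproducible
    n = create_nonce("delete-comment_16570", 1, "sess-token", now=t0)
    print("_wpnonce =", n, "verify ->", verify_nonce(n, "delete-comment_16570", 1, "sess-token", now=t0))
```

Because the digest is keyed with the site's salts and bound to the action and user, a nonce copied from another site or another action fails verification, which is what produces the 403 response described above; the two-bucket check also shows that a WordPress nonce is valid for a window of roughly 12 to 24 hours rather than literally once.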

This post was originally published in the wpbeginner glossary.
