weixin_33725722 2015-04-23 14:31 采纳率: 0%
浏览 46

何时使用WordPress Nonce

My WordPress plugin, Ajax load More currently uses a nonce variable with a call to admin-ajax.php on the front end which helps protect URLs from certain types of misuse, malicious or otherwise.

The issue that I'm having is various caching plugins such as WP Super Cache, WP Fastest Cache and W3 Total Cache are caching the nonce variable and this is causing errors when the plugin tries to verify the nonce.

My question is, do I need the nonce verification?

The plugin is only retrieving post data using a WP_query() and not sending anything to the DB so it seems to me like it might be overkill.

  • 写回答

1条回答 默认 最新

  • weixin_33747129 2015-04-23 14:37
    关注

    "Nonce verification" is used to protect against Cross-Site-Request-Forgery (CSRF) Attacks. I use it in quotes since wordpress doesn't actually generate nonces (number-used-once), but instead re-uses them.

    In short, it's to be sure the request came from your domain and not an attackers. The nonce "proves" that the requester has secret information that the browser will prevent others from having.

    Do you need protection? If the request does something, then yes. Meaning if you're creating or modifying anything, then you want some form of protection. The browser will protect read requests for you, so you don't need to worry about them.

    For more information (a blog post I wrote).

    评论

报告相同问题?