Let's chat on Twitter! twitter.com/AlexanderBYoung
@jlcdrivewayramps7343 a year ago
Simple. Clear. I can't stand tutorials which are too complex. They confuse more than help. Keep it simple and you did. Thank you.
@patrickcameron2950 4 years ago
I'm a lot closer to wrapping my head around nonces than I was before - thank you! Looking forward to digging through your other videos.
@RyanDewhurst 4 years ago
Hey! Ryan here from WPScan. Great video. Just something to note that wasn't mentioned is that Chrome and other browsers will soon be enabling "SameSite=Lax" cookies by default, which will prevent most CSRF attacks in modern web browsers, when they implement it by default. Nonces should absolutely still be used of course, but the risk of a CSRF attack should also be reduced when web browsers implement SameSite by default.
@LevyCarneiro 4 years ago
Great format with you facing diagonally. Best format I've seen for screencast videos.
@manavbudhia 4 years ago
Great to see your video after a long time.
@wassy83 4 years ago
Thank you so much!
@Pharoxx105 4 years ago
Could you explain how to use a nonce with cached form pages? I want to serve the form page from a static cache
@patrickcameron2950 4 years ago
Perhaps best to just exclude that page from caching?
@leebuckle8288 4 years ago
People in the UK reading the title like -.-
@MoserDamasceno 4 years ago
Thank you!
@rauljauregi6615 4 years ago
nice! Thank you very much
@gorangagrawal 2 years ago
How to get a nonce for headless WordPress? A custom endpoint, i.e. with the REST API? And if yes, then should we secure the nonce endpoint by checking like current_user_can(), or should we just let it be without any checks?
@amitbiswas1885 4 years ago
What happens if a user opens this form in a not-logged-in state, then logs in in another tab, returns to the first tab and submits the form? A nonce error happens. Why? How to deal with that situation?
@TheMarouuu 4 years ago
Great stuff!
@Zak_Nike14 days ago
No nonce jokes😮 I'm obviously in the wrong place
@vladtircomnicu1630 4 years ago
Super useful
@alex_ishchenko 4 years ago
Thanks!
@afflictionmarketing5303 4 years ago
I don't understand it, because the nonce field is a hidden field. Even when a bot submits the request, isset still returns true and the query gets executed. ????
@АлександрГригорий-е6о 4 years ago
Note that the nonces are unique to the current user's session, so if a user logs in or out asynchronously any nonces on the page will no longer be valid. codex.wordpress.org/WordPress_Nonces
@Draanor 4 years ago
Nonces are to stop replay attacks. They are to help ensure that a request was made from a valid source, that the request is run only once, and that the primed request can expire if the user fails to submit. Nonces are basically useless on forms that don't require user authentication.
@АлександрГригорий-е6о 4 years ago
Hello, what are you using for bundling JS?
@WPCasts 4 years ago
I actually wasn't bundling it. I was just using the browser-supported ES6 :)
@msvmanikantasrivishnu7788 4 years ago
1st like :-)
@WPCasts 4 years ago
🎉 woot!
@ReLLaKaT316 4 years ago
Noooonce
@AndrewRhyand 4 years ago
Always love how you dig deeper into WP more than the average channel! Check out the function check_ajax_referer() (developer.wordpress.org/reference/functions/check_ajax_referer/). It pretty much does what you built, but with a simple function call. It's super handy.
@muhammadfarooqi 3 years ago
It's not useful... it is very useful... :) Thanks