Check for nonces in WordPress AJAX calls

WordPress made using AJAX easier than ever. By simply hooking into one or two actions, depending on where the AJAX needs to be available, you can setup the PHP side of your AJAX. The JavaScript part isn’t much harder. With jQuery bundled in WordPress it’s easily done with one of the jQuery AJAX functions.

Check where the request is coming from

The problem with AJAX being so easy is that security is often forgotten. One of the first things you should do in your PHP function is to check where the request came from. Because AJAX calls are done by JavaScript, a client side technology, there’s always the possibility of XSS attacks. Without going too deep into XSS attacks, in this case it’s important to check if the AJAX call came from the location you intended. This can be done setting and checking a nonce. A nonce is a “number used once” to protect URLs and forms from being misused.

Creating the nonce and using it in the AJAX call

In WordPress a nonce must be created in PHP. So in order to use it in your AJAX request you have pass it from your PHP code to your JavaScript code. This can be done in several ways.

If your JavaScript code is inline, not in a separate file, you can simply print it in the JavaScript code with PHP.

If your JavaScript code is in a separate file, there are several ways of passing your nonce to it. One of them is setting your nonce in a hidden input field and fetching that input field in your JavaScript file.

Checking the nonce in PHP

Now that the nonce is created and passed through in the AJAX request we need to check it in the PHP function. In WordPress there are multiple ways of doing this but the best way to check a nonce in an AJAX callback is to use the check_ajax_referer function. The first argument of this function is the ‘action’. In my examples above I created the nonces with the action bk-ajax-nonce. The second argument is the request argument used. In my examples above I passed the nonces with the argument security. You can check the nonce of either of the above examples with the following code.

By default above function call will terminate the script if the nonce is not found or incorrect. If you wish the function to return the result of the nonce check you can add false as the third argument.

Adding and checking nonces in your WordPress AJAX calls is pretty easy and will improve security of your plugin or theme. Be sure to add them. If you have any questions or tips, please share them by leaving a comment below.

Related Posts

Powered By Related Posts for WordPress
Click Here to Learn More About Related Posts for WordPress

4 thoughts on “Check for nonces in WordPress AJAX calls

  1. Don’t you mean CSRF? Validating a nonce doesn’t do much in terms of preventing XSS. ๐Ÿ™‚

    It DOES help in disallowing requests coming from a XSS vulnerability though.

    • I did meant disallowing requests coming from a XSS vulnerability. Most important part is “itโ€™s important to check if the AJAX call came from the location you intended” which covers both CSRF and requests that came from XSS vulnerabilities.

  2. So I arrived here looking for the deets on why a nonce helps.

    I can’t comprehend how its more secure. Couldn’t anyone hijack the nonce (via dev tools) and write a similar ajax call in the console, then hammer away queries with it?

  3. Hello Barry!

    I’ve read about WordPress nonce in Ajax calls and most of the articles mention how to create and use a nonce, and they only cover nonces for plugins. How about nonces for the frontend? If ajax calls are made from a user visiting a page without any priviliges, do I go about it the same way as described here?

Leave a Reply

Your email address will not be published.