To reliably ensure only a specific user uses a link, you can utilize a “nonce” (number used once) as a query var in the link. Once the nonce is passed along with the link, it expires and cannot be used again. If someone were to share their link and it was used before the intended user, the intended user would lose their ability to use the link. A fairly strong deterrent.
WP has the wp_create_nonce() function, but the nonce it creates is not a true nonce. It can be used any number of times within 24 hours. It still serves as a deterrent, but the opportunity for fraud remains within the 24 hours. The 24 hour expiration can be changed with the “nonce_life” filter, but it still can be used any number of times. For optimal security, you should create your own nonce scheme where they really can only be used once.
If you chose to use the WP nonce scheme, verify the nonce passed in a link with wp_verify_nonce().
