Security nonce causing inability to select featured image

  • Hello,

    We have a strange and very frustrating problem involving the usage of a security nonce. An AJAX call is made within my plugin to return some post results and a security nonce is generated and sent via the call. The nonce is then verified in the AJAX callback function as per the code below. This works fine, but the problem is that when the add_action('init', 'security_nonce'); line is included in the plugin we are then unable to select featured images in any of the posts, as none of the images in the media library will display. When we comment out the line we are then able to upload and select featured images again. Furthermore, when we remove everything to do with nonces in our plugin it breaks some of the CSS includes on our site and we have no idea why. But we don't want to remove the nonce anyway for security reasons, so if anyone has any ideas as to why this might be breaking the featured image selection we would be delighted to know.

    Thanks in advance.

    <?php
    // Runs on every 'init', including admin-ajax.php requests, and echoes markup there.
    add_action('init', 'security_nonce');
    function security_nonce(){ ?>
        <script type="text/javascript">var securityNonce = <?php echo json_encode(wp_create_nonce('you can never be too careful')); ?></script>
    <?php }

    and then to verify the nonce within the callback:

    check_ajax_referer( 'you can never be too careful', 'securityCheck' );

Viewing 4 replies - 1 through 4 (of 4 total)
  • Rather than use the init action to write your JS nonce, I would suggest using wp_localize_script on your AJAX script.


    wp_enqueue_script('handle', '/my/ajax/script.js', ...)
    // wp_localize_script() JSON-encodes the values itself, so pass the raw nonce string;
    // wrapping it in json_encode() here leaves literal quotes around it and the check fails.
    wp_localize_script('handle', 'MyScriptAjax',
        array('securityNonce' => wp_create_nonce('you can never be too careful')));

    Then in the script.js pass MyScriptAjax.securityNonce to the callback.


    Thanks for that. The strange thing is whenever I remove:

    add_action('init', 'security_nonce');
    function security_nonce(){ ?>
    <script type="text/javascript">var securityNonce = <?php echo json_encode(wp_create_nonce('you can never be too careful')); ?></script>
    <?php }

    it breaks the CSS and I can't work out why. For some reason WordPress seems to need the nonce to be created using the init hook, otherwise the CSS becomes messed up. Your method works in so much as we can now add featured images, but I then have this separate issue regarding the CSS. I've never come across this before. The check_ajax_referer function isn't recognising the nonce either, but that's kind of a separate issue.

    If you are inserting other scripts into the document header directly, rather than using wp_enqueue_script, maybe a prior tag has not been closed correctly and with the addition of the init action the </script> sorts out the missing end tags. I.e. the <link … style.css> is then processed.

    Without a link to the page can’t really see what’s going on.

    Turn on WP_DEBUG, max out the PHP error reporting and check the Apache error log and/or run the page through the W3C validator.


    Output wp_localize_script() on the “wp_enqueue_scripts” action as well.
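    A complete version of the pattern the first and fourth replies describe (enqueue the script, then localize the nonce on the wp_enqueue_scripts action, and verify it with check_ajax_referer in the handler), added here as an illustration; it is not code from the thread or from the poster's plugin. The exnd_ prefix, the script handle, the nonce action string 'exnd_fetch_posts' and the POST field name 'security' are all assumptions. The reason for moving off init is that init also fires for every admin-ajax.php request, and anything echoed from an init callback is prepended to the response body, which breaks JSON consumers such as the media library's attachment query.

```php
<?php
/**
 * Plugin Name: Nonce-protected post lookup (added example, not the thread's code)
 *
 * Assumptions: the exnd_ prefix, the script handle, the nonce action
 * 'exnd_fetch_posts' and the POST field 'security' are all made up here.
 */

// Register on wp_enqueue_scripts, never on init: init also fires for
// admin-ajax.php requests, and anything echoed there corrupts the JSON reply.
add_action( 'wp_enqueue_scripts', 'exnd_enqueue_assets' );
function exnd_enqueue_assets() {
    // src=false registers a handle with no file so the client code can live inline.
    wp_register_script( 'exnd-posts', false, array( 'jquery' ), '1.0.0', true );
    wp_enqueue_script( 'exnd-posts' );

    // wp_localize_script() JSON-encodes the array itself; pass the raw nonce string.
    // Wrapping it in json_encode() would add literal quotes and the check would fail.
    wp_localize_script( 'exnd-posts', 'ExndAjax', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'exnd_fetch_posts' ),
    ) );

    // Client side: send the nonce as the 'security' field together with the action name.
    wp_add_inline_script( 'exnd-posts', <<<'JS'
jQuery(function ($) {
    $.post(ExndAjax.ajaxUrl, {
        action:   'exnd_fetch_posts',
        security: ExndAjax.nonce
    }, function (resp) {
        if (!resp.success) { console.error('request rejected', resp); return; }
        resp.data.forEach(function (p) { console.log(p.id, p.title, p.url); });
    }, 'json');
});
JS
    );
}

// Register the handler for logged-in and anonymous callers.
add_action( 'wp_ajax_exnd_fetch_posts', 'exnd_fetch_posts' );
add_action( 'wp_ajax_nopriv_exnd_fetch_posts', 'exnd_fetch_posts' );
function exnd_fetch_posts() {
    // Rejects the request with a 403 unless $_REQUEST['security'] holds a valid
    // nonce for this action. A nonce is a CSRF token, not an authorization check:
    // a handler that changes state must also call current_user_can().
    check_ajax_referer( 'exnd_fetch_posts', 'security' );

    $posts = get_posts( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => 5,
    ) );

    $out = array();
    foreach ( $posts as $p ) {
        $out[] = array(
            'id'    => $p->ID,
            'title' => get_the_title( $p ),
            'url'   => get_permalink( $p ),
        );
    }

    // Sets the JSON content type and exits, so no later output can corrupt the body.
    wp_send_json_success( $out );
}
```

    Two caveats worth knowing when debugging a nonce that "isn't recognised": the action string passed to wp_create_nonce() and check_ajax_referer() must match exactly, and nonces expire after at most 24 hours, so a full-page cache that serves an old copy of the page will hand visitors a stale nonce and every request from it will be rejected.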

  • The topic ‘Security nonce causing inability to select featured image’ is closed to new replies.