Your example code is correct as far as it goes. Something else is amiss if your code is not working. If you don’t mind publishing the pertinent parts of your actual code in context, someone may be able to spot the problem. If there are a lot of lines, please use pastebin.com and provide the link here. Publishing there with PHP syntax highlighting enabled makes it easier to spot errors.
FYI, if your action link is on your plugin’s admin screen which is loaded through admin-post.php, you can use check_admin_referer() to check the nonce. It additionally confirms the request came from a file in wp-admin, another important security check.
Before I go ahead and paste it, is it bad to set different nonces for each action button?
E.g.:
$nonce_deny= wp_create_nonce('deny-users');
'deny' => sprintf('<a href="?page=%s&action=%s&appid=%s&_wpnonce=%s">Deny</a>', $_REQUEST['page'], 'deny', $item['id'], $nonce_deny)
And then trying to check with:
case 'deny':
// The action string must match the one passed to wp_create_nonce() ('deny-users')
if (!isset($_REQUEST['_wpnonce']) || !wp_verify_nonce($_REQUEST['_wpnonce'], 'deny-users')) {
die("Wrong Deny Nonce");
}
Different method of nonce:
I was setting wp_nonce_field('mcwl-nonce'); within my form, and then checking it with check_admin_referer('mcwl-nonce')
This doesn’t fail, however it says “Are you sure you want to do this?”
If needed I’ll post the required code for either method I’ve tried.
EDIT:
Would it matter if this is a subpage of the plugins admin area?
I have single links working now using:
wp_create_nonce('deny-app_' . $item['id'])
and
!isset($_REQUEST['_wpnonce']) || !check_admin_referer('deny-app_' . $_REQUEST['appid'])
Any ideas how I would go about this for bulk actions, and would I have to change the ‘appid’ portion of it to accommodate for bulk actions?
I typed too soon.
Used a few if blocks to check for single and bulk:
if (nonce is set) {
if (bulk is set) {
set bulk data array
} elseif (single is set) {
set single data array
} else {
die(some bad nonce)
}
}
Considered closed.
I’m glad you worked it out 🙂
To answer some of your questions, I’m not sure where the “Are you sure?” is coming from. I don’t see any such text in any of the nonce related source code. A security plugin maybe?
Whether check_admin_referer() can be used or not is not dependent on being a top level menu or submenu. All that matters is that $_SERVER['HTTP_REFERER'] includes the wp-admin path. If your plugin menu page is loaded directly, you cannot use the admin referer check (It’d be a good idea to do an independent check though). If your submenu page is loaded through admin-post.php, then you can use the admin referer check.
I would use the same nonce for any particular page, regardless of which actions are being called on that page. This is what WP core does as well. There is certainly no harm in using various nonces (as long as you can keep them straight 😛 ) It may seem like better security to do so, but I don’t think you are actually gaining anything, it’s basically security theater.
I’m not a security expert, so I welcome a proper explanation of how security is actually improved by having a separate nonce for each action. I could be wrong, I admit it.
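Pulling the two working approaches from this thread together (a per-item nonce on the row link, one page-level nonce for the bulk form, and a single handler that picks the check by request shape), as an added example that is not code from the thread or from WordPress itself; the mcwl_ function names, the 'mcwl-requests' page slug, the app_ids[] checkbox name and the mcwl_deny_request action hook are assumptions, while 'mcwl-nonce' and 'deny-app_' are the nonce actions the original poster used.

```php
<?php
// Added example, not from the thread. Demonstrates one handler that verifies
// either a per-row nonce (single "Deny" link) or a page-level nonce (bulk form).
// Function names, the page slug and the app_ids[] field name are hypothetical.

// Row action link: the nonce is tied to the item id, so a link generated for
// one row cannot be replayed against a different one.
function mcwl_deny_link( array $item ) {
    $url = add_query_arg(
        array( 'page' => 'mcwl-requests', 'action' => 'deny', 'appid' => $item['id'] ),
        admin_url( 'admin.php' )
    );
    return sprintf(
        '<a href="%s">Deny</a>',
        esc_url( wp_nonce_url( $url, 'deny-app_' . $item['id'] ) )
    );
}

// Bulk form: one nonce for the whole page, the way WP core handles list tables.
// wp_nonce_field() writes the hidden _wpnonce and _wp_http_referer inputs.
function mcwl_bulk_form_fields() {
    wp_nonce_field( 'mcwl-nonce' );
}

// Dispatcher: capability check first, then the nonce that matches the request
// shape, then the work. check_admin_referer() dies via wp_nonce_ays() on failure.
function mcwl_handle_deny() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $ids = array();
    if ( ! empty( $_REQUEST['app_ids'] ) && is_array( $_REQUEST['app_ids'] ) ) {
        // Bulk: checkboxes named app_ids[] submitted with the page-level nonce.
        check_admin_referer( 'mcwl-nonce' );
        $ids = array_filter( array_map( 'absint', wp_unslash( $_REQUEST['app_ids'] ) ) );
    } elseif ( isset( $_REQUEST['appid'] ) ) {
        // Single: verify against the id that was actually sent, not a trusted one.
        $id = absint( $_REQUEST['appid'] );
        check_admin_referer( 'deny-app_' . $id );
        $ids = array( $id );
    } else {
        wp_die( 'Missing nonce or item id.', 400 );
    }
    foreach ( $ids as $id ) {
        // Hypothetical hook: whatever performs the deny listens here.
        do_action( 'mcwl_deny_request', $id );
    }
}
```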