Better WordPress Security with WordPress Nonces | WordPress PHP Security

  • Published 30 Jul 2024
  • In this video, I go over how to create better security on your #WordPress site with #Nonces!
    github.com/alexander-young/wp...
  • Science & Technology

COMMENTS • 29

  • @WPCasts 4 years ago +1

    Let's chat on Twitter! twitter.com/AlexanderBYoung

  • @patrickcameron2950 4 years ago +3

    I'm a lot closer to wrapping my head around nonces than I was before - thank you! Looking forward to digging through your other videos.

  • @jlcdrivewayramps7343 1 year ago

    Simple. Clear. I can't stand tutorials which are too complex; they confuse more than they help. Keep it simple, and you did. Thank you.

  • @RyanDewhurst 4 years ago +2

    Hey! Ryan here from WPScan. Great video. Just something to note that wasn't mentioned is that Chrome and other browsers will soon be enabling "SameSite=Lax" cookies by default, which will prevent most CSRF attacks in modern web browsers, when they implement it by default. Nonces should absolutely still be used of course, but the risk of a CSRF attack should also be reduced when web browsers implement SameSite by default.

  • @LevyCarneiro 4 years ago +2

    Great format with you facing diagonally. Best format I've seen for screencast videos.

  • @leebuckle8288 4 years ago +5

    People in the UK reading the title like -.-

  • @manavbudhia 4 years ago +1

    Great to see your video after a long time.

  • @wassy83 4 years ago +2

    Thank you so much!

  • @MoserDamasceno 4 years ago +1

    Thank you!

  • @rauljauregi6615 4 years ago +1

    Nice! Thank you very much.

  • @TheMarouuu 4 years ago +1

    Great stuff!

  • @alex_ishchenko 4 years ago

    Thanks!

  • @vladtircomnicu1630 3 years ago

    Super useful

  • @Pharoxx105 4 years ago +2

    Could you explain how to use a nonce with cached form pages? I want to serve the form page from a static cache.

  • @gorangagrawal 2 years ago

    How to get a nonce for headless WordPress? A custom endpoint, i.e. with the REST API?
    And if yes, should we secure the nonce endpoint by checking something like current_user_can(), or should we just leave it without any checks?

  • @amitbiswas1885 4 years ago

    What happens if a user opens this form while not logged in, then logs in in another tab, returns to the first tab and submits the form? A nonce error happens. Why? How to deal with that situation?

  • @user-ck7rb1hg8o 4 years ago

    Hello, what are you using for bundling JS?

    • @WPCasts 4 years ago +1

      I actually wasn't bundling it. I was just using the browser-supported ES6 :)

  • @RhyandMarketingGroup 4 years ago

    Always love how you dig deeper into WP more than the average channel! Check out the function check_ajax_referer() (developer.wordpress.org/reference/functions/check_ajax_referer/). It pretty much does what you built, but with a simple function call. It's super handy.

  • @msvmanikantasrivishnu7788 4 years ago +4

    1st like :-)

  • @afflictionmarketing5303 4 years ago

    I don't understand it. Because the nonce field is a hidden field. Even when a bot submits the request, isset still returns true and the query gets executed. ????

    • @user-ck7rb1hg8o 4 years ago +1

      Note that the nonces are unique to the current user's session, so if a user logs in or out asynchronously any nonces on the page will no longer be valid.
      codex.wordpress.org/WordPress_Nonces

    • @Draanor 4 years ago +1

      Nonces are to stop replay attacks; they help ensure that a request was made from a valid source, that the request is only run once, and that the primed request can expire if the user fails to submit. Nonces are basically useless on forms that don't require user authentication.
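The isset() confusion raised in this thread, as an added example that is not from the video or from any commenter: a handler that only checks that the hidden field is present, beside one that verifies the value with wp_verify_nonce() and then checks capability, plus the check_ajax_referer() variant mentioned in another comment. It assumes WordPress is loaded (plugin or theme code); the action name, field names and the save_note() callback are hypothetical.

```php
<?php
// Added example, not the video's code. Assumes WordPress is loaded.
// 'wpcasts_save_note', 'wpcasts_note_nonce' and save_note() are hypothetical.

// Vulnerable: isset() only proves that a field with this name was sent.
// A cross-site form or a bot can include a hidden field of any name,
// so this check rejects nothing.
function wpcasts_demo_handle_vulnerable() {
    if ( isset( $_POST['my_nonce'] ) ) {
        save_note( $_POST['note'] ); // runs for any request naming the field
    }
}

// Form: wp_nonce_field() emits a hidden input whose value is derived from the
// action string, the current user and their session token, and a time tick
// (valid for 12 to 24 hours by default), plus a _wp_http_referer field.
function wpcasts_demo_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpcasts_save_note', 'wpcasts_note_nonce' ); ?>
        <textarea name="note"></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

// Hardened: the submitted value must verify against the same action for the
// same user/session. A nonce proves intent, not authorisation, so the
// capability check stays as a separate step.
function wpcasts_demo_handle_hardened() {
    $nonce = isset( $_POST['wpcasts_note_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpcasts_note_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wpcasts_save_note' ) ) {
        wp_die( 'Security check failed', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    save_note( sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) ) );
}

// AJAX variant from the comments: check_ajax_referer() reads the named field
// (falling back to _ajax_nonce / _wpnonce) and dies with -1 on failure.
function wpcasts_demo_ajax_handler() {
    check_ajax_referer( 'wpcasts_save_note', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    save_note( sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_wpcasts_save_note', 'wpcasts_demo_ajax_handler' );
```

The same tie to the user's session token is why the logged-out-then-logged-in case asked about above fails verification: the nonce on the stale tab was generated for a different session.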

  • @ReLLaKaT316 3 years ago +1

    Noooonce

  • @muhammadfarooqi 3 years ago

    It's not useful.... it is very useful....:) thanks

    • @WPCasts 3 years ago

      Glad to hear that!