WordPress at a glance

wp_create_nonce() WP 1.0

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

  • Since 4.0.0 Session tokens were integrated with nonce creation

This is a pluggable function, so a plugin can replace it. As a result, it is defined only after all plugins have been loaded (included); before that point the function does not exist yet. You therefore cannot call it, or any function that depends on it, directly from a plugin's top-level code. Call it on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override): a plugin can define a function with the same name, and that definition will replace this one.

Is the basis for: wp_nonce_field(), wp_nonce_url()
✈ 1 time = 0.000025s = very fast | 50000 times = 0.21s = very fast | PHP 7.1.1, WP 4.7.2
Hooks in function

Return

String. The token.

Usage

wp_create_nonce( $action );

$action (string/int)
Scalar value to add context to the nonce.
Default: -1

Code of wp_create_nonce(): wp-includes/pluggable.php, WP 5.0.3

function wp_create_nonce($action = -1) {
	$user = wp_get_current_user();
	$uid = (int) $user->ID;
	if ( ! $uid ) {
		/** This filter is documented in wp-includes/pluggable.php */
		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
	}

	// Session token of the current login and the current time-window counter.
	$token = wp_get_session_token();
	$i = wp_nonce_tick();

	// Keyed hash over tick, action, user ID and session token, truncated to 10 characters.
	return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
}
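
The construction above, modelled as a stand-alone PHP script (an added example, not WordPress core code), to show which inputs a nonce is bound to and how long it stays acceptable. `MODEL_SALT`, `MODEL_LIFE`, the `model_*` functions and all sample values are assumptions made for the illustration; `model_verify_nonce()` is a simplified counterpart of wp_verify_nonce().

```php
<?php
// Stand-alone model: runs with the PHP CLI, no WordPress required.
const MODEL_SALT = 'constructed-demo-salt'; // assumption: stands in for wp_salt( 'nonce' )
const MODEL_LIFE = 86400;                   // assumption: default nonce lifetime of one day

// Counterpart of wp_nonce_tick(): the counter advances every half lifetime.
function model_tick( int $now ): int {
	return (int) ceil( $now / ( MODEL_LIFE / 2 ) );
}

// Same construction as wp_create_nonce(), with every input made explicit.
function model_create_nonce( $action, int $uid, string $token, int $tick ): string {
	$mac = hash_hmac( 'md5', $tick . '|' . $action . '|' . $uid . '|' . $token, MODEL_SALT );
	return substr( $mac, -12, 10 );
}

// Returns 1 for the current tick, 2 for the previous tick, false otherwise.
function model_verify_nonce( string $nonce, $action, int $uid, string $token, int $now ) {
	$tick = model_tick( $now );
	foreach ( [ 1 => $tick, 2 => $tick - 1 ] as $age => $i ) {
		// hash_equals() compares in constant time.
		if ( hash_equals( model_create_nonce( $action, $uid, $token, $i ), $nonce ) ) {
			return $age;
		}
	}
	return false;
}

// Constructed sample values: user 7, one login session, one action.
$now   = 1700000000;
$nonce = model_create_nonce( 'delete-post_42', 7, 'session-A', model_tick( $now ) );

$checks = [
	'same context'      => model_verify_nonce( $nonce, 'delete-post_42', 7, 'session-A', $now ),
	'one tick later'    => model_verify_nonce( $nonce, 'delete-post_42', 7, 'session-A', $now + 43200 ),
	'two ticks later'   => model_verify_nonce( $nonce, 'delete-post_42', 7, 'session-A', $now + 86400 ),
	'different action'  => model_verify_nonce( $nonce, 'delete-post_43', 7, 'session-A', $now ),
	'different user'    => model_verify_nonce( $nonce, 'delete-post_42', 8, 'session-A', $now ),
	'different session' => model_verify_nonce( $nonce, 'delete-post_42', 7, 'session-B', $now ),
];

foreach ( $checks as $label => $result ) {
	printf( "%-18s %s\n", $label, var_export( $result, true ) );
}
```

Because the previous tick is still accepted, the same value can be submitted repeatedly until it ages out, so the nonce works as a time-limited CSRF token rather than a single-use value. It does not replace a capability check such as current_user_can().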
