wp_create_nonce() WP 2.0.3

Creates a unique security key for a short period of time (from 12 to 24 hours).

The key is created as part of a hash from:

  • For logged-in users:

    timestamp | action | user_ID | $session_token | wp_salt
  • For logged-out users:

    timestamp | action | wp_salt

If any of the values change, the nonce will change. It's practically impossible to predict the nonce in advance. Naturally, the more variable elements it contains, the more unique it becomes.

For all logged-out users the same nonce is generated (tested). For example, one can open a site, copy the nonce from the HTML or from the relevant request, and use it against another logged-out user. Technically, the nonce for any logged-out user can always be determined, so using a nonce as a form of protection for logged-out users makes little sense.

The nonce key's lifetime can be changed through the nonce_life filter.

$nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS );

Keep in mind that the specified value is divided by 2: the lifetime is split into two halves, a "before" and an "after". By default the nonce is created for 24 hours (one day), and when it is verified with wp_verify_nonce() the function returns 1 or 2, depending on which half (the first 12 hours or the second) the nonce belongs to.
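As an added illustration (not WordPress's own code and not part of the original page), the following standalone PHP model reproduces the scheme described above: the halved nonce_life tick, the salted HMAC-MD5 trimmed to 10 characters, and the 1 / 2 / false outcomes of verification. The salt, timestamps, user ID and session tokens are constructed values.

```php
<?php
// Standalone model of the nonce scheme described on this page; not WordPress code.
// DEMO_SALT is a constructed value standing in for wp_salt( 'nonce' ).
const NONCE_LIFE = 86400; // DAY_IN_SECONDS, the default passed through the nonce_life filter
const DEMO_SALT  = 'constructed-demo-salt-not-a-real-wordpress-salt';

// Like wp_nonce_tick(): the lifetime is halved, so one tick is 12 hours by default.
function nonce_tick( int $now, int $life = NONCE_LIFE ): int {
	return (int) ceil( $now / ( $life / 2 ) );
}

// Like the hash in wp_create_nonce(): wp_hash() is HMAC-MD5 keyed with the salt,
// cut down to 10 characters. A logged-out visitor has $uid = 0 and $token = ''.
function make_nonce( int $tick, string $action, int $uid, string $token ): string {
	$data = $tick . '|' . $action . '|' . $uid . '|' . $token;
	return substr( hash_hmac( 'md5', $data, DEMO_SALT ), -12, 10 );
}

// Like wp_verify_nonce(): 1 for the current tick, 2 for the previous tick,
// false when the nonce is expired or was built from different inputs.
// hash_equals() keeps the comparison constant-time.
function verify_nonce( string $nonce, string $action, int $uid, string $token, int $now ) {
	$i = nonce_tick( $now );
	if ( hash_equals( make_nonce( $i, $action, $uid, $token ), $nonce ) ) {
		return 1;
	}
	if ( hash_equals( make_nonce( $i - 1, $action, $uid, $token ), $nonce ) ) {
		return 2;
	}
	return false;
}

$issued = 1700000000; // constructed issue time (Unix timestamp)
$nonce  = make_nonce( nonce_tick( $issued ), 'my-nonce', 42, 'session-token-A' );

$cases = [
	'same tick, same user and session'  => [ 42, 'session-token-A', $issued ],
	'12 hours later (previous tick)'    => [ 42, 'session-token-A', $issued + 12 * 3600 ],
	'24 hours later (expired)'          => [ 42, 'session-token-A', $issued + 24 * 3600 ],
	'same user, other session token'    => [ 42, 'session-token-B', $issued ],
];
foreach ( $cases as $label => [ $uid, $token, $now ] ) {
	printf( "%-36s => %s\n", $label, var_export( verify_nonce( $nonce, 'my-nonce', $uid, $token, $now ), true ) );
}

// Logged-out visitors all have uid 0 and an empty token, so the same action and
// tick yields the identical nonce for every one of them (the point made above).
printf( "logged-out nonce (any visitor)   => %s\n", make_nonce( nonce_tick( $issued ), 'my-nonce', 0, '' ) );
```

Moving the clock forward by one tick length always advances the tick by exactly one, which is why the second case is accepted with 2 and the third is rejected.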

Use the function during or after the init event, otherwise issues may arise.

Read more about one-time (nonce) numbers in a separate article.

Pluggable function — this function can be replaced from a plugin. This means the function is defined (works) only after all plugins have been loaded (included); before that moment it is not defined. Therefore you cannot call this function, or any function that depends on it, directly from plugin code. Such calls must be made on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override) — in a must-use or regular plugin you can create a function with the same name, and it will replace this function.

1 time — 0.000025 sec (very fast) | 50000 times — 0.21 sec (very fast) | PHP 7.1.1, WP 4.7.2
Hooks from the function

Returns

String. A unique combination of characters.

Usage

wp_create_nonce( $action );
$action (string)
The value based on which the unique key will be created.
Default: -1

Examples


#1 Basic Example

echo wp_create_nonce();
// output: c6d25d33be

#2 Creating a nonce token for a form

<?php $nonce = wp_create_nonce( 'my-nonce' ); ?>
<a href='myplugin.php?_wpnonce=<?php echo esc_attr( $nonce ); ?>&data=mydata'> ...

<?php
// Where the request will be handled
$nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';

// The action name must match the one used when the nonce was created
if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
	die( 'Forbidden!' );
}
?>

Changelog

Since 2.0.3 Introduced.
Since 4.0.0 Session tokens were integrated with nonce creation.

wp_create_nonce() code WP 6.8

function wp_create_nonce( $action = -1 ) {
	$user = wp_get_current_user();
	$uid  = (int) $user->ID;
	if ( ! $uid ) {
		/** This filter is documented in wp-includes/pluggable.php */
		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
	}

	$token = wp_get_session_token();
	$i     = wp_nonce_tick( $action );

	return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
}