WordPress at a glance

wp_nonce_url() WP 2.0.4

Adds a nonce token to the URL: ?_wpnonce=9d6bd884a1.

The result of the function is intended only for output, and not for internal usage in PHP (e.g. for redirect with wp_redirect()). That's because the functions escapes the value with esc_html().

Works based on: wp_create_nonce()
1 time = 0.000102s = fast | 50000 times = 2.28s = fast

No Hooks.


String. Escaped URL with nonce action added.


wp_nonce_url( $actionurl, $action, $name );
$actionurl(string) (required)
URL to add nonce action.
Nonce action name.
Default: -1
Nonce name.
Default: '_wpnonce'


#1 Basic example

echo wp_nonce_url( 'http://example.com/url' );
// output: http://example.com/url?_wpnonce=1ef8422137

echo wp_nonce_url( 'http://example.com/url?arg=data' );
// output: http://example.com/url?arg=data&_wpnonce=9d6bd884a1

#2 Another basic example

echo wp_nonce_url( 'http://example.com/url', 'my_nonce' );
// output: http://example.com/url?_wpnonce=4a875e9c59

// then check the url
if( wp_verify_nonce( $_GET['_wpnonce'], 'my_nonce' ) )
	echo "Check passed";
	echo "Check failed";

#3 Add nonce to the URL for use in wp_redirect()

The result of wp_nonce_url() is intended only for output on the screen, not for internal usage in PHP. If you want to add the nonce to the URL and use it in some function (e.g. wp_redirect()), you can do something like this:

$url = '/wp-admin/admin.php?page=foo';
$nonce = wp_create_nonce( 'my_nonce_key' ); // create nonce

$nonce_url = add_query_arg( [ '_wpnonce'=>$nonce ], $url );

echo $nonce_url; //> /wp-admin/admin.php?page=foo&_wpnonce=74c42a878c


Since 2.0.4 Introduced.

Code of wp_nonce_url() WP 5.5.1

function wp_nonce_url( $actionurl, $action = -1, $name = '_wpnonce' ) {
	$actionurl = str_replace( '&amp;', '&', $actionurl );
	return esc_html( add_query_arg( $name, wp_create_nonce( $action ), $actionurl ) );

From tag: nonce (security protection defence)

More from tag: Site security (safety)

vladlu 100vlad.lu
Editors: kama 100
No comments
    Log In . Register