wp_nonce_url()WP 2.0.4

Adds a nonce token to the URL: ?_wpnonce=9d6bd884a1.

The result of the function is intended only for output, and not for internal usage in PHP (e.g. for redirect with wp_redirect()). That's because the functions escapes the value with esc_html().

1 time — 0.000102 sec (fast) | 50000 times — 2.28 sec (fast)

No Hooks.


String. Escaped URL with nonce action added.


wp_nonce_url( $actionurl, $action, $name );
$actionurl(string) (required)
URL to add nonce action.
Nonce action name.
Default: -1
Nonce name.
Default: '_wpnonce'



#1 Basic example

echo wp_nonce_url( 'http://example.com/url' );
// output: http://example.com/url?_wpnonce=1ef8422137

echo wp_nonce_url( 'http://example.com/url?arg=data' );
// output: http://example.com/url?arg=data&_wpnonce=9d6bd884a1

#2 Another basic example

echo wp_nonce_url( 'http://example.com/url', 'my_nonce' );
// output: http://example.com/url?_wpnonce=4a875e9c59

// then check the url
if( wp_verify_nonce( $_GET['_wpnonce'], 'my_nonce' ) )
	echo "Check passed";
	echo "Check failed";

#3 Add nonce to the URL for use in wp_redirect()

The result of wp_nonce_url() is intended only for output on the screen, not for internal usage in PHP. If you want to add the nonce to the URL and use it in some function (e.g. wp_redirect()), you can do something like this:

$url = '/wp-admin/admin.php?page=foo';
$nonce = wp_create_nonce( 'my_nonce_key' ); // create nonce

$nonce_url = add_query_arg( [ '_wpnonce'=>$nonce ], $url );

echo $nonce_url; //> /wp-admin/admin.php?page=foo&_wpnonce=74c42a878c


Since 2.0.4 Introduced.

wp_nonce_url() code WP 6.5.2

function wp_nonce_url( $actionurl, $action = -1, $name = '_wpnonce' ) {
	$actionurl = str_replace( '&', '&', $actionurl );
	return esc_html( add_query_arg( $name, wp_create_nonce( $action ), $actionurl ) );