wp_verify_nonce() (WP 2.0.3)

Verify nonce token.

The token is created by one of the functions:

Pluggable function: this function can be replaced from a plugin. This means the function is defined (works) only after all plugins have been loaded (included); before that moment it is not defined. Therefore you cannot call this function, or any function that depends on it, directly from plugin file code. Such calls must be made on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override): in a must-use or regular plugin you can define a function with the same name, and it will replace this function.

Return

Int|false. 1 if the nonce is valid and generated between 0-12 hours ago,
2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.

Usage

wp_verify_nonce( $nonce, $action );
$nonce (string) (required)
Nonce that was used in the form to verify. It is usually passed in a request: $_POST['_wpnonce'].
$action (string/int)

The key which was used for the token creation.
Default: -1

It is an optional argument that may have been passed when the token was created (e.g. wp_create_nonce('action_key')). If no value was specified when creating the token, it should be omitted here too; the verification will then pass.
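Putting the pluggable-function note and the argument description together, the following is an added example (not from the original page or from WordPress core) of a POST form whose handler runs on the init hook, verifies the nonce with an explicit action key, and treats the three return values separately. The my_plugin_* function names, the 'my_plugin_save' action key, the 'my_plugin_form' and 'my_plugin_value' field names, the option name and the required capability are placeholders chosen for this example.

```php
<?php
// Added example; not code from the original page or from WordPress core.
// Assumed placeholders: my_plugin_* functions, the 'my_plugin_save' action key,
// the form field names and the 'edit_posts' capability.

// wp_verify_nonce() is pluggable, so the handler is hooked on 'init'
// (where the current user is already determined) rather than being
// called while the plugin file itself is loaded.
add_action( 'init', 'my_plugin_handle_submission' );

function my_plugin_render_form() {
    ?>
    <form method="post">
        <?php
        // Emits a hidden '_wpnonce' field bound to the 'my_plugin_save' action
        // (and, by default, a '_wp_http_referer' field).
        wp_nonce_field( 'my_plugin_save' );
        ?>
        <input type="hidden" name="my_plugin_form" value="1">
        <input type="text" name="my_plugin_value">
        <button type="submit">Save</button>
    </form>
    <?php
}

function my_plugin_handle_submission() {
    if ( empty( $_POST['my_plugin_form'] ) ) {
        return; // Not this plugin's form.
    }

    // Use the same action key as wp_nonce_field(). Omitting it only here makes
    // the check fail; omitting it in both places (default -1) would give every
    // form on the site the same token for a given user and session.
    $nonce  = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    $result = wp_verify_nonce( $nonce, 'my_plugin_save' );

    // Compare strictly: 1 and 2 are the valid results, false is the only failure.
    if ( false === $result ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }

    if ( 2 === $result ) {
        // Token comes from the previous 12-hour tick: still accepted, the form
        // page was simply open for a while. Worth logging if you track this.
        error_log( 'my_plugin: nonce from previous tick accepted' );
    }

    // The nonce ties the request to this user's session and intent; it is not
    // an authorization check, so the capability is still verified separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    $value = isset( $_POST['my_plugin_value'] ) ? sanitize_text_field( wp_unslash( $_POST['my_plugin_value'] ) ) : '';
    update_option( 'my_plugin_value', $value );
}
```

Call my_plugin_render_form() from the page template or admin screen that should show the form; the handler picks the submission up on the next request because it is registered on init.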

Examples


#1 Data verification for $_GET request

<?php $nonce = wp_create_nonce( 'my-nonce' ); ?>

<a href="<?php echo esc_url( 'myplugin.php?_wpnonce=' . $nonce . '&data=some-data' ); ?>"> ...

<?php
// verify the request: read the token from the query string (empty if absent)
$nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
if ( wp_verify_nonce( $nonce, 'my-nonce' ) ) {
	// handle the data here
} else {
	die( 'Forbidden!' );
}
?>

Changelog

Since 2.0.3 Introduced.

wp_verify_nonce() code (WP 6.5.2)

function wp_verify_nonce( $nonce, $action = -1 ) {
	$nonce = (string) $nonce;
	$user  = wp_get_current_user();
	$uid   = (int) $user->ID;
	if ( ! $uid ) {
		/**
		 * Filters whether the user who generated the nonce is logged out.
		 *
		 * @since 3.5.0
		 *
		 * @param int        $uid    ID of the nonce-owning user.
		 * @param string|int $action The nonce action, or -1 if none was provided.
		 */
		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
	}

	if ( empty( $nonce ) ) {
		return false;
	}

	$token = wp_get_session_token();
	$i     = wp_nonce_tick( $action );

	// Nonce generated 0-12 hours ago.
	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 1;
	}

	// Nonce generated 12-24 hours ago.
	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 2;
	}

	/**
	 * Fires when nonce verification fails.
	 *
	 * @since 4.4.0
	 *
	 * @param string     $nonce  The invalid nonce.
	 * @param string|int $action The nonce action.
	 * @param WP_User    $user   The current user object.
	 * @param string     $token  The user's session token.
	 */
	do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

	// Invalid nonce.
	return false;
}
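The source above fires the wp_verify_nonce_failed action before returning false. The following is an added example (not from the original page or from WordPress core) of a listener on that action that records failed checks for monitoring without writing the secret-derived values it receives. The my_plugin_ prefix, the log format, the transient name and the alert threshold are placeholders chosen for this example.

```php
<?php
// Added example; not code from the original page or from WordPress core.
// Assumed placeholders: the my_plugin_ prefix, the log line format,
// the transient key and the 20-failures-per-10-minutes threshold.

add_action( 'wp_verify_nonce_failed', 'my_plugin_log_nonce_failure', 10, 4 );

/**
 * Records a failed nonce verification.
 *
 * @param string     $nonce  The rejected nonce (deliberately not logged).
 * @param string|int $action The nonce action, or -1 if none was given.
 * @param WP_User    $user   The current user (ID 0 when logged out).
 * @param string     $token  The session token (deliberately not logged:
 *                           it is a session credential).
 */
function my_plugin_log_nonce_failure( $nonce, $action, $user, $token ) {
    // Keep only non-secret context: action, user and request metadata.
    $entry = array(
        'event'  => 'nonce_failed',
        'action' => (string) $action,
        'user'   => (int) $user->ID,
        'uri'    => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'time'   => gmdate( 'c' ),
    );
    error_log( 'my_plugin ' . wp_json_encode( $entry ) );

    // A single failure is usually a form left open past the 24-hour window.
    // Many failures from one client in a short window are what a responder
    // wants surfaced, so count per client with a short-lived transient.
    $key   = 'my_plugin_nf_' . md5( $entry['ip'] );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, 10 * MINUTE_IN_SECONDS );

    if ( 20 === $count ) {
        error_log( 'my_plugin ALERT: 20 nonce failures from ' . $entry['ip'] . ' within 10 minutes' );
    }
}
```

The listener must be registered before wp_verify_nonce() runs; hooking it at plugin load is fine because add_action() itself does not depend on the pluggable function. If the site sits behind a reverse proxy, REMOTE_ADDR holds the proxy address, so the per-client count should use whatever the server is configured to trust as the client address.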