What a nonce is
A WordPress nonce is a security token tied to a specific user, a specific action, and a specific time window. The name comes from “number used once,” though WordPress nonces are technically valid for up to 24 hours rather than being destroyed on first use. The important thing is what they do: they prove that a request to WordPress came from your browser during your session, not from somewhere else pretending to be you.
The problem nonces solve
Without nonces, it would be possible to trick a logged-in WordPress user into performing actions they didn’t intend. A malicious site could construct a link that, when clicked by someone logged into your WordPress Admin, deletes a post, changes a setting, or adds an admin user. The browser would send the request with your WordPress cookies attached, and WordPress would have no way to know the action didn’t come from you. This attack type is called Cross-Site Request Forgery (CSRF).
Nonces break this attack because they contain a cryptographic value tied to your session. A request from another site can’t include a valid nonce for your session because it doesn’t have access to the secret key WordPress uses to generate it. WordPress checks the nonce before processing the action. If the nonce is missing or invalid, the action is rejected.
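To make the mechanism concrete, the following is an added Python re-implementation of the scheme WordPress uses in wp_create_nonce() and wp_verify_nonce() (an HMAC-MD5 over the time window, action, user ID and session token, keyed by the site's nonce salt, truncated to ten hex characters). It is example code written for this page, not WordPress's own source; the salt and session token are constructed stand-ins for the secrets WordPress reads from wp-config.php and the login cookie. Running it shows why a nonce from another user or for another action fails, and why a nonce still verifies 12 hours later but not 24 hours later.

```python
"""
Added example (not code from the page or from WordPress itself): a small
Python re-implementation of the scheme behind wp_create_nonce() and
wp_verify_nonce(), so the time window and user/action binding can be
exercised offline. The salt and session token are constructed values,
not real WordPress secrets.
"""
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60  # WordPress default lifetime: one day (DAY_IN_SECONDS)

# Constructed stand-ins for the site's nonce salt and the user's session token;
# in WordPress these come from wp-config.php and the logged-in cookie.
SITE_SALT = b"constructed-nonce-salt-for-example-only"
SESSION_TOKEN = "constructed-session-token"


def nonce_tick(now: int, life: int = NONCE_LIFE) -> int:
    """The time-window index: WordPress advances it every half-life (12 hours)."""
    return math.ceil(now / (life / 2))


def _hash_for_tick(tick: int, action: str, uid: int, token: str, salt: bytes) -> str:
    # wp_hash(): HMAC-MD5 over "tick|action|user id|session token", keyed by the salt.
    data = f"{tick}|{action}|{uid}|{token}".encode()
    digest = hmac.new(salt, data, hashlib.md5).hexdigest()
    # PHP substr($hash, -12, 10): ten hex characters starting twelve from the end.
    return digest[-12:-2]


def create_nonce(action: str, uid: int, token: str, now: int, salt: bytes = SITE_SALT) -> str:
    """Equivalent of wp_create_nonce($action) for a logged-in user."""
    return _hash_for_tick(nonce_tick(now), action, uid, token, salt)


def verify_nonce(nonce: str, action: str, uid: int, token: str, now: int, salt: bytes = SITE_SALT) -> int:
    """Equivalent of wp_verify_nonce(): 1 = current window, 2 = previous window, 0 = invalid."""
    if not nonce:
        return 0
    tick = nonce_tick(now)
    # Constant-time comparison, as WordPress does with hash_equals().
    if hmac.compare_digest(_hash_for_tick(tick, action, uid, token, salt), nonce):
        return 1
    if hmac.compare_digest(_hash_for_tick(tick - 1, action, uid, token, salt), nonce):
        return 2
    return 0


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "now"
    n = create_nonce("delete-post_42", 7, SESSION_TOKEN, t0)
    print("same window:      ", verify_nonce(n, "delete-post_42", 7, SESSION_TOKEN, t0))
    print("12h later:        ", verify_nonce(n, "delete-post_42", 7, SESSION_TOKEN, t0 + 12 * 3600))
    print("24h later (stale):", verify_nonce(n, "delete-post_42", 7, SESSION_TOKEN, t0 + 24 * 3600))
    print("other user:       ", verify_nonce(n, "delete-post_42", 8, SESSION_TOKEN, t0))
    print("other action:     ", verify_nonce(n, "trash-post_42", 7, SESSION_TOKEN, t0))
```

The return value of 2 is what lets a form that was rendered just before a window boundary still submit; a page cached for longer than the window produces the 0 case, which is the "Are you sure you want to do this?" failure.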
Where you encounter nonces in practice
Nonces appear invisibly in most WordPress interactions. When you save a post, a nonce is validated. When you delete a plugin, a nonce is validated. When a contact form plugin processes a submission, it should be validating a nonce. You encounter them visibly when something goes wrong: the “Are you sure you want to do this?” error in WordPress means a nonce failed validation, usually because a cached page is serving an expired nonce or because you’re not logged in.
Nonces in Loupely captures
When a nonce validation failure appears in a Loupely capture, it typically means one of two things: a caching plugin is caching a page that contains a form with a nonce embedded in it, and serving that stale page to users whose nonce has since expired; or a request is being made outside a proper WordPress session where a valid nonce was never issued. Both patterns appear in the capture as a specific error from WordPress’s nonce verification function, which Loupely’s correlation rules link to the corresponding behavior the user is experiencing (a form that submits but produces an error, or a checkout that fails silently).
