I was trying to figure out where WordPress stores all the nonces, but wasn't able to find a clue. I first checked the database but wasn't able to find any table named some
Nonces are one-time tokens generated by WordPress to validate various requests, such as adding a comment, deleting a post, removing a user, etc.
They're not stored anywhere, nor do they need to be.
Take the following example; when managing content in WordPress, the Bin link may look something like this:
http://www.example.com/wp-admin/post.php?post=1337&action=trash&_wpnonce=369f188682
However, if you were to try and change the ID of the page/post in the URL to something else (see below), the nonce would no longer be valid, return a 403 error, and display: "Are you sure you want to do this?"
http://www.example.com/wp-admin/post.php?post=9100&action=trash&_wpnonce=369f188682
Adding a hidden _nonce field (take Contact Form 7 as a prime example) is generally good practice when implementing forms in WordPress, as it prevents Cross-Site Request Forgery (CSRF), etc.
Resources:
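To make the "not stored anywhere" point concrete, here is an added example (my own Python model, not WordPress's code) of how a stateless nonce scheme of this shape works and why the same token stops validating when the post ID, the user or the session changes. WordPress derives its nonces from a time window, the action name, the user ID and the session token using the secret keys in wp-config.php, and accepts a nonce from the current window or the previous one; the model below follows that shape but uses its own constructed secret, SHA-256 instead of WordPress's hash, and demo action names such as `trash-post_1337`. It also covers the hidden `_wpnonce` form field from the last paragraph: verifying a submission is just recomputing the expected value and comparing, with no lookup table anywhere.

```python
import hashlib
import hmac
import math

# Constructed demo secret. A real site derives this from the NONCE_KEY /
# NONCE_SALT values in wp-config.php; it is the only thing that must stay secret.
SECRET = b"constructed-demo-secret-not-a-real-key"

# Nonce lifetime in seconds (one day). A nonce is accepted for the half-lifetime
# window it was minted in plus the previous window, so it lives for 12 to 24 hours.
NONCE_LIFE = 24 * 60 * 60


def nonce_tick(now: float, life: int = NONCE_LIFE) -> int:
    """Number of the half-lifetime window that the timestamp `now` falls in."""
    return math.ceil(now / (life / 2))


def _nonce_for_tick(tick: int, action: str, user_id: int, session_token: str,
                    secret: bytes) -> str:
    """HMAC over (window, action, user, session); keep 10 hex chars like the URL above."""
    message = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action: str, user_id: int, session_token: str, now: float,
                 secret: bytes = SECRET) -> str:
    """Mint a nonce. Nothing is written anywhere: the same inputs always
    reproduce the same token, so verification can recompute it instead of looking it up."""
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token, secret)


def verify_nonce(nonce: str, action: str, user_id: int, session_token: str, now: float,
                 secret: bytes = SECRET) -> int:
    """Return 1 if minted in the current window, 2 if in the previous one, 0 if invalid.

    A nonce bound to another action (e.g. another post ID), another user or another
    session never matches, which is what produces the 403 "Are you sure you want
    to do this?" response described above.
    """
    tick = nonce_tick(now)
    for age, candidate_tick in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(candidate_tick, action, user_id, session_token, secret)
        if hmac.compare_digest(expected, nonce):   # constant-time comparison
            return age
    return 0


def trash_post_action(post_id: int) -> str:
    """Demo action name: binding the post ID into the action is what ties one nonce to one post."""
    return f"trash-post_{post_id}"


def check_form_submission(form: dict, action: str, user_id: int, session_token: str,
                          now: float, secret: bytes = SECRET) -> bool:
    """CSRF check for a posted form: the hidden _wpnonce field must verify for this action."""
    nonce = form.get("_wpnonce", "")
    return verify_nonce(nonce, action, user_id, session_token, now, secret) != 0


if __name__ == "__main__":
    # Constructed timestamp chosen so the window boundaries are easy to follow.
    now = 43200 * 1000 + 100
    user, session = 7, "constructed-session-token"
    nonce = create_nonce(trash_post_action(1337), user, session, now)
    print("nonce for post 1337:", nonce)
    print("same post:        ", verify_nonce(nonce, trash_post_action(1337), user, session, now))
    print("post changed:     ", verify_nonce(nonce, trash_post_action(9100), user, session, now))
    print("12 hours later:   ", verify_nonce(nonce, trash_post_action(1337), user, session, now + 43200))
    print("24 hours later:   ", verify_nonce(nonce, trash_post_action(1337), user, session, now + 86400))
    print("form with field:  ", check_form_submission({"_wpnonce": nonce}, trash_post_action(1337), user, session, now))
    print("form without it:  ", check_form_submission({}, trash_post_action(1337), user, session, now))
```

Because the token is a keyed hash rather than a stored value, there is no table to find in the database; what an attacker would need is the secret key, which is why the keys in wp-config.php must be kept private and rotated if exposed. Rotating them invalidates every outstanding nonce at once, which is the expected side effect.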