Where Are WordPress nonces Stored?

Question

I was trying to figure out where does WordPress store all the nonces. But wasn\'t able to find a clue. I first checked the database but wasn\'t able to find any table named some

Answer 1

Nonces are one-time tokens generated by WordPress to validate various requests, such as adding a comment, deleting a post, removing a user, etc.

They're not stored anywhere, nor do they need to be.

Take the following example; when managing content in WordPress, the Bin link may look something like this:

http://www.example.com/wp-admin/post.php?post=1337&action=trash&_wpnonce=369f188682

However, if you were to try and change the ID of the page/post in the URL to something else (see below), the nonce would no longer be valid, return a 403 error, and display: "Are you sure you want to do this?"

http://www.example.com/wp-admin/post.php?post=9100&action=trash&_wpnonce=369f188682

Adding a hidden _nonce field (take Contact Form 7 as a prime example) is generally good practice when implementing forms into WordPress, as it prevents Cross-Site Request Forgery (CSRF), etc.

Resources:

• WordPress Nonces
• Nonce
• Cross-Site Request Forgery