I know that wp_verify_nonce() is used to make sure that the $_POST is coming from a safe place.

I am developing a WordPress plugin which creates custom lists. In order to do that, the web site owner has to access the plugin settings by logging in to wp-admin on their server.

Is it necessary to use wp_create_nonce() & wp_verify_nonce() if the form can only be accessed after wp-admin login?
- 3 I would argue that because it's in WP Admin the stakes are even higher, and security should be even greater. Imagine if it turned out that the innards of the pentagon were completely insecure and relied on a system of trust, and everyone said "ah but they got through the gates, they have a secure keycard, it's fine!". It'd be a scandal! – Tom J Nowell ♦ Commented Oct 30, 2019 at 22:24
- 2 This is primarily an opinion question, but ditto to Tom's response. It's even more critically important for admin-side submissions. It's not only to verify it's coming from a safe place, but there are some additional reasons. A nonce expires (it's not valid forever), so in a situation where you may return to a link in your admin and it unintentionally was in a data submission state, the expired nonce will prevent you from doing something accidentally - such as deleting users or posts. – butlerblog Commented Oct 30, 2019 at 23:26
1 Answer
2 Yes, nonces should always be used when an authenticated user is triggering an action via a GET/POST request. One of the main purposes of the nonce is to ensure that the current user actually intended to trigger this request. It prevents the security vulnerability known as Cross-Site Request Forgery (CSRF), where an attacker can trick an authenticated user into taking an action they didn't intend to. Checking for a valid nonce prevents this, because the attacker cannot guess the nonce, so they can't forge a form submission request and trick an admin into submitting it.

Note that the attacker doesn't have to have access to the form itself, as your plugin presents it, in order to perform this attack. They can create their own imitation form or trigger the request in another way.
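To make the answer concrete, here is an added example (not code from the question or the answer above) of the same admin-only "create a list" handler written twice: once trusting the login session alone, and once with a capability check plus the nonce pair the question asks about. The `mycl_` prefix, the `mycl_lists` option and the `mycl_save_list` action names are assumptions made for this example; the WordPress functions used (`wp_nonce_field()`, `wp_verify_nonce()`, `current_user_can()`, `admin_post_*` hooks) are the real ones.

```php
<?php
/**
 * Added example, not part of the original question or answer.
 * All "mycl_" names and the "mycl_lists" option are assumptions.
 */

// ---- Vulnerable version: trusts the admin session alone --------------------
// Any page a logged-in administrator visits could contain this imitation form
// (the "attacker can create their own form" case from the answer):
//   <form action="https://example.test/wp-admin/admin-post.php" method="post">
//     <input type="hidden" name="action"    value="mycl_save_list_insecure">
//     <input type="hidden" name="list_name" value="attacker-list">
//   </form><script>document.forms[0].submit()</script>
// The browser attaches the admin's cookies, so the handler below cannot tell
// that request apart from one submitted from the plugin's own settings page.
add_action( 'admin_post_mycl_save_list_insecure', function () {
    $name    = sanitize_text_field( wp_unslash( $_POST['list_name'] ?? '' ) );
    $lists   = get_option( 'mycl_lists', array() );
    $lists[] = $name;
    update_option( 'mycl_lists', $lists );          // attacker-controlled write
    wp_safe_redirect( admin_url( 'options-general.php?page=mycl' ) );
    exit;
} );

// ---- Hardened version ------------------------------------------------------
// Render side: wp_nonce_field() calls wp_create_nonce() internally and emits a
// hidden "mycl_nonce" input (plus _wp_http_referer). The nonce is tied to the
// action string, the current user and the current session token, so a page on
// another origin cannot read or predict it.
function mycl_render_form() {
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <?php wp_nonce_field( 'mycl_save_list', 'mycl_nonce' ); ?>
        <input type="hidden" name="action" value="mycl_save_list">
        <label>List name <input type="text" name="list_name" required></label>
        <?php submit_button( 'Create list' ); ?>
    </form>
    <?php
}

// Handler side. Order matters: the capability check answers "may this user do
// this at all?" (authorization); the nonce check answers "did this user mean
// to do it right now?" (intent / anti-CSRF). Both are needed.
add_action( 'admin_post_mycl_save_list', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'mycl' ), 403 );
    }

    // wp_verify_nonce() returns 1 (first half of the nonce lifetime), 2 (second
    // half) or false. A stale nonce, for example from a bookmarked or re-opened
    // submission, fails here too, which is the accidental-resubmit protection
    // mentioned in the comments. check_admin_referer() wraps this same check
    // and calls wp_die() for you; it is spelled out here to match the question.
    $nonce = sanitize_text_field( wp_unslash( $_POST['mycl_nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'mycl_save_list' ) ) {
        wp_die( esc_html__( 'The link you followed has expired.', 'mycl' ), 403 );
    }

    $name = sanitize_text_field( wp_unslash( $_POST['list_name'] ?? '' ) );
    if ( '' === $name ) {
        wp_die( esc_html__( 'List name is required.', 'mycl' ), 400 );
    }

    $lists   = get_option( 'mycl_lists', array() );
    $lists[] = $name;
    update_option( 'mycl_lists', $lists );

    wp_safe_redirect( add_query_arg( 'mycl_saved', '1', admin_url( 'options-general.php?page=mycl' ) ) );
    exit;
} );
```

Two points worth noting from the hardened handler: the nonce does not replace the `current_user_can()` check (a nonce only proves intent, not permission), and because the nonce is bound to the user's session the forged form in the comment above cannot carry a valid `mycl_nonce` value even though the victim's cookies are sent along with it.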