Nonces on the Front End is a Bad Idea

Here’s a tip! Don’t add nonce fields on the front end of your site for logged-out users. That can cause trouble with page caching plugins, which will serve cached HTML containing the nonce field even after the nonce has expired. Also, nonces don’t really help prevent spam in contact forms and the like, especially for anonymous visitors. Nonces are a security mechanism, not a spam filter.
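A compact model of the two problems above, added here as an example (it is not code from this post or from WordPress itself): it approximates WordPress's tick-based nonce scheme with a constructed secret and shows both why logged-out nonces are identical for every visitor and how a page cache can keep serving a form after its nonce has expired. The secret, action name, session token and timestamps are all constructed.

```python
import hashlib
import hmac
import math

# Constructed secret standing in for WordPress's NONCE_KEY/NONCE_SALT (assumption).
SECRET = b"constructed-nonce-secret"
NONCE_LIFE = 24 * 3600  # seconds; WordPress's default nonce lifetime is one day

def nonce_tick(now, life=NONCE_LIFE):
    """Like wp_nonce_tick(): the nonce clock advances one tick every life/2 seconds."""
    return math.ceil(now / (life // 2))

def nonce_for_tick(tick, action, user_id=0, token=""):
    """Like wp_create_nonce()'s hash of tick|action|user id|session token (10 hex chars).
    Every logged-out visitor has user_id 0 and an empty session token, so they all share one nonce."""
    msg = f"{tick}|{action}|{user_id}|{token}".encode()
    return hmac.new(SECRET, msg, hashlib.md5).hexdigest()[-12:-2]

def create_nonce(action, now, user_id=0, token=""):
    return nonce_for_tick(nonce_tick(now), action, user_id, token)

def verify_nonce(nonce, action, now, user_id=0, token=""):
    """Like wp_verify_nonce(): 1 for the current tick, 2 for the previous one, False otherwise,
    so a nonce stays valid for somewhere between life/2 and life seconds after it was minted."""
    tick = nonce_tick(now)
    for age, candidate in ((1, tick), (2, tick - 1)):
        expected = nonce_for_tick(candidate, action, user_id, token)
        if hmac.compare_digest(nonce, expected):
            return age
    return False

def stale_seconds(rendered_at, cache_ttl, life=NONCE_LIFE):
    """How long a page cache keeps serving HTML whose embedded nonce no longer verifies.
    The nonce minted at rendered_at dies when tick+2 begins; the cache serves until rendered_at+ttl."""
    expiry = (nonce_tick(rendered_at, life) + 1) * (life // 2)
    return max(0, rendered_at + cache_ttl - expiry)

if __name__ == "__main__":
    # Constructed timeline: the contact form is rendered (and cached) 11h59m after the epoch.
    rendered_at = 11 * 3600 + 59 * 60
    anon_a = create_nonce("submit_contact", rendered_at)
    anon_b = create_nonce("submit_contact", rendered_at)
    print("anonymous nonces identical:", anon_a == anon_b)  # True: no anti-spam value
    print("verify at render time:", verify_nonce(anon_a, "submit_contact", rendered_at))  # 1
    print("verify 13h later:", verify_nonce(anon_a, "submit_contact", rendered_at + 13 * 3600))  # False
    print("stale seconds with a 24h cache TTL:", stale_seconds(rendered_at, 24 * 3600))  # 43140
```

With a one-hour cache TTL the same render produces a stale window of 0 seconds, which is why the problem only surfaces when the cache outlives the nonce's remaining ticks.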

About the author

Konstantin Kovshenin

WordPress Core Contributor, ex-Automattician, public speaker and consultant, enjoying life in Moscow. I blog about tech, WordPress and DevOps.

4 comments

  • Would you apply that to ajax requests?

    One of the Automatticians at the VIP Developer Workshop told me that I should always (always) use a security nonce for ajax requests, even for not-logged-in users and requests that do not result in database or filesystem modification.

    It seems to me that the nonce is not needed in such a situation.

    • If you’re doing an ajax request to delete a post or comment (or any other logged-in user activity) you should absolutely use a nonce for security. Even if the page is cached the worst case scenario is an “are you sure you want to do this?” message; front-end editing with P2 is a really good example. However, if you’re doing infinite scroll or some other content gathering through ajax, I’d say it’s okay to drop the nonce. I’d go further and make sure that such a request is always a GET request, so that the server can give me a cached copy if it can do that.

      In any case, nonces for logged out users don’t make much sense to me because they’re the same for every anonymous user (and bot/scraper) that visits the page. I’d say that’s not a valid use of nonces, however, WordPress.com has slightly different caching techniques, and you probably won’t face any of these problems :)

    • That’s a good approach, and I used to think in a similar way, until I spent weeks debugging an issue with Contact Form 7, which places a nonce that is valid for 24 hours, and my cache was set to invalidate every 1 hour. This means that depending on how lucky we are, Contact Form 7 will be useless for logged out users anywhere from 0 to 60 minutes every 24 hours, resulting in weird “spam” errors. I had support requests coming in, but it took me a week to reproduce ;)

      So it’s better to know what you’re doing rather than just nonce-ing everything :)

      Thanks for your comment!