WordPress nonces are wrong and not working?


I really don’t understand what is happening with WordPress nonces, i think they’re wrong, or they’re useless.

I always have troubles working with that nonces, WordPess never been able to check one nonce successfully, i will put here 2 cases in which the nonces aren’t working, in all cases i tried to maken aj AJAX request:


In this case i tried to use wp_rest nonce to verify it:

PHP (plugin.php):



class MyPluginClass {

public static function setup_plugin() {
   add_shortcode("my_shortcode", array(self::class, "my_shortcode_func"));

public my_shortcode_func() {
   // Only add scripts when this shotcode is used

   wp_enqueue_script("my_script", plugin_url("js/myscript.js", __FILE__), [], "1.0");

   wp_localize_script("my_script", "script_data", array(
        "endpoint_url" => rest_url("/my/rest"),
        "endpoint_url2" => rest_url("/my/rest2"),
        "nonce" => wp_create_nonce("wp_rest")






   url: script_data.endpoint_url,
   data: [], // Here is some real data
   type: "post",
   dataType: "json",
   headers: {
     'X-WP-Nonce': script_data.nonce
   success: () => { ... },
   error: () => { ... }

It only works when the user is logged in, but i’m not using users on my website, the only user is admin, so, it doesn’t work for guests users (And i need to works for them), when is a guest user, it returns: rest_cookie_invalid_nonce 403 error PD. I don’t put the code of the ajax functions ’cause it doesn’t even get to run them


So i don’t want to put more code here, but, for this case, in wp_create_nonce function i change the wp_rest string for any_valuestring

In the $.ajax call y delete the headers option, and y pass the nonce in the data option as “nonce_field”, and in my rest functions i do this:

var_dump(check_ajax_referer("any_value", "nonce_field"));

And it always returns false, the nonce never pass, and also happens with:

var_dump(wp_verify_nonce($_POST["nonce_field"], "any_value"));

So the nonce never is true, and i don’t know why, it should be an WordPress issue, i’m using WordPress 5.5 (The most recent version) so i think if it’s always return false then the nonce in WordPress are useless

Or can you help me what i’m doing wrong? Thanks a lot!!!

Carlos Tinnelly 4 months 0 Answers 27 views 0

Leave an answer