Nonce stands for "number used once".
In WordPress, a nonce is a token, a string of letters and digits generated by WordPress, that is used to protect against malicious attacks such as Cross-Site Request Forgery (CSRF). In a CSRF attack, a logged-in user is tricked into clicking a link or submitting a form that makes their browser send a harmful request to your website.
A nonce can be attached to a URL, a form or an AJAX request. When that URL, form or AJAX request is used to perform a task, such as editing or deleting a blog post, the nonce is checked. If it is present and valid, the action is carried out; otherwise the action is aborted and treated as an attack.
By default a nonce is valid for 12-24 hours, but this lifetime can be changed via code.
There are two aspects to a nonce – creation and verification.
A nonce can be created in different ways (while submitting a form):
A nonce can be verified in these ways (after submitting a form):
- Using wp_verify_nonce() function
- Using check_admin_referer() function
- Using check_ajax_referer() function
If you are a developer, refer to the examples on nonce creation and verification. Otherwise, all you need to know is that nonces are used to secure form submissions (for example, submitting a blog post or editing a comment) in WordPress.
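Creation and verification of a nonce for a form (with `check_admin_referer()`) and for an AJAX request (with `check_ajax_referer()`) in one minimal plugin, as an added example that is not part of the original article. The action, field and option names are constructed for the example; the functions called are WordPress core APIs and run only inside WordPress.

```php
<?php
// Added example, not from the original article: a minimal WordPress plugin
// showing nonce creation and verification for a form and an AJAX request.
// Action, field and option names are constructed; the APIs are WordPress core.

// Creation: render a form carrying a nonce bound to the action "demo_save_note".
function demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_note">';
    wp_nonce_field( 'demo_save_note', 'demo_nonce' ); // hidden field named "demo_nonce"
    echo '<input type="text" name="note">';
    submit_button( 'Save note' );
    echo '</form>';
}

// Verification: admin-post.php handler for the form above.
function demo_handle_save_note() {
    // Stops with an "expired link" error unless the nonce is present, matches the
    // action and user, and is within its lifetime; wraps wp_verify_nonce(), which
    // returns 1 (0-12 h old), 2 (12-24 h old) or false.
    check_admin_referer( 'demo_save_note', 'demo_nonce' );
    // A nonce proves the request came from our form, not that the user may act:
    // the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    update_option( 'demo_note', sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() );
    exit;
}
add_action( 'admin_post_demo_save_note', 'demo_handle_save_note' );

// AJAX: hand the nonce to the browser script, then check it in the handler.
function demo_localize_ajax_nonce() {
    wp_localize_script( 'jquery', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_delete_note' ), // sent back as "security"
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_localize_ajax_nonce' );

function demo_ajax_delete_note() {
    // Reads $_REQUEST['security']; on failure replies -1 with HTTP 403 and exits.
    check_ajax_referer( 'demo_delete_note', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'demo_note' );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_delete_note', 'demo_ajax_delete_note' );
```

The browser-side script is assumed to POST `action=demo_delete_note` together with `security=demoAjax.nonce` to `demoAjax.url`.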