Send by LINE
B! Bookmarks in Hate-bu
Bookmarks in Pocket
RSS feeds

WordPress: Secure communication with Ajax

Other language site
No available translations found
Google Translate
WordPress logo

It is a method of performing secure communication with WordPress Ajax. It can be easily implemented by using a nonce.

What is nonce?

A nonce is a disposable random value. Use this to verify that the server received a legitimate http / https request.

WordPress uses this nonce like a one-time password. Actually, it has a validity period (default 1 day), and random value is changed when expiration time has passed.

Detailed content is explained on the WordPress site.

Implementation is also simple. Let's see how to actually implement it.

Sample code is based on the posting of "Use Ajax with WordPress administration screen (plugin)". If you do not know how to implement Ajax in WordPress, we recommend that you refer to it once.


Register queue of js file

Add random value of generated nonce to wp_localize_script () parameter.

$ajax = [
    'ajax_url' => admin_url('admin-ajax.php'),
    'check_nonce' => wp_create_nonce('ajax-nonce')
wp_localize_script('js_handle_name', 'localize', $ajax);

Contents of js file

Next, to send the value of nonce with http / https request, add it to the content of js file.

function clearCacheSnsCount() {
        type: "POST",
        url: localize.ajax_url,
        dataType: 'text',
        data: {
            action: 'clear_cache',
            check_nonce: localize.check_nonce
    }).done(function(data, textStatus, jqXHR) {
    }).fail(function() {
        outputMsg('cache clear error!!');

Send http / https request with check_nonce query with nonce value.

Server processing (php)

The following function is the content of processing when receiving a request sent with ajax.

function clear_cache() {
    $cache_file = '../cache/11111111111111111.cache';
    $success = __('Complete clear cache');
    $error = __('Clear cache failer');
    $result = '';

    if ( ! check_ajax_referer( 'clear_cache', 'check_nonce', false ) ) {
        echo $error;

    if ( ! check_admin_referer( 'clear_cache', 'check_nonce' ) ) {
        echo $error;

    if(file_exists($cache_file)) {
        if(unlink($cache_file)) {
            $result = $success;
        } else {
            $result = $error;
    } else {
        $result = $success;
    echo $result;
add_action('wp_ajax_clear_cache', 'clear_cache');

check_ajax_referer () checks the nonce value for Ajax communication. If the contents do not match, false is returned.

check_admin_referer () checks the nonce value for the management screen. It is used when implementing Ajax on WordPress management screen.

For the parameter, specify the value of the action used for Ajax communication and the name of the query variable storing the nonce.

There is also a function wp_verify_nonce () for normal http / https requests.


In WordPress, nonce has validity period, so it is not exactly one-time password, it can be said that it is less secure than this one. However, you can change the validity period setting.

For example, to change the validity period to 4 hours, define it as functions.php and so on as follows.

add_filter( 'nonce_life', function () { return 4 * HOUR_IN_SECONDS; } );

Leave a Reply