taya777link.REGISTER NOW GET FREE 888 PESOS REWARDS!

Why does WP not include coding for including nonces for inline scripts?

jamminjames — Thu, 26 Dec 2024 22:21:21 +0000

I’ve had to resort to using the CSP-ANTS&ST plugin to include nonces for inline scripts, however, it has not been updated. But something like this plugin should be standard with WordPress, I believe. It has been recommended for years that websites include nonces for scripts for CSP. And yet, WordPress provides nothing. Shouldn’t this be built in?

The CSP-ANTS&ST plugin seems to work very well, and it is very simple. Why can’t WP do something even better to help with this very basic security need?

Nonces to authorize inline scripts

jamminjames — Thu, 12 Dec 2024 22:16:37 +0000

In the plugin description, you say, “You can use hashes or nonces to authorize inline scripts.” Does that mean this plugin will help set that up, or is it just a general statement that people can do this?

WordPress really ought to set up nonces (or hashes) for all their inline scripts, and a system to use them. Do you know if that is in the works? Or if there is a plugin that will do this, if yours doesn’t?

If your plugin does help set up hashes or nonces to authorize inline scripts, please point me to instructions for getting this going.

Thanks!

Nonce verification broken again in ACF 6.3.10, but I have a fix

justinmaurerdotdev — Fri, 15 Nov 2024 20:17:42 +0000

In ACF 6.3.10, more changes were made to how AJAX requests are verified, which break acf-multiple-taxonomy‘s AJAX verification implementation.

If anyone comes here looking for a fix, I have submitted a PR that resolves the issue.

A 10 hour period for cache purging and nonce lifespan

Jack — Sat, 04 Mar 2023 18:40:07 +0000

Hello,

I was using Disk: Enhanced as the method for the page caching, and after around 24 hours I was getting nonce invalid issues. I cleared the cache and it returned to normal.

I’m assuming there might have been an issue where the cached page had expired nonces.

To help at this not happening I’ve placed this code inside a custom plugin of mine:

// Schedule the cache purge to run every 10 hours
add_action( 'wp', function() {
    if ( ! wp_next_scheduled( 'my_purge_w3tc_cache' ) ) {
        wp_schedule_event( time(), 'every_10_hours', 'my_purge_w3tc_cache' );
    }
} );

// Define the "every_10_hours" time interval
add_filter( 'cron_schedules', function( $schedules ) {
    $schedules['every_10_hours'] = array(
        'interval' => 36000, // 10 hours in seconds
        'display'  => __( 'Every 10 hours' ),
    );
    return $schedules;
} );

function my_purge_w3tc_cache() {
    if ( function_exists( 'w3tc_flush_all' ) ) {
        w3tc_flush_all();
    }
}

The code creates a cron job to purge the cache every 10 hours.

My question is, even using the regular cache lifespan built in the plugin, isn’t invalid nonces a matter of probability.

Lets say a nonce lasts 24 hours, with my 10 hour interval this scenario could occur:

Nonce |————————|————————|————————|
Purge |———-|———-|———-|———-|———-|———-|———-|

After the third purge, the cache will be left with the first generated nonce, but after less than 4 hours the nonce will no longer be valid and the cache will remain with the invalid nonce for another 6 hours or more.

What is the solution to this?

EDIT: Another option would be to purge the page and reload in case the user failed a nonce:

function wp_verify_nonce_failed_clean_cache($nonce, $action, $user, $token){

    global $post;
    $current_page_id = $post->ID;

	if($current_page_id && !$user->ID){
		w3tc_flush_post( $current_page_id );
		wp_redirect( get_permalink() );
		exit;
	}

}
add_action( 'wp_verify_nonce_failed', 'wp_verify_nonce_failed_clean_cache', 10, 4 );

Thank you.

WordPress nonces for not-logged-in users for security reason?

lolamax — Sat, 27 Nov 2021 07:59:53 +0000

I was reading the following article: https://konstantin.blog/2012/nonces-on-the-front-end-is-a-bad-idea/ which raises some questions. In the comments it’s told that:

One of the Automatticians at the VIP Developer Workshop told me that I should always (always) use a security nonce for ajax requests, even for not-logged-in users and requests that do not result in database or filesystem modification.

My theme uses an ajax modal login / registration form in the frontend, where a nonce verification is implemented for the registration process – but not for the login one. Does that really make sense?

Even wordpress does not use nonces for login / registration in wp-login.php. Woocommerce on the other hand does use nonces in the login / registration forms. This is really confusing – what is the best practice – the wordpress- or the woocommerce way? From a security point of view, does it make sense at all to use nonces for not-logged-in users in the login / registration process?

__litespeed_var_2__ is not defined

brateanu — Fri, 20 Aug 2021 07:41:39 +0000

Hi,

Three days ago I discovered that the ESI it’s not properly working, even I have untouched the ESI nonces added in the plugin 6 months ago.

ESI nonces:
load_more_posts private
load_more_clienti private

I have int he console the following error:
Uncaught ReferenceError: __litespeed_var_2__ is not defined
and also for above mentioned ESI nonces I have 403 errors for the admin ajax calls.

Nonce management?

Ambyomoron — Mon, 22 Mar 2021 10:55:59 +0000

I note that the database table ‘seasp_site_settings’ contains a column called ‘nonce_enabled’. I don’t see where the plugin manages nonces. For what purpose does this column serve?

It was working and now… Couldn′t verify submission – try reloading

amyhall — Wed, 04 Nov 2020 05:23:55 +0000

The plugin was working but suddenly in the popup if you try to subscribe the message appears on the button “Couldn′t verify submission – try reloading”.

I did some Googleing and saw that it could be a nonce/caching issue. We’re using WPRocket on this site. But I’m unclear how to exclude the form/Optin Cat from nonces.

What steps do I need to take to fix this?

Helpful ‘s Nonces Validity

aayanrocks15 — Thu, 23 Jul 2020 15:05:15 +0000

I am using Wp-Rocket and Cloudflare’s HTML caching to speed up my TTFB.

I have been using Helpful for 1 day now and received several useful feedback from my site’s visitor.

However, I also noticed that Helpful stops working after a few hours. After some digging, I found that Helpful needs new Nonces once the previous one is expired, I can be wrong about this.

According to this link, WordPress nonce is valid for 24 hours by default but unsure whether Helpful has set a different validity for the nonce.

Can you tell me what nonce validity Helpful follows so that I can change the TTL of Wp-Rocket and Cloudflare’s cache?

nonces and forbidden error

ofer — Mon, 29 Jun 2020 15:29:23 +0000

My page displays a prohibited error due to invalidation of the nonce code.
I got in touch with my wp-rocket cache plugin and was told that: you can contact the developer of Rate-my-Post-WP-Rating plugin to support caching via AJAX-ed via a JS.