• I was reading the following article: https://konstantin.blog/2012/nonces-on-the-front-end-is-a-bad-idea/ which raises some questions. In the comments it is said that:

    One of the Automatticians at the VIP Developer Workshop told me that I should always (always) use a security nonce for ajax requests, even for not-logged-in users and requests that do not result in database or filesystem modification.

    My theme uses an ajax modal login / registration form in the frontend, where a nonce verification is implemented for the registration process – but not for the login one. Does that really make sense?

    Even wordpress does not use nonces for login / registration in wp-login.php. Woocommerce on the other hand does use nonces in the login / registration forms. This is really confusing – what is the best practice – the wordpress- or the woocommerce way? From a security point of view, does it make sense at all to use nonces for not-logged-in users in the login / registration process?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator bcworkz

    (@bcworkz)

    There are few absolutes in security. It’s a trade-off between difficulty and benefits gained. It’s “better” to use a nonce to help ensure the data is coming from your own form. In some cases the security gained would be so minimal that it wouldn’t matter much. If you make the effort anyway, there’s no harm in it. Rather than following “rules” you read here and there, it’s better to actually understand the security implications and consequences and act accordingly in a specific situation. Granted, easier said than done. Security is an ever-evolving topic. Lacking such understanding, better safe than sorry is a reasonable approach.

    Thread Starter lolamax

    (@lolamax)

    Thank you for the reply. I understand that there are few absolutes in security, and my intention in asking this question is to learn to understand the security implications and consequences. Just to understand better: what is the reason that WordPress does not use nonces in the login / registration and comment forms?

    Moderator bcworkz

    (@bcworkz)

    Fair question. I wish I knew for sure. If someone has any insight I hope they’ll contribute an answer. I can only assume the devs felt the security implications were not important enough in those particular situations. Note that there are cookie values passed that are very nonce-like. I don’t know if these are verified or not. If so, they could serve the same intent as a nonce.

    Thread Starter lolamax

    (@lolamax)

    Regarding the cookie values you mentioned: I do not see any cookies (except wordpress_test_cookie) on the wp-login.php pages when the user is not logged in. Or am I wrong?

    Moderator bcworkz

    (@bcworkz)

    You’re right, nm. What I saw turns out to be a WooCommerce cookie. So without any kind of security token one could login from elsewhere without using the form. It can make brute force attacks easier to accomplish. I suppose we’re simply relying on users using good strong passwords for security.

    WP core does tend to leave more aggressive security measures to plugin devs, such as nonces and limiting login attempts.
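    To make the discussion concrete, here is an added example (not code from this thread, from WordPress core or from WooCommerce) of a front-end AJAX login handler for logged-out visitors that verifies a nonce before calling wp_signon(). The action name demo_login, the nonce action demo_login_nonce, the script handle demo-frontend and the JS object demoAjax are made-up names for this example; the field names log, pwd and rememberme are the ones wp_login_form() uses.

```php
<?php
// Added example, not from the thread or WordPress core. Hypothetical names:
// 'demo_login', 'demo_login_nonce', 'demo-frontend', 'demoAjax'.

// wp_ajax_nopriv_ is what makes the endpoint reachable without a login.
add_action( 'wp_ajax_nopriv_demo_login', 'demo_ajax_login' );

function demo_ajax_login() {
    // Verify the nonce sent in the 'nonce' request field against the
    // 'demo_login_nonce' action; on failure WordPress stops with a 403.
    check_ajax_referer( 'demo_login_nonce', 'nonce' );

    // Caveat: for a logged-out visitor the nonce is derived from user ID 0 and
    // an empty session token, so it is the same for every visitor for its
    // lifetime (12 to 24 hours). It shows the request came from a page this
    // site rendered (cross-site request forgery protection); it does not
    // identify the visitor and does not by itself limit login attempts.
    $creds = array(
        'user_login'    => isset( $_POST['log'] ) ? sanitize_user( wp_unslash( $_POST['log'] ) ) : '',
        'user_password' => isset( $_POST['pwd'] ) ? (string) wp_unslash( $_POST['pwd'] ) : '',
        'remember'      => ! empty( $_POST['rememberme'] ),
    );

    $user = wp_signon( $creds, is_ssl() );
    if ( is_wp_error( $user ) ) {
        // One generic message: do not reveal whether the username or the
        // password was the wrong part.
        wp_send_json_error( array( 'message' => 'Login failed.' ), 401 );
    }
    wp_send_json_success( array( 'redirect' => home_url( '/' ) ) );
}

// Render the nonce into the page along with the admin-ajax URL so the modal
// form can submit it; the nonce is created when the site serves the page.
add_action( 'wp_enqueue_scripts', 'demo_enqueue_frontend' );
function demo_enqueue_frontend() {
    wp_enqueue_script(
        'demo-frontend',
        get_stylesheet_directory_uri() . '/js/demo-frontend.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-frontend', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_login_nonce' ),
    ) );
}
```

    The front-end script is expected to POST action=demo_login, nonce=demoAjax.nonce and the log/pwd/rememberme fields to demoAjax.url; a request missing or forging the nonce never reaches wp_signon().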

    I cannt topic to share, cannt helps me

  • The topic ‘WordPress nonces for not-logged-in users for security reason?’ is closed to new replies.