What is a nonce?
In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
Wikipedia
What if I tell you that WordPress nonce is not a nonce?
Like some other things in WordPress (I’m looking at you, cron jobs), WordPress nonces are not real nonces.
Unlike a traditional nonce, a WordPress nonce can be used any number of times within its limited lifetime, and with the default settings that lifetime is anywhere between 12 hours plus 1 second and 24 hours. To measure the nonce lifespan, WordPress splits the time since the Unix epoch (1 January 1970) into 12-hour periods, half of the default 24-hour nonce life (the `nonce_life` filter changes it). Each period is “a tick”, and every nonce gets two ticks to rock the world: the tick it was created in and the one after it.
The function that validates the nonce, wp_verify_nonce(), tells you which of those two ticks the nonce is currently in:
- 1 for the first 12h of the nonce’s life (the current tick matches the one the nonce was created in)
- 2 for the second 12h of the nonce’s life (the nonce was created in the previous tick)
- false for a nonce that is no longer valid (or never was).
The nonce will live a total of 24 hours only if it’s created at the very beginning of the tick. However, if it’s created at the very end of the tick, it can live just a second longer than 12 hours.
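To see exactly where those 12h-plus-1-second and 24h boundaries come from, here is a small Python model of the tick arithmetic. It is an added example, not WordPress code: wp_nonce_tick() is reproduced as ceil(time / (nonce_life / 2)), and wp_verify_nonce()'s "current tick, then previous tick" check is reproduced as written, but the hash itself is a stand-in (HMAC-SHA256 over the same `tick|action|uid|token` string, sliced the way WordPress slices its wp_hash() output) with a constructed secret in place of the real nonce salt.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60   # WordPress default: DAY_IN_SECONDS
TICK = NONCE_LIFE // 2      # 12-hour ticks

# Constructed stand-in for wp_salt('nonce'); not a real key.
SECRET = b"constructed-example-nonce-salt"


def nonce_tick(now: int) -> int:
    """Model of wp_nonce_tick(): ceil(time() / (nonce_life / 2))."""
    return math.ceil(now / TICK)


def nonce_hash(tick: int, action: str, uid: int, token: str) -> str:
    """Stand-in for the WordPress hash. WordPress runs wp_hash() on the same
    'tick|action|uid|token' string and keeps hex characters -12..-2 of the
    result; here HMAC-SHA256 is used instead of the real salted hash."""
    msg = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(now: int, action: str, uid: int = 1, token: str = "sess") -> str:
    """Model of wp_create_nonce(): bind the nonce to the tick it is created in."""
    return nonce_hash(nonce_tick(now), action, uid, token)


def verify_nonce(nonce: str, now: int, action: str, uid: int = 1, token: str = "sess"):
    """Model of wp_verify_nonce(): 1 for the current tick, 2 for the previous
    tick, False otherwise. Constant-time compares, as WordPress also does."""
    tick = nonce_tick(now)
    if hmac.compare_digest(nonce, nonce_hash(tick, action, uid, token)):
        return 1
    if hmac.compare_digest(nonce, nonce_hash(tick - 1, action, uid, token)):
        return 2
    return False


def lifetime(created: int, action: str = "demo") -> int:
    """Seconds from creation to the last second the nonce still verifies.

    The nonce is accepted while the current tick is T or T+1, where T is the
    creation tick, so the last valid second is the end of tick T+1. The
    boundary is double-checked against verify_nonce() rather than trusted."""
    nonce = create_nonce(created, action)
    last_ok = (nonce_tick(created) + 1) * TICK
    assert verify_nonce(nonce, last_ok, action) == 2
    assert verify_nonce(nonce, last_ok + 1, action) is False
    return last_ok - created


if __name__ == "__main__":
    start_of_tick = 100 * TICK + 1   # first second of tick 101
    end_of_tick = 101 * TICK         # last second of tick 101
    print("created at start of a tick, lives for", lifetime(start_of_tick), "s")
    print("created at end of a tick, lives for", lifetime(end_of_tick), "s")
    n = create_nonce(start_of_tick, "demo")
    for now in (start_of_tick, 101 * TICK + 1, 102 * TICK + 1):
        print("verify at", now, "->", verify_nonce(n, now, "demo"))
```

A nonce created in the first second of a tick lives 86399 seconds (a whisker under 24h), while one created in the last second of a tick lives 43200 seconds, which is 12 hours, or 12 hours plus 1 second if you also count the second it was created in. The same nonce verifies as 1, then 2, then false as the clock crosses the two tick boundaries, and a nonce for one action never verifies for another.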