Finally, we want to add a layer of security to our plugin. We will use nonces similar to those in the Live Blogroll plugin.
Edit the wp-wall-widget.php file and add a nonce to the form using wp_nonce_field():
<form action="<?php echo $wp_wall_plugin_url . '/wp-wall-ajax.php'; ?>" method="post" id="wallform">
    <?php wp_nonce_field( 'wp-wall' ); // prints hidden _wpnonce and _wp_http_referer fields tied to the 'wp-wall' action ?>
    <?php if ( $user_ID ) : ?>
Add the check for the nonce in the wp-wall-ajax.php file:
if ( isset( $_POST['submit_wall_post'] ) ) {
    // security check: stops the request unless it carries a valid 'wp-wall' nonce
    check_ajax_referer( 'wp-wall' );
    $options = get_option( 'wp_wall' );
Adding nonces is the standard WordPress defence against CSRF attacks on our plugins.
The wp_nonce_field() function generates the nonce and embeds it in the form as a hidden field (named _wpnonce by default). In the Ajax handler script, check_ajax_referer() verifies that the submitted nonce matches the same action name; if the nonce is missing, invalid or expired, the function terminates the request with wp_die() before any of our code runs. Note that a valid nonce only proves the request came from a form WordPress rendered for this user; it does not replace a capability check on what that user is allowed to do.
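To show the two halves working together, here is an added example of a complete form/handler pair built on wp_nonce_field() and check_ajax_referer(). It is not the book's or the plugin's code: the function names, the field names wall_post and submit_wall_post, and the capability edit_posts are assumptions chosen for illustration; only the action name 'wp-wall' and the option key 'wp_wall' come from the text above.

```php
<?php
// Added example, not the plugin's own code. Assumed (hypothetical) names:
// wp_wall_example_* functions, the form fields wall_post / submit_wall_post,
// and the capability 'edit_posts'. Requires WordPress to be loaded.

// --- Rendering side (e.g. inside the widget output) ------------------------
function wp_wall_example_render_form( $ajax_url ) {
    // wp_nonce_field() prints a hidden input named _wpnonce (plus _wp_http_referer)
    // bound to the action 'wp-wall' and to the current user's session.
    ?>
    <form action="<?php echo esc_url( $ajax_url ); ?>" method="post" id="wallform">
        <?php wp_nonce_field( 'wp-wall' ); ?>
        <textarea name="wall_post" rows="3"></textarea>
        <input type="submit" name="submit_wall_post" value="Post" />
    </form>
    <?php
}

// --- Receiving side (the Ajax handler) ------------------------------------
function wp_wall_example_handle_post() {
    if ( ! isset( $_POST['submit_wall_post'] ) ) {
        return; // not our form submission
    }

    // 1. CSRF: the request must carry a nonce issued for the 'wp-wall' action.
    //    By default check_ajax_referer() reads _wpnonce (or _ajax_nonce) and,
    //    on a missing, wrong or expired nonce, stops the request with wp_die().
    check_ajax_referer( 'wp-wall' );

    // 2. Authorization: the nonce only proves the request originated from a
    //    form WordPress rendered for this user; it says nothing about what the
    //    user may do, so the capability is checked separately.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input handling: the post body is untrusted user input.
    $text = isset( $_POST['wall_post'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['wall_post'] ) )
        : '';
    if ( '' === $text ) {
        wp_die( 'Empty post', '', array( 'response' => 400 ) );
    }

    $options = get_option( 'wp_wall' );
    // ... store $text according to $options, then reply to the Ajax caller ...
    wp_send_json_success( array( 'stored' => $text ) );
}
```

The order of the three checks matters: the nonce check runs first so that a forged cross-site request is rejected before any state is read, the capability check then decides whether this particular user may post at all, and only after both pass is the submitted text sanitised and stored.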