Nonce is used for security purposes to protect against unexpected or duplicate requests that could cause undesired permanent or irreversible changes to the web site and particularly to its database. Specifically, a nonce is an one-time token generated by a web site to identify future requests to that web site. When a request is submitted, the web site verifies if a previously generated nonce expected for this particular kind of request was sent along and decides whether the request can be safely processed, or an notice of failure should be returned. This could prevent unwanted repeated, expired or malicious requests from being processed.
Nonce is usually included in a hidden HTML form field or as a part of an URL and therefore sent with a request by submitting a form field or visiting a link. If a request is not verified, the web site could generate a new nonce in its response and prompt the user to intentionally confirm the repetition of the request. In WordPress, the response message is "Are you sure you want to do this?" by default.
- Related articles: WordPress Nonces