Make WordPress Core

Opened 5 months ago

Last modified 3 months ago

#50510 new enhancement

Improve security of wp_nonce implementation

Reported by: chaoix
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: reporter-feedback
Focuses:
Cc:

Description

The current wp_nonce implementation is a little outdated and should be improved. While nonces aren't security, a strong nonce implementation can provide some security against form field manipulation.

I have attached a mu-plugin I wrote to test a new nonce algorithm. I will convert it to a patch if there is interest in improving this in core. I have been running this mu-plugin on several high traffic sites I manage with no issues for over 6 months now.
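For readers who want to see what the ticket is asking to harden, the following is an added example, not core's code and not the attached mu-plugin. It is a self-contained model that follows the shape of core's wp_create_nonce()/wp_verify_nonce() (tick|action|uid|token run through a keyed hash, a window of digest characters kept, the current or previous tick accepted, hash_equals for the comparison) so the lifecycle can be exercised outside WordPress. Assumptions: a constructed secret stands in for wp_salt('nonce'), the user id and session token are passed in rather than read from the logged-in user, the clock is passed in so expiry can be tested, and HMAC-SHA256 is used where core's wp_hash() uses HMAC-MD5; the class name NonceModel and every input value are made up for this example.

```php
<?php
declare(strict_types=1);

// Added example: a self-contained model of the WordPress nonce lifecycle.
// It is NOT core's code and NOT the attached mu-plugin. It mirrors the shape of
// wp_create_nonce()/wp_verify_nonce() so the mechanism can be run outside WordPress.
// Assumptions: constructed secret instead of wp_salt('nonce'); uid and session token
// passed in explicitly; injected clock; HMAC-SHA256 where core's wp_hash() is HMAC-MD5.
final class NonceModel
{
    public function __construct(
        private string $secret,           // stands in for wp_salt('nonce')
        private int $nonceLife = 86400,   // core's default lifetime (DAY_IN_SECONDS)
        private int $outputLength = 10    // core keeps 10 hex characters of the digest
    ) {
    }

    // Same shape as wp_nonce_tick(): the tick advances every nonceLife/2 seconds,
    // so with the defaults a nonce is accepted for somewhere between 12 and 24 hours.
    public function tick(int $now): int
    {
        return (int) ceil($now / ($this->nonceLife / 2));
    }

    // Keyed digest over tick|action|uid|token, truncated to the kept window.
    private function digest(int $tick, string $action, int $uid, string $token): string
    {
        $mac = hash_hmac('sha256', $tick . '|' . $action . '|' . $uid . '|' . $token, $this->secret);
        return substr($mac, -12, $this->outputLength);
    }

    public function create(string $action, int $uid, string $token, int $now): string
    {
        return $this->digest($this->tick($now), $action, $uid, $token);
    }

    // Same contract as wp_verify_nonce(): 1 = minted in the current tick,
    // 2 = minted in the previous tick, false = wrong action/user/session, tampered, or expired.
    public function verify(string $nonce, string $action, int $uid, string $token, int $now): int|false
    {
        if ($nonce === '') {
            return false;
        }
        $tick = $this->tick($now);
        if (hash_equals($this->digest($tick, $action, $uid, $token), $nonce)) {
            return 1;
        }
        if (hash_equals($this->digest($tick - 1, $action, $uid, $token), $nonce)) {
            return 2;
        }
        return false;
    }
}

// Constructed inputs: none of these are real site values.
$model = new NonceModel('constructed-secret-not-a-real-salt');
$uid   = 7;
$token = 'constructed-session-token';
$t0    = 1700000000;                       // arbitrary instant, not on a tick boundary
$nonce = $model->create('delete-post_42', $uid, $token, $t0);

// Flip the first character so the tampered nonce differs in exactly one position.
$tampered = substr_replace($nonce, $nonce[0] === 'a' ? 'b' : 'a', 0, 1);

$cases = [
    'same tick, same action/user/session' => $model->verify($nonce, 'delete-post_42', $uid, $token, $t0),
    '12h later (previous tick)'           => $model->verify($nonce, 'delete-post_42', $uid, $token, $t0 + 43200),
    '24h later (expired)'                 => $model->verify($nonce, 'delete-post_42', $uid, $token, $t0 + 86400),
    'other action'                        => $model->verify($nonce, 'delete-post_43', $uid, $token, $t0),
    'other user'                          => $model->verify($nonce, 'delete-post_42', 8, $token, $t0),
    'new session token (re-login)'        => $model->verify($nonce, 'delete-post_42', $uid, 'other-token', $t0),
    'one character altered'               => $model->verify($tampered, 'delete-post_42', $uid, $token, $t0),
];

foreach ($cases as $label => $result) {
    printf("%-40s %s\n", $label, var_export($result, true));
}
```

Run with `php nonce-model.php` (any file name; PHP 8.0 or later for the union return type). The first case prints 1, the second 2, and every other case false. The model makes the three knobs a hardening proposal would have to talk about explicit: the digest function behind wp_hash(), the number of digest characters kept (10 hex characters is 40 bits), and the tick length that bounds how long a captured nonce stays valid. Rotating the session token on login already invalidates every nonce issued under the old token, which is why the token is part of the hashed input.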

Attachments (1)

secure-wp-nonces.php (3.2 KB) - added by chaoix 5 months ago.
Secure WP Nonces mu-plugin


Change History (4)

@chaoix
5 months ago

Secure WP Nonces mu-plugin

#1 @johnbillion
5 months ago

  • Component changed from General to Security
  • Keywords reporter-feedback added

Thanks for the ticket @chaoix.

Can you provide some information about the algorithm and the changes you've made from core's current implementation please? What aspects make it more secure? Do you have any test coverage? etc.

Thanks

#2 @knutsp
3 months ago

I have tested the attached plugin for a month on four sites. No issues observed, except that it reports undefined variable $value in line 40.

#3 @johnbillion
3 months ago

@chaoix Any update on the above? This is a mystery change without more information from you :-)
