wp_verify_nonce() is a WordPress function that is used to verify that a nonce (number used once) is valid. It takes two parameters: the nonce value and the action that the nonce is associated with. If the nonce is valid, the function returns true; otherwise, it returns false.
wp_nonce_url() is a function that creates a nonce and appends it to a URL as a query string. It takes two parameters: the URL and the action that the nonce is associated with.
If wp_verify_nonce() is always returning false when using a nonce created via wp_nonce_url(), the most likely cause is that the action passed to wp_verify_nonce() does not match the action passed to wp_nonce_url().
Another cause could be that the nonce is already expired, WordPress nonce have a lifespan of 24 hours, after that they will be invalid.
It is also possible that the nonce may have been tampered with or modified in some way, which would cause it to no longer be valid.
To fix this issue, you should make sure that the action passed to wp_verify_nonce() matches the action passed to wp_nonce_url(). Also, you should check if the nonce is still valid, if not create a new one.
Here is an example:
$url = wp_nonce_url( 'http://your-site.com/some-page', 'some_action' ); $result = wp_verify_nonce( $_REQUEST['_wpnonce'], 'some_action' );
In this example, the action passed to wp_nonce_url() is “some_action”, and the action passed to wp_verify_nonce() is also “some_action”.
It is also recommended to check for the nonce in the URL first before using it in verify_nonce function, as the nonce could have been tampered with or modified.
Last modified: January 18, 2023