
riccardooliva91/wp-customize-nonce
==================================

A WordPress plugin which allows you to customize the nonce generation and validation.

Version 1.0.0, MIT license, PHP >= 7.1. [Source](https://github.com/riccardooliva91/wp-customize-nonce) | [Packagist](https://packagist.org/packages/riccardooliva91/wp-customize-nonce)

WP Customize Nonce
==================

A WordPress plugin which allows you to customize the nonce generation and validation, sticking close to the original structure defined in the core.

This plugin replaces the pluggable functions `wp_create_nonce` and `wp_verify_nonce`, and it is completely configurable by defining constants. Read on for details.

Requirements
------------

- **PHP**: >= 7.1;
- **WP**: >= 4.0.0

Installation
------------

Right now it is not available in the official WP plugins repository. At the current stage the preferred method to install this plugin is **via [Composer](https://getcomposer.org/)**:

```
composer require riccardooliva91/wp-customize-nonce
```

If you are using some WP boilerplate (such as [Bedrock](https://roots.io/bedrock/)) you should launch this command in your root folder, and the autoloader will do the rest. In case you are cloning this repository manually instead, be sure to make Composer generate the autoloader for you in the plugin's folder:

```
cd wordpress-customize-nonce
composer install --no-dev
```

Configuration
-------------

This plugin's functionality is managed entirely by defining constants.

The two main "chunks" of the nonces you'll get to customize are the **UID** and the **session token**, both of which have their own sets of constants. The preferred location to define them is the `wp-config.php` file.

### Generation strategy

The `WCN_UID_METHOD` and `WCN_TOKEN_METHOD` constants define the generation strategy for the UID and the session token respectively:

```
define( 'WCN_UID_METHOD', 'default' );
define( 'WCN_TOKEN_METHOD', 'default' );
```

Please note that **the UID and token generation strategies** are not tied together: each can be generated and validated with a different strategy.

There are several possible values; some of them require the definition of an additional constant:

- `default`: default WP behaviour;
- `ip`: uses the `HTTP_X_REAL_IP` value in the `$_SERVER` global;
- `none`: skips this chunk in both the nonce generation and validation;
- `url_param`: uses a **GET** parameter of your choice for both the generation and validation.
    - If you choose this approach, be sure to define the `WCN_UID_URL_PARAMETER_NAME` or `WCN_TOKEN_URL_PARAMETER_NAME` based on your needs:

    ```
    define( 'WCN_UID_URL_PARAMETER_NAME', 'param_name' );
    define( 'WCN_TOKEN_URL_PARAMETER_NAME', 'param_name' );
    ```
- `cookie`: uses a cookie value for both the generation and validation.
    - If you choose this approach, be sure to define the `WCN_UID_COOKIE_NAME` or `WCN_TOKEN_COOKIE_NAME` based on your needs:

    ```
    define( 'WCN_UID_COOKIE_NAME', 'cookie_name' );
    define( 'WCN_TOKEN_COOKIE_NAME', 'cookie_name' );
    ```
- `fixed`: uses a fixed value of your choice.
    - If you choose this approach, be sure to define the `WCN_UID` or `WCN_TOKEN` based on your needs:

    ```
    define( 'WCN_UID', 'my_value' );
    define( 'WCN_TOKEN', 'my_value' );
    ```

    Setting those constants to `null` will have the same result as the `none` approach.

### Optional customizations

There is a set of constants which you can define if you want to dig deep into the customization process. None of this is mandatory.

### Validate older nonces

By default, WordPress validates nonces for up to 24 hours (customizable as stated [in the Codex](https://codex.wordpress.org/WordPress_Nonces)). If a nonce is up to 12 hours old, `wp_verify_nonce` will return `1`, and it will return `2` if the nonce is between 12 and 24 hours old. If you wish, you can disable the validation of nonces of "type `2`" by defining the following constant:

```
define( 'WCN_VALIDATE_OLD_NONCES', false );
```

### Change the nonce schema

By default, WordPress hashes the string that will be used as nonce with the `NONCE_KEY` defined in `wp-config.php`. If you defined one of your own, or for some reason you want to use another one, you can do so by defining:

```
define( 'WCN_NONCE_SCHEMA', 'your_schema_name' );
```

Please note that the schema name should be just that (e.g. `auth`); the `_KEY` or `_SCHEMA` suffixes are not needed, as WP will fill them in itself. Again, it is mandatory that the salt is **defined alongside the others in `wp-config.php`**.

### Nonce length

By default, WordPress trims the generated string:

```
substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); // note substr() offset and length
```

You can customize that like this:

```
define( 'WCN_NONCE_OFFSET', 0 ); // Default: -12
define( 'WCN_NONCE_LENGTH', 20 ); // Default: 10
```
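
The tick-based validation and the trimming described in the two sections above can be modelled outside WordPress. This is an added example, not the plugin's or core's code: `hash_hmac( 'md5', ... )` with a constructed key stands in for `wp_hash`, and every `demo_*` name, the key and the timestamp are assumptions made for illustration.

```php
<?php
// Added example: a standalone model of the nonce layout, not the plugin's code.
// Assumption: hash_hmac('md5', ...) with a constructed key stands in for wp_hash().
const DEMO_KEY  = 'constructed-demo-key'; // constructed value, not a real salt
const DEMO_LIFE = 86400;                  // 24-hour lifetime, as described above

// One tick is half the lifetime (12 hours).
function demo_tick(int $now): int {
    return (int) ceil($now / (DEMO_LIFE / 2));
}

// Same layout as the core snippet: hash "tick|action|uid|token", then trim.
function demo_nonce(int $tick, string $action, string $uid, string $token,
                    int $offset = -12, int $length = 10): string {
    $hash = hash_hmac('md5', "$tick|$action|$uid|$token", DEMO_KEY); // 32 hex chars
    return substr($hash, $offset, $length);
}

// Returns 1 (current tick), 2 (previous tick) or false, like wp_verify_nonce.
// $validate_old = false models WCN_VALIDATE_OLD_NONCES set to false.
function demo_verify(string $nonce, int $now, string $action, string $uid,
                     string $token, bool $validate_old = true) {
    $tick = demo_tick($now);
    if (hash_equals(demo_nonce($tick, $action, $uid, $token), $nonce)) {
        return 1;
    }
    if ($validate_old
        && hash_equals(demo_nonce($tick - 1, $action, $uid, $token), $nonce)) {
        return 2;
    }
    return false;
}

$t0    = 1700000000; // constructed timestamp
$tick  = demo_tick($t0);
$nonce = demo_nonce($tick, 'delete-post_7', '42', 'session-a');

// Age of the nonce: same tick, next tick, next tick with old nonces disabled.
var_dump(demo_verify($nonce, $t0, 'delete-post_7', '42', 'session-a'));
var_dump(demo_verify($nonce, $t0 + 43200, 'delete-post_7', '42', 'session-a'));
var_dump(demo_verify($nonce, $t0 + 43200, 'delete-post_7', '42', 'session-a', false));

// Trimming: offset 0 / length 20 keeps 20 hex characters (80 bits), while
// offset -12 can never yield more than 12, whatever length is requested.
var_dump(strlen(demo_nonce($tick, 'delete-post_7', '42', 'session-a', 0, 20)));
var_dump(strlen(demo_nonce($tick, 'delete-post_7', '42', 'session-a', -12, 20)));
```

In this layout the UID and the token are the only per-visitor inputs, so a nonce built with both strategies set to `none` or `fixed` is the same for every visitor within a tick.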

