Nonces and WordPress

published Jun 02, 2006, last modified Jun 26, 2013

What is all this Nonce-sense? - Asymptomatic gives us a quick introduction on nonces.

Nonces alone sound very stupid to me. Instead of having implemented nonces alone, what the WP team should have been doing all along is obvious: every action that is not idempotent should be done through POST . Technically, it's quite simple. Programmatically, it's harder to do than GET s. But surely coding GET s + nonces must be much harder than simply coding POST s.

No one is discussing how useful nonces are. They are useful. But in the context of the greater picture, they're used to avoid WP admins from being tricked -- which is exactly why POST s should be used as well. Sure, POSTs alone don't buy us a whole lotta security. But they surely do buy us some.

(Please don't tell me I haven't read the whole thread. The fact that nonces were introduced does not contradict one iota the fact that POST s should be used for destructive operations, and that's it.)
Update: to visitors from the #wordpress channel: I updated the article, correcting statements of fact. I'm very glad to see that you're receptive to the POST idea. It's no surprise that it has been floated before as an issue.