What is all this Nonce-sense? - Asymptomatic gives us a quick introduction on nonces.
Nonces alone sound very stupid to me. Instead of implementing nonces alone, what the WP team should have been doing all along is obvious: every action that is not idempotent should be done through POST. Technically, it's quite simple. Programmatically, it's harder to do than GETs. But surely coding GETs + nonces must be much harder than simply coding
No one is discussing how useful nonces are. They are useful. But in the context of the greater picture, they're used to prevent WP admins from being tricked -- which is exactly why POSTs should be used as well. Sure, POSTs alone don't buy us a whole lotta security. But they surely do buy us some.
(Please don't tell me I haven't read the whole thread. The fact that nonces were introduced does not contradict one iota the fact that POSTs should be used for destructive operations, and that's it.)