Retrieves or displays the nonce hidden form field.

The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else. A nonce does not offer absolute protection, but should protect against most cases. It is very important to use nonce fields in forms.

The $action and $name arguments are optional, but if you want to have a better security, it is strongly suggested to give those two arguments. It is easier to just call the function without any arguments, because the nonce security method does not require them, but since crackers know what the default is, it will not be difficult for them to find a way around your nonce and cause damage.

The nonce field name will be whatever $name value you gave, and the field value will be the value created using the wp_create_nonce() function.

wp_nonce_field() 描述


<?php wp_nonce_field$action$name$referer$echo ?>

wp_nonce_field() 用法



(string) (可选) Action name. Should give the context to what is taking place. Optional but recommended.

默认值: -1


(string) (可选) Nonce name. This is the name of the nonce hidden form field to be created. Once the form is submitted, you can access the generated nonce via $_POST[$name].

默认值: '_wpnonce'


(boolean) (可选) Whether also the referer hidden form field should be created with the wp_referer_field() function.

默认值: true


(boolean) (可选) Whether to display or return the nonce hidden form field, and also the referer hidden form field if the $referer argument is set to true.

默认值: true

wp_nonce_field() 参数



The nonce hidden form field, optionally followed by the referer hidden form field if the $referer argument is set to true.

wp_nonce_field() 返回值


While less secure than the examples that follow, this is the simplest implementation which omits all arguments. In your form add the following:

It's better to name your action and nonce in your form. Enter values for the first and second arguments to print the necessary hidden field:

Then in the page where it is being submitted to, you may verify it using the wp_verify_nonce() function. Notice that you have to manually retrieve the nonce (from the $_POST array in this example), and the name of the action is the 2nd parameter instead of the first:

If you are submitting and processing the form inside the WP administration area, you may verify the nonce using the check_admin_referer() function:

wp_nonce_field() 示例


  • 添加于 版本: 2.0.4

wp_nonce_field() 历史


wp_nonce_field() 函数的代码位于 wp-includes/functions.php.

wp_nonce_field() 源文件