• agiledigitalsolutions

    (@agiledigitalsolutions)


    I’ve just started using this plugin as I want to be able to register user accounts from a third party system.

    As I understand it, I call /api/get_nonce/?controller=user&method=register to get a nonce and then /api/user/register/?nonce=12345&username…… etc to create a user.

    How secure is this? If I’m able to retrieve a nonce and then use it to create a user, where is the layer of security to stop a hacker doing the same thing?

    Sorry if I’ve misunderstood or missed something, but the nonce almost seems irrelevant unless there is another layer of security I need to include?
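The following is an added illustration, not code from the plugin or from anyone in this thread. It models the two-step flow in the question as in-memory functions and contrasts it with an assumed design in which a pre-shared API key (a constructed value here) is required before a nonce is issued and the nonce is bound to that key; the point is that a one-time nonce prevents replay, but on its own it does not decide who is allowed to register.

```python
import hmac
import secrets


class NonceOnlyRegistration:
    """Flow as described in the question: any caller fetches a nonce, then spends it.
    The nonce is one-time-use, so it blocks replays, but it never checks *who* calls."""

    def __init__(self):
        self.nonces = set()
        self.users = {}

    def get_nonce(self):
        nonce = secrets.token_hex(8)   # unpredictable, but handed to anyone who asks
        self.nonces.add(nonce)
        return nonce

    def register(self, nonce, username):
        if nonce not in self.nonces:
            return False                # unknown or already-spent nonce
        self.nonces.discard(nonce)      # one-time use: replay protection only
        self.users[username] = {"registered_via": "nonce"}
        return True


class KeyedRegistration:
    """Assumed extra layer (not the plugin's own): only a caller holding a pre-shared
    API key is issued a nonce, and the nonce is bound to that key at issue time."""

    def __init__(self, api_key):
        self.api_key = api_key          # secret known only to the trusted third-party system
        self.nonces = {}                # nonce -> key it was issued to
        self.users = {}

    def _key_ok(self, presented):
        return presented is not None and hmac.compare_digest(presented, self.api_key)

    def get_nonce(self, api_key=None):
        if not self._key_ok(api_key):
            return None                 # anonymous callers never receive a nonce
        nonce = secrets.token_hex(8)
        self.nonces[nonce] = api_key
        return nonce

    def register(self, nonce, username, api_key=None):
        issued_to = self.nonces.pop(nonce, None)   # consumed even on a failed attempt
        if issued_to is None or not self._key_ok(api_key) or issued_to != api_key:
            return False
        self.users[username] = {"registered_via": "api_key"}
        return True
```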

Viewing 3 replies - 1 through 3 (of 3 total)
  • zack12028

    (@zack12028)

    I believe the nonce is a randomly generated, one-time-use token that allows registering; the nonce is sent over an HTTPS request, so the link to it should be hard to access. However, you are right: if a hacker can find your nonce link then… rip

    zack12028

    (@zack12028)

    You need to change the name from /api/get_nonce, which I believe is the default, to something like /api/oahsd1uk12u31uk2g34y2jfv312h3bl1k2j3bj1243v1;3io45h34lk6jnb568jj7…………………………………………….. Like, make it 200 characters and call it a day. The security on the app should block recursive bad calls from the same IP address.

    zack12028

    (@zack12028)

    I'm sorry, edit: you can't change the /get_nonce, but you can change the /api to something like /aosidhjasoudhaslkd1231241972y4129812b3hkj12312j3h12k3hgv124ljk2……./get_nonce. Again, 200 characters.


The topic ‘Security with get_nonce?’ is closed to new replies.