WordPress: Are you sure you want to do this?

While writing a plug-in for WordPress recently I came across a very strange error message:

Are you sure you want to do this?

Now my initial reaction was “Well yes, I do want to do this!”. Unfortunately that wasn’t an option. It just told me to try again… same message… ad nauseam. What I was actually trying to do was pass some form information from the plug-in dashboard panel to the plug-in tables in the database.

After searching the web for a while and not having much luck I decided to ‘view source’ on the Quickpress widget which was doing a similar function. I noticed these two hidden inputs:

<input type="hidden" id="_wpnonce" name="_wpnonce" value=" " />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/" />

After a brief search on Google for ‘cryptographic nonce’ it occurred to me that this was what was missing: a vital security feature that WordPress uses to validate that the form submission came from the current site rather than from an external source. Very clever, but quite frustrating if you don’t know about it.

Adding the following to the form code fixed the issue.

$content = '<form name="formname" method="post" action="'.$url.'">';
if (function_exists('wp_nonce_field')){
    // First argument is the nonce *action*; the hidden input itself is named
    // '_wpnonce' by default. The fourth argument ($echo = false) makes the
    // function return the markup instead of printing it immediately, which
    // would otherwise output a stray copy of the fields outside the form.
    $content .= wp_nonce_field('hidden_input_name_here', '_wpnonce', true, false);
}
$content .= '...';

Simple when you know about it! The ‘wp_nonce_field’ function is documented in the WordPress codex.

Update: Just to make it a bit clearer, I added the code to the plug-in file that was generating my form. So for example:

<form name="our_form" method="post" action="http://oururl.com/action">
    <?php
        // Inside an HTML template the function can simply echo the hidden
        // inputs (its default behaviour); there is no $content string here.
        if (function_exists('wp_nonce_field')){
            wp_nonce_field('hidden_input_name_here');
        }
    ?>
    <!-- Other relevant code for the generated form -->
</form>

The hidden inputs are inserted into the form allowing WordPress to validate where the request came from.
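To show both halves of the mechanism together, here is an added example (not the post's own code) of a plug-in that generates a form with wp_nonce_field() and then validates the submission with check_admin_referer(), the call that produces the “Are you sure you want to do this?” screen when the nonce is missing, expired or issued for a different action. It assumes it runs inside a loaded WordPress plug-in; the action name myplugin_save_settings, the field name myplugin_nonce, the option name and the admin-post action are invented placeholders. As one of the comments below points out, the action and field name passed to the verification call must match the ones used when the form was generated.

```php
<?php
// Added example, not code from the original post. Assumes WordPress is loaded
// (wp_nonce_field, check_admin_referer, wp_verify_nonce, admin_url, etc.).
// 'myplugin_save_settings' / 'myplugin_nonce' / 'myplugin_save' are placeholders.

// Generate the form. With $echo = false, wp_nonce_field() returns the markup
// for the hidden nonce input (named myplugin_nonce here rather than the default
// _wpnonce) plus the _wp_http_referer input, so it can be appended to a string.
function myplugin_render_form() {
    $url = admin_url( 'admin-post.php' );
    $content  = '<form name="myplugin_form" method="post" action="' . esc_url( $url ) . '">';
    $content .= wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce', true, false );
    $content .= '<input type="hidden" name="action" value="myplugin_save" />';
    $content .= '<input type="text" name="myplugin_title" />';
    $content .= '<input type="submit" value="Save" />';
    $content .= '</form>';
    return $content;
}

// Handle the submission. check_admin_referer() must receive the SAME action
// and field name used when the form was rendered; on mismatch, expiry, or a
// nonce issued to a different logged-in user it calls wp_die() with the
// familiar "Are you sure you want to do this?" message.
function myplugin_handle_submit() {
    if ( empty( $_POST ) ) {
        return;
    }
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // A valid nonce proves the request originated from our own form, not that
    // the user is allowed to perform the action: check capabilities separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['myplugin_title'] ?? '' ) );
    update_option( 'myplugin_title', $title );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&saved=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_submit' );

// Variant for code that wants to report the failure itself instead of dying:
// wp_verify_nonce() returns 1 or 2 (valid, depending on age) or false.
function myplugin_nonce_is_valid( array $post ) {
    $nonce = isset( $post['myplugin_nonce'] ) ? sanitize_text_field( wp_unslash( $post['myplugin_nonce'] ) ) : '';
    return false !== wp_verify_nonce( $nonce, 'myplugin_save_settings' );
}
```

The admin-post.php route is used only so the handler has a well-defined hook; the same pair of calls works in a settings page callback or a widget form handler, as long as the rendering side and the checking side agree on the action and field name.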

vinayak on February 8 10 / 38

Adding the following to the form code fixed the issue.

Adding the following to where? Which location? Which file? Where to add?
Simply saying “adding the following to the form”. Can you make it a bit more clear?

Matt on February 8 10 / 38

Hi Vinayak,
I’ve added a slight update to the post which will hopefully make it a little clearer. It’s added to the plug-in file that is generating the form; it may be that you are receiving the error for a different reason. It isn’t the most helpful error message.

William on April 13 10 / 102

And of course out in the non-geek community, the word ‘Nonce’ is a slang term for a pervert or sex-offender.

WP_Nonce, anyone?

Hmmm. For a second there I thought there must be a joker at WP writing code…

Elvis on July 10 10 / 190

Hi,
In my case the issue was a specific plugin, “Google Analytics 3 codes for WordPress”; when I disabled it, everything went back to normal.

I hope this helps someone.

Luke Gedeon on February 25 11 / 55

Thanks, your note led me to the solution. In my case though I left out a hyphen in the hidden field and then checked for it when processing. :)

Looks like several plug-ins got hit with similar problems.

Also, I think the message is intentionally cryptic to throw off people trying to work around the nonce.

Russ on May 15 11 / 134

I spent hours trying to fix it. Then I contacted my host and they ran a permission check and fixed it.

Sam on June 21 11 / 171

Hi, this looks like what I am looking for for my widgets in WordPress, which won’t let me save them because of the message you refer to appearing.
But you do not mention the names of the files which should have these snippets inserted nor which line, so it’s pretty vague info. Should I put this in widgets.php??

Sam on June 21 11 / 171

I quote: “It’s added to the plug-in file that is generating the form”.
This is your answer to somebody asking which file?
Which file, like this bro:
wp-admin/filename.php
I mean, which is the plug-in file that is generating the form???
The name of the file please! Stop assuming everyone knows what you talk about just because you do.

Matt on June 21 11 / 171

Hi Sam,
Thanks for the comment. You get this error when submitting a form that doesn’t have a NONCE input field attached to it. I assume you are writing a plug-in that has a form, so whatever file is generating that form, that’s where you add it. If it isn’t your plug-in that’s causing the error then I suggest contacting the original author for a fix. “Which file?” doesn’t really apply as it will be different in each case.

Shayne on January 16 12 / 15

Thanks man. This saved my life.

Octav on April 21 12 / 111

Woohoo :D

I found this post as I was searching for a solution for the same issue, but with a different cause.
I copy-pasted the nonce verification from an example and forgot to change the nonce name and action. So, make sure you do :p

if ( !empty($_POST) && check_admin_referer('your-action', 'your-nonce') )
{
    echo("processing form data");
}

Funny :)

Gilbert on September 15 12 / 258

I noted this and fixed it right away. The fastest way to do this is by moving back one page, that is, the page you were on before the action, and trying to perform the action again. Hope it works for you too.

Andrea on August 6 13 / 217

Hi,

I am getting the same message (Are you sure you want to do this) when trying to add captcha fields to our “Contact Form 7” plugin.

Does anyone have any idea which plugin file I need to update and how and what code exactly?

Thanks!
A.
