WordPress Authorization & Intent Check

Securing WordPress: Verifying Authorization and Intent

By Valik Rudd

In a recent blog post WordFence published they explained the importance of verifying both, the authorization and intent when writing functions that do important work, or any work for that matter that is not publicly available.

I wanted to summarize what they wrote in this post for reference and future quick access.

The Problem – Bad Actors Accessing And Running Scripts

When an action is left wide open, an attacker can reach it through an AJAX call or some other injected request and perform operations such as deleting all users, without the script ever checking whether the caller is allowed to perform such an operation and whether the action was actually the user's intention.

The Solution – Verify Authorization And Intent

There are two steps to the solution that will ensure these actions are protected from actors who intend to do harm.

The first is to check for authorization. This is done with the current_user_can() function, which checks whether the logged-in user holds the capability required for the action.

The call current_user_can('manage_options') uses the 'manage_options' capability, which is commonly used for admin-level operations. Any admin-level operation can be protected by a check like this:

functions.php

function delete_all_users() {
   // Authorization: only users with the manage_options capability (administrators) get past this check.
   if ( current_user_can( 'manage_options' ) ) {
      delete_all_customer(); // the site's own helper that does the actual work
   }
   wp_die(); // end the admin-ajax.php request cleanly
}
add_action( 'wp_ajax_delete_customers', 'delete_all_users' );

The second check is to verify that the request came from a page you control, using a nonce. A nonce is a token that is generated on that page, passed along with the request, and checked on the receiving end to prove the request originated from a trusted page.

functions.php

function delete_all_users() {
   // Intent: the nonce field must be present and valid for the 'my-nonce' action.
   // Authorization: the user must also hold the manage_options capability.
   if ( isset( $_POST['the_nonce'] )
        && wp_verify_nonce( $_POST['the_nonce'], 'my-nonce' )
        && current_user_can( 'manage_options' ) ) {
      delete_all_customer(); // the site's own helper that does the actual work
   }
   wp_die(); // end the admin-ajax.php request cleanly
}
add_action( 'wp_ajax_delete_customers', 'delete_all_users' );

You will notice that I am doing both checks in the above code. It is critical to do both in order to stop sneaky attackers. A nonce alone is not enough: it can be accidentally disclosed in the page source, and an attacker who has it could run the code. Without a nonce check, an attacker who can trick an admin-level user into clicking a malicious link could run the code as that user (a cross-site request forgery). This is why it is critical to check both.
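The following is an added example, not code from the original post or from Wordfence, showing the full round trip the two checks above need: the admin page hands the nonce to the browser, and the AJAX handler verifies intent with check_ajax_referer() before verifying authorization with current_user_can(). The script handle, hook name, nonce action string and the helper example_delete_all_customers() are assumptions chosen for this example.

```php
<?php
// Added example (not the original post's code). Names below are assumptions:
// script handle 'example-delete-customers', AJAX action 'example_delete_customers',
// nonce action 'example_delete_customers', helper example_delete_all_customers().

// 1. On the admin page that issues the request, pass a nonce to the script.
//    The browser side is expected to POST: action=example_delete_customers, security=<nonce>.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'example-delete-customers',
        plugin_dir_url( __FILE__ ) . 'delete-customers.js', // assumed script file
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-delete-customers', 'exampleDeleteCustomers', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        // Nonce bound to this one action; it is only rendered for logged-in users of this page.
        'nonce'   => wp_create_nonce( 'example_delete_customers' ),
    ) );
} );

// 2. Register only the wp_ajax_ (logged-in) hook. wp_ajax_nopriv_ is deliberately
//    omitted so anonymous visitors cannot even reach the handler.
add_action( 'wp_ajax_example_delete_customers', 'example_delete_customers_handler' );

function example_delete_customers_handler() {
    // Intent check: the 'security' POST field must carry a valid nonce for this action.
    // With its default third argument (true), check_ajax_referer() calls wp_die() on failure,
    // so nothing below runs on a missing or forged nonce.
    check_ajax_referer( 'example_delete_customers', 'security' );

    // Authorization check: a valid nonce only proves the request came from a page we rendered
    // for this user; it says nothing about whether the user is allowed to delete customers.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $deleted = example_delete_all_customers();
    wp_send_json_success( array( 'deleted' => $deleted ) ); // ends the request
}

// Assumed helper: deletes every user with the 'customer' role and returns how many were removed.
function example_delete_all_customers() {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
    $count = 0;
    foreach ( get_users( array( 'role' => 'customer', 'fields' => 'ID' ) ) as $user_id ) {
        if ( wp_delete_user( $user_id ) ) {
            $count++;
        }
    }
    return $count;
}
```

Two design points are worth noting. The checks are ordered nonce first, capability second, so a forged request is rejected before any user lookup happens, but both always run for a request that reaches the deletion. And the handler returns JSON with a 403 status on the authorization failure instead of silently doing nothing, which makes failed attempts visible in the web server and application logs.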
