WordPress check_ajax_referer Example: Verify AJAX Nonces Correctly

Last reviewed: May 6, 2026

WordPress AJAX handlers are a common place for rushed security. Teams wire the front end, accept a nonce in JavaScript, and assume the server path is now protected. check_ajax_referer() is the right verifier for WordPress AJAX requests, but the helper only checks request intent. It does not replace authorization.

This guide shows how to verify an AJAX nonce correctly and how to keep that check separate from capability enforcement.

Verify the nonce at the top of the AJAX handler

<?php
add_action( 'wp_ajax_vulnwp_save_note', 'vulnwp_save_note_ajax' );

function vulnwp_save_note_ajax() {
	check_ajax_referer( 'vulnwp_save_note', 'nonce' );

	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	$note = isset( $_POST['note'] )
		? sanitize_textarea_field( wp_unslash( $_POST['note'] ) )
		: '';

	wp_send_json_success( array( 'note' => $note ) );
}

The helper should run early, before the handler performs its real work.

Keep nonce verification and authorization separate

The WordPress reference is explicit on this point: nonces should never be relied on for authentication, authorization, or access control. A valid nonce proves the request shape is expected. It does not prove the current user should be allowed to do the action.

Use a named request key when the client sends one

If the front end posts the nonce under a specific field like nonce or security, pass that second argument explicitly. That makes the handler easier to read and less dependent on default fallback lookup behavior.

Fail clearly when the request is invalid

For most AJAX handlers, the default early stop is fine. The important part is that failure should be expected and tested, not treated like an impossible path.

Common mistakes

• Skipping the capability check after nonce verification. This is the most important mistake.
• Using vague action strings. The nonce action should be specific to the request.
• Reading raw $_POST values after the nonce check. Input still needs normalization and sanitization.
• Assuming the failure path never matters. Attackers and broken clients both exercise it.

Production checklist

• Call check_ajax_referer() near the top of the handler.
• Use a specific action string and request key.
• Run current_user_can() separately for authorization.
• Normalize and sanitize request input after verification.
• Test both success and failure responses.

Related reading

Pair this with the nonce guide for the broader CSRF model, and with the admin AJAX article when the handler belongs to a richer logged-in workflow.

References and further reading

• WordPress Code Reference: check_ajax_referer()
• WordPress Code Reference: current_user_can()
• WordPress Code Reference: wp_send_json_success()