I have read the reference for this function on WordPress, but I still do not understand what this function actually does.

I am reading through a tutorial about creating a meta box in WordPress, and I have this code within the function that saves the data:

if ( !wp_verify_nonce( $_POST[$meta_box['name'].'_noncename'], plugin_basename(__FILE__) )) {
    return $post_id;
}

Can someone explain briefly what the concept of wp_verify_nonce() is?

The nonce is a 'number used once' - a code that WordPress uses to make sure that POST data comes from a safe source. This is helpful to make sure that the plugin doesn't end up processing data from a hazardous source (see Cross-Site Request Forgery).

This blog post by Mark Jaquith is helpful for understanding them.

[nonces] are unique to the WordPress install, to the WordPress user, to the action, to the object of the action, and to the time of the action (24-hour window). That means that if any of these things changes, the nonce is invalid. So if you (somehow) intercept a nonce being used by me, you would, first of all, have only 24 hours to use this key to try to trick me.

To create a nonce you have to give wp_create_nonce a particular string, supplying the 'context' for that nonce. It gives you back a string - the nonce itself. You then include this nonce in your POST request. The receiving page should then create a nonce of its own, using the same context, and see whether they match.

In this case, the context given is plugin_basename(__FILE__). This will generate the same string whenever it is called from within the same plugin (see here).

When wp_verify_nonce receives a nonce created under the same conditions as described by Mark, with the same context string, it returns true.

In a nutshell:


returns true if wp_verify_nonce returns false.


First argument to wp_verify_nonce: the nonce to check. This code gets the nonce from the POST request, stored in the $_POST global.

plugin_basename(__FILE__) )

Second argument to wp_verify_nonce: the context for generating the new nonce against which the first will be checked.

{ return $post_id; }

If the nonce does not match, stop executing the current function, returning the variable $post_id.
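
A simplified stand-alone PHP model of the create-and-verify scheme the answer describes, added here as an illustration; it is not WordPress core code and not part of the original post. The `model_*` function names, the secret, the 12-hour tick and the sample values are assumptions made for the example.

```php
<?php
// Simplified model of a WordPress-style nonce; NOT WordPress core code.
// All names, the secret and the tick length are assumptions for illustration.
const INSTALL_SECRET = 'constructed-per-install-secret'; // stands in for a per-install secret
const TICK_SECONDS   = 43200;                            // 12 h: two ticks span the 24-hour window

// Number of the half-day period that contains $now.
function model_tick(int $now): int {
    return (int) ceil($now / TICK_SECONDS);
}

// Token bound to the install secret, the time tick, the action (context) and the user.
function model_nonce_for_tick(int $tick, string $action, int $user_id): string {
    $mac = hash_hmac('sha256', $tick . '|' . $action . '|' . $user_id, INSTALL_SECRET);
    return substr($mac, -12, 10);
}

function model_create_nonce(string $action, int $user_id, int $now): string {
    return model_nonce_for_tick(model_tick($now), $action, $user_id);
}

// Recompute the expected token with the same context and compare.
// The current and the previous tick are accepted, so a token expires within 24 hours.
function model_verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $tick = model_tick($now);
    foreach ([$tick, $tick - 1] as $candidate) {
        // hash_equals() compares in constant time.
        if (hash_equals(model_nonce_for_tick($candidate, $action, $user_id), $nonce)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values.
$issued = 1700000000;
$action = 'my-plugin/meta-box.php'; // the kind of string plugin_basename(__FILE__) yields
$nonce  = model_create_nonce($action, 7, $issued);

$checks = [
    'same context, 1 hour later'   => model_verify_nonce($nonce, $action, 7, $issued + 3600),
    'different action'             => model_verify_nonce($nonce, 'other-plugin/file.php', 7, $issued + 3600),
    'different user'               => model_verify_nonce($nonce, $action, 8, $issued + 3600),
    'same context, 25 hours later' => model_verify_nonce($nonce, $action, 7, $issued + 25 * 3600),
    'missing nonce field'          => model_verify_nonce('', $action, 7, $issued),
];
foreach ($checks as $label => $ok) {
    printf("%-30s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first check is accepted; changing the action, the user or letting the time window lapse makes the recomputed token differ from the submitted one.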