All data entry forms, widgets, and the like should use nonce to verify that the actual form was used to enter the data ... and not just some random hacker trying to break your site.
|nonce||-||number used only once
Despite what the name says, a given nonce changes every 12 hours and is good for 24 hours
A nonce is a hash of the current time, user ID, and a string associated with some part of an application. The purpose is to reduce the probability of someone accessing your site and pretending to be someone else.
As usual, the online help is adequate, but not complete. This is the function definition (from functions.php) showing the available parameters. I suggest supplying a unique $name.
function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true )
if ( function_exists('wp_nonce_field') ) wp_nonce_field('lib-events-add_event', 'lib-events_nonce'); echo "\n<! end of wp_nonce_field >\n";
<input type="hidden" id="lib-events_nonce" name="lib-events_nonce" value="2453635ba4" /> <input type="hidden" name="_wp_http_referer" value="/graphics-lib/wp-admin/post.php?action=edit&post=185&message=1" /> <! end of wp_nonce_field >
Validating the nonce is a bit tricky - be sure you have created it one edit cycle before you check it. (If you don't, you will get server error 500. As you can see in the function prototype (definition), $query_arg must be set to the same value as $name when the nonce was created (which is why the name must be unique).
function check_admin_referer($action = -1, $query_arg = '_wpnonce')
<form name="post" action="post.php" method="post" id="post"> <input type="hidden" id="_wpnonce" name="_wpnonce" value="ed48249d7f" /> <input type="hidden" name="_wp_http_referer" value="/graphics-lib/wp-admin/post.php?action=edit&post=185&message=1" />
On the other hand, it is possible for someone to try and hack a site by directly calling some php file (ie, without going through the normal post page). Therefore, it is still a good idea for each plugin to provide nonce security in addition to what WordPress already provides.
WordPress 2.0.3: Nonces - very good, but it does not mention the name parameter.