How WordPress works with nonces

If you’re British, you probably just spat out your tea.

If you’re not, and know your WordPress, then this post title may seem perfectly innocent.

Because WordPress has a language problem.

So, for those still with drink in their mouths, let me explain. “Nonce” is British slang for a sexual predator. You’ll hear people referring to Prince Andrew as a nonce, for example, and not because he’s good at protecting WordPress forms.

In fact, thanks to this post, I’ve learnt that it’s worse because the meaning of the British definition means that it’s a homophobic slur.

WordPress makes use of the word “nonce” in a totally innocent way, though, as it means…

occurring, used, or made only once or for a special occasion


And that is exactly how WordPress makes use of that term.

The British variation of that word, though, has been in existence longer than WordPress has been around, though, so its very existence within the platform just shows that no checks were ever done in the early days. Or it was recognised and ignored. However, it’s been used for cryptographic purposes for some time, which is why WordPress make use of it.

(Thanks to Otto, all-round WordPress guru, who helped with some of the information in the previous paragraph)

But, now powering over 40% of the internet, WordPress is truly global, and we need to be thinking more deeply about how it’s presented in every country.

Is this a problem?

I don’t think anyone takes it seriously. But that, to me, is the biggest issue – it turns WordPress into a joke.

I could go on.

But, certainly if you’re writing in a professional capacity about the technical side of WordPress then making use of this word is… problematic, shall we say?

Even Wikipedia states…

In Britain the term may be avoided as “nonce” in modern British English means a paedophile

Cryptographic nonce – Wikipedia

What can we do

First of all, there’s less reason to use the word. Did you notice that the above Tweets were all around 2019/2020? In 2021, WordPress 5.8 was released which suppressed use of the word on user-facing errors (just like the ones above). Not coincidentally, I was the person who raised this with the core developers.

This doesn’t make the problem go away, as many plugins still make use of the word.

Longer term I’d like to see us changing the function names in WordPress too, leaving just redirects in place for the old terms, to ensure code doesn’t break.

That just leaves us with technical writing, as the term is still used in the code functions of WordPress. So, it can be unavoidable. However, I would recommend only using it when presenting actual code – otherwise, use a term such as “one time token”, or similar, to explain it. Early on, I’d explain it’s called a “nonce”, explain why that’s an unfortunate term, and then say what you’ll use to refer to it in the rest of the article. For example…

To protect against CSRF attacks, you can use something called a “nonce” in your code. This is an unfortunate term in British slang and, for this reason, we shall refer to this in the remainder of this article as a “one time token” (except where we need to present code examples, where the original term is required).

Trying to find the right words all the time for a truly international audience can be difficult, to say the least. But that doesn’t mean we shouldn’t try and, where necessary, course correct if we can.

Talk to me!

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: