Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?

Among the functions in /wp-includes/pluggable.php are the functions wp_verify_nonce and wp_create_nonce. Both functions are very important in the protection against CSRF attacks. However, it is easy to override these functions in a plugin so that all nonces are accepted as valid.

// In any plugin file: active plugins are loaded before wp-includes/pluggable.php,
// so this definition wins and core's real wp_verify_nonce() is never defined.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
  function wp_verify_nonce( $nonce, $action = -1 ) {
    return 1; // "valid, current tick" for any nonce and any action
  }
}

I have tested this, and indeed, CSRF protection is now disabled site-wide.
What’s the reason that these functions are put in the pluggable.php file if the security risks are so obvious?

1 comment

  1. There is no security risk in a pluggable function: If someone installs a plugin that lowers the security it is his/her own fault. On the other hand, you can override the functions to make nonces more unique or to change their format.

    In a custom function wp_verify_nonce() you could use an optional third parameter or change the time a nonce expires.

    Nowadays pluggable functions aren’t introduced anymore. They are hard to debug, and you can usually do the same with filters. And then there’s also the problem that you can’t ever be sure that no other plugin will redefine the pluggable function (again) after you redefined it.
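The following stand-alone PHP script is an added example; it is not code from the question, the comment, or WordPress core. It puts three things side by side: a small model of the tick-based HMAC scheme that wp_create_nonce() and wp_verify_nonce() implement (the model_* names, MODEL_SECRET and the constructed user id and session token are assumptions, not WordPress APIs), the `return 1` stub from the question accepting an empty nonce for any action, and a Reflection-based audit (audit_pluggable, an assumed name) that reports which file actually defines a pluggable function. It also illustrates the comment's point about changing expiry: because the override replaces core's definition rather than wrapping it, a custom wp_verify_nonce() has to reimplement the whole check.

```php
<?php
// Added example, not from the original post or from WordPress core. PHP 7.4+ CLI.
declare(strict_types=1);

const NONCE_LIFE = 86400;                                  // one day, the WordPress default
const MODEL_SECRET = 'constructed-secret-do-not-use';      // stands in for NONCE_KEY/NONCE_SALT

// Ticks are half the lifetime, so a nonce is accepted for between 12 and 24 hours.
function model_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Model of wp_create_nonce(): keyed hash over tick|action|user|session token, truncated to 10 chars.
function model_create_nonce(string $action, int $uid, string $token, int $now): string {
    $i = model_tick($now);
    return substr(hash_hmac('md5', $i . '|' . $action . '|' . $uid . '|' . $token, MODEL_SECRET), -12, 10);
}

// Model of wp_verify_nonce(): 1 for the current tick, 2 for the previous tick, false otherwise.
function model_verify_nonce(string $nonce, string $action, int $uid, string $token, int $now) {
    if ($nonce === '') {
        return false;
    }
    $i = model_tick($now);
    foreach ([1 => $i, 2 => $i - 1] as $result => $tick) {
        $expected = substr(hash_hmac('md5', $tick . '|' . $action . '|' . $uid . '|' . $token, MODEL_SECRET), -12, 10);
        if (hash_equals($expected, $nonce)) {   // constant-time comparison
            return $result;
        }
    }
    return false;
}

// The stub from the question: accepts anything, for any action.
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action = -1) {
        return 1;
    }
}

// Audit check (assumed helper name): where was a pluggable function defined?
// On a WordPress site (e.g. via `wp eval` or an mu-plugin on the init hook) a healthy
// install reports wp-includes/pluggable.php; a plugin path means it was overridden.
function audit_pluggable(string $name): ?string {
    if (!function_exists($name)) {
        return null;
    }
    $file = (new ReflectionFunction($name))->getFileName();
    return $file === false ? '(internal)' : $file;
}

$now   = time();
$uid   = 42;                          // constructed user id
$token = 'constructed-session-token'; // constructed session token
$good  = model_create_nonce('delete-post_7', $uid, $token, $now);

printf("model, genuine nonce:            %s\n", var_export(model_verify_nonce($good, 'delete-post_7', $uid, $token, $now), true));            // 1
printf("model, wrong action:             %s\n", var_export(model_verify_nonce($good, 'delete-post_8', $uid, $token, $now), true));            // false
printf("model, exactly 12h later:        %s\n", var_export(model_verify_nonce($good, 'delete-post_7', $uid, $token, $now + 43200), true));    // 2
printf("model, exactly 24h later:        %s\n", var_export(model_verify_nonce($good, 'delete-post_7', $uid, $token, $now + 86400), true));    // false
printf("stub, empty nonce, any action:   %s\n", var_export(wp_verify_nonce('', 'anything'), true));                                           // 1

foreach (['wp_verify_nonce', 'wp_create_nonce'] as $fn) {
    printf("%s defined in: %s\n", $fn, audit_pluggable($fn) ?? '(not defined)');
}
```

Run with `php nonce-model.php` (any filename). The audit lines show the point of the check: wp_verify_nonce is reported as defined in this script rather than in wp-includes/pluggable.php, which is exactly what a site with such a plugin installed would show, while wp_create_nonce is reported as not defined at all because nothing loaded core. For merely changing how long a nonce lives there is no need to override anything: core passes the lifetime through the nonce_life filter before computing the tick.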