A "nonce" is a "number used once": the value WP uses to make sure that POST data comes from a safe place. This is useful to ensure that your plugin does not end up processing data from an unsafe source (see Cross-Site Request Forgery).
This Mark Jaquith blog post is helpful for understanding them.
[Nonces] are unique to the WordPress install, to the WordPress user, to the action, to the action object, and to the time of the action (24-hour window). This means that if any of these things changes, the nonce value is invalid. So if you somehow intercept a nonce used by me, you would first have only 24 hours to use that nonce to try to trick me.
To create a nonce, you call wp_create_nonce with a specific string that provides a "context" for the nonce. It returns a string: the nonce itself. You then include this nonce as part of your POST request. The receiving page then creates its own nonce using the same context and checks whether the two match.
In this case, the context given is plugin_basename(__FILE__) . This produces the same string whenever it is called from the same plugin (see here ).
When wp_verify_nonce receives a nonce created under the same circumstances Mark describes, with the same context string, it returns true.
In short:
!wp_verify_nonce
returns true if wp_verify_nonce returns false.
($_POST[$meta_box['name'].'_noncename'],
First argument of wp_verify_nonce: the nonce to check. This code takes the nonce from the POST request, stored in the global $_POST.
plugin_basename(__FILE__) )
Second argument of wp_verify_nonce: the context used to generate a new nonce, against which the first argument is checked.
{ return $post_id; }
If the nonces do not match, leave the current function early by returning the variable $post_id .
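Here is a complete create-and-verify round trip as an added example (it is not code from the original answer or from Mark Jaquith's post): a meta box that emits a nonce on the edit screen and a save handler that verifies it before touching any data. The function names, the meta-box id, the field name example_subtitle and the meta key _example_subtitle are made up for illustration; wp_nonce_field, wp_create_nonce, wp_verify_nonce, current_user_can and the rest are real WordPress functions.

```php
<?php
/*
 * Added example (not part of the original answer). All example_mb_* names,
 * the field "example_subtitle" and the meta key "_example_subtitle" are
 * illustrative placeholders; the WordPress functions are real.
 */

// The nonce "context" (WordPress calls it the action). Using
// plugin_basename(__FILE__) ties the nonce to this plugin file, exactly as
// the answer describes.
function example_mb_nonce_action() {
    return plugin_basename( __FILE__ );
}

// 1. Render: wp_nonce_field() calls wp_create_nonce() with our context and
//    prints the result as a hidden input, so it travels with the POST data.
function example_mb_render( $post ) {
    wp_nonce_field( example_mb_nonce_action(), 'example_mb_noncename' );
    $value = get_post_meta( $post->ID, '_example_subtitle', true );
    printf(
        '<label for="example_subtitle">Subtitle</label> '
        . '<input type="text" id="example_subtitle" name="example_subtitle" value="%s" />',
        esc_attr( $value )
    );
}

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'example_mb', 'Example', 'example_mb_render', 'post' );
} );

// 2. Save: every early return is the "{ return $post_id; }" from the answer.
function example_mb_save( $post_id ) {
    // No nonce in the request at all: this POST did not come from our form
    // (e.g. Quick Edit or a programmatic save), so do nothing.
    if ( ! isset( $_POST['example_mb_noncename'] ) ) {
        return $post_id;
    }

    // wp_verify_nonce() rebuilds the nonce from the same context (user,
    // session, action, time tick) and compares. It returns 1 if the nonce was
    // created in the last 12 hours, 2 if it is 12-24 hours old, and false
    // otherwise, which is why "! wp_verify_nonce(...)" means "invalid".
    if ( ! wp_verify_nonce( $_POST['example_mb_noncename'], example_mb_nonce_action() ) ) {
        return $post_id;
    }

    // Autosaves do not carry the meta box fields; skip them.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return $post_id;
    }

    // A valid nonce proves the request came from our form for this user; it
    // does not prove the user may edit this post, so check capabilities too.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return $post_id;
    }

    if ( isset( $_POST['example_subtitle'] ) ) {
        $subtitle = sanitize_text_field( wp_unslash( $_POST['example_subtitle'] ) );
        update_post_meta( $post_id, '_example_subtitle', $subtitle );
    }

    return $post_id;
}
add_action( 'save_post', 'example_mb_save' );
```

The nonce field name passed to wp_nonce_field (second argument) must be the same key read back from $_POST in the save handler, and the action string passed to both wp_nonce_field and wp_verify_nonce must be identical; if either differs, wp_verify_nonce returns false even for a legitimate submission.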