A WordPress nonce is a “number used once” security token that protects URLs and forms from malicious requests.
It helps WordPress determine whether a request is legitimate, preventing unauthorized actions and inputs.
A typical WP request without a nonce

http://yourwebsite.com/wp-admin/post.php?post=123&action=trash

The problem is that a CSRF (Cross-site request forgery) attack can easily disguise this request link. Nonces prevent CSRF attacks by adding an extra layer of protection to the URL:

http://yourwebsite.com/wp-admin/post.php?post=123&action=trash&_wpnonce=b192fc4204

WordPress nonces are also generated specifically for each session, so their value is no longer valid once the user logs in or out. If you try to open that URL without the correct nonce generated by WordPress, you get a 403 Forbidden response together with the “Are you sure you want to do this?” error message.

Likewise, when you create a new post or page through the WordPress REST API, you must pass the nonce as a request header, or you will get an authentication error. You can check this quickly with Postman.
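The two cases above in plugin code, as an added example written for this page (not code from WordPress core or from the original post): a trash link that carries a nonce and the handler that verifies it, plus a REST request that sends the `wp_rest` nonce in the `X-WP-Nonce` header. The plugin name, the `nonce_demo_*` action names and the hypothetical post title are assumptions of the example.

```php
<?php
/*
Plugin Name: Nonce Demo (example, not part of WordPress)
*/

// Build the trash link with a nonce bound to this specific action and post.
function nonce_demo_trash_link( $post_id ) {
    $url = admin_url( 'admin-post.php?action=nonce_demo_trash&post=' . (int) $post_id );
    // wp_nonce_url() appends &_wpnonce=... to the URL.
    return wp_nonce_url( $url, 'nonce_demo_trash_' . (int) $post_id );
}

// Handler for the link above; admin_post_{action} fires for logged-in users.
add_action( 'admin_post_nonce_demo_trash', function () {
    $post_id = isset( $_GET['post'] ) ? (int) $_GET['post'] : 0;
    // Dies with a 403 "Are you sure you want to do this?" page when the nonce
    // is missing, expired, or was issued for another action, user or session.
    check_admin_referer( 'nonce_demo_trash_' . $post_id );
    // A nonce is not authorization: the capability check is still required.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    wp_trash_post( $post_id );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
} );

// REST API: hand the "wp_rest" nonce to a script and send it as X-WP-Nonce.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'nonce-demo', false, array(), '1.0', true );
    wp_enqueue_script( 'nonce-demo' );
    $config = wp_json_encode( array(
        'root'  => esc_url_raw( rest_url() ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
    // Without the X-WP-Nonce header the same request is treated as
    // unauthenticated and creating a post fails with an authentication error.
    wp_add_inline_script( 'nonce-demo', "
        const cfg = {$config};
        fetch(cfg.root + 'wp/v2/posts', {
            method: 'POST',
            credentials: 'same-origin',
            headers: { 'Content-Type': 'application/json', 'X-WP-Nonce': cfg.nonce },
            body: JSON.stringify({ title: 'Created with a nonce', status: 'draft' })
        }).then(r => r.json()).then(console.log);
    " );
} );
```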