Spam form submissions are a constant challenge for WordPress websites. WS Form includes a powerful option to help protect against them: NONCE protection.
A WordPress NONCE (short for Number Used Once) is a security token that helps verify that a form submission came from your site and not from a malicious script. When enabled in WS Form > Settings > Spam Protection, a NONCE will automatically be added to all form submissions.
Learn more: NONCEs (developer.wordpress.org)
Why NONCEs Help Prevent Spam
- They ensure the submission originated from your website.
- They block attempts to submit data directly to the form endpoint without first loading the form page.
- They reduce the likelihood of automated spam bots successfully posting entries.
This makes NONCEs an effective additional layer of security alongside other WS Form spam protection features like reCAPTCHA, hCaptcha, Cloudflare Turnstile, keyword blocking, and IP throttling.
Important Consideration: Caching and NONCE Expiration
WordPress NONCEs are time-sensitive. By default, they expire after 12–24 hours: WordPress divides the default 24-hour lifetime into two 12-hour "ticks", and a token is accepted during the tick in which it was generated and the one that follows, so how long a given token lasts depends on when in that cycle it was issued (the lifetime itself can also be changed by your site's configuration). This helps keep them secure, but it also introduces a consideration for websites that use caching.
If a page with a form is cached for too long, the NONCE embedded in the form may go stale. That means when a user tries to submit the form, the submission will be rejected because the NONCE is no longer valid.
To avoid this problem:
- Keep your page cache lifetime to 10 hours or less when NONCEs are enabled, so cached copies of the form are refreshed before the shortest possible NONCE lifetime (12 hours) is reached.
- If your site uses aggressive caching (for example, full-page caching with CDNs), test your forms to ensure submissions work correctly.
- Remember that if a user is logged in, WS Form always enforces NONCE checks regardless of your setting. This is required to identify the user when submitting the form.
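To make the mechanism described above concrete, here is an added example of a plain WordPress NONCE round trip. It is illustrative code written for this page, not WS Form's own implementation (WS Form adds and checks its NONCE for you), and the function names, the action string 'ws_demo_contact' and the field name '_ws_demo_nonce' are invented for the demonstration. It shows where a stale cached page makes the check fail, how the "aging token" return value can warn you that your cache lifetime is creeping up on the NONCE lifetime, and how the 12–24 hour window arises from WordPress's two-tick scheme.

```php
<?php
/**
 * Added example (not WS Form's code): a minimal WordPress nonce round trip.
 * Hypothetical names: ws_demo_* functions, action 'ws_demo_contact',
 * hidden field '_ws_demo_nonce'. Assumes it runs inside a WordPress plugin.
 */

// Render the form. wp_nonce_field() prints a hidden input holding the token,
// which is tied to the action name and (for logged-in users) the user and session.
function ws_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'ws_demo_contact', '_ws_demo_nonce' ); ?>
        <input type="hidden" name="action" value="ws_demo_contact">
        <input type="email" name="email" required>
        <button type="submit">Send</button>
    </form>
    <?php
}

// Handle the submission for both logged-out and logged-in visitors.
add_action( 'admin_post_nopriv_ws_demo_contact', 'ws_demo_handle' );
add_action( 'admin_post_ws_demo_contact', 'ws_demo_handle' );

function ws_demo_handle() {
    $nonce  = isset( $_POST['_ws_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_ws_demo_nonce'] ) )
        : '';
    $result = wp_verify_nonce( $nonce, 'ws_demo_contact' );

    if ( false === $result ) {
        // Token missing, not issued by this site, or older than its 12-24 hour
        // window. A page cache that outlives the nonce lands here.
        wp_die( esc_html__( 'This form has expired. Please reload the page and try again.', 'ws-demo' ), 403 );
    }

    if ( 2 === $result ) {
        // Valid, but generated in the previous tick (12-24 hours ago). On a cached
        // site this is an early warning that the cache lifetime is too close to
        // the nonce lifetime; log it before visitors start seeing failures.
        error_log( 'ws_demo: accepted an aging nonce; check the page cache lifetime.' );
    }

    // ... process the entry here ...

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url( '/' ) );
    exit;
}

/**
 * Seconds for which a nonce generated right now will remain valid.
 * WordPress splits the nonce lifetime (default DAY_IN_SECONDS, filterable via
 * 'nonce_life') into two ticks; a nonce is accepted during its own tick and the
 * next one, so the effective window is between half and the full lifetime,
 * i.e. between 12 and 24 hours by default.
 */
function ws_demo_nonce_seconds_remaining() {
    $life         = (int) apply_filters( 'nonce_life', DAY_IN_SECONDS );
    $half         = $life / 2;
    $current_tick = ceil( time() / $half ); // same arithmetic as wp_nonce_tick()
    // The token stops being accepted once tick (current + 2) begins.
    return (int) ( ( $current_tick + 1 ) * $half - time() );
}
```

Call ws_demo_render_form() from a template to output the form. The value returned by ws_demo_nonce_seconds_remaining() is what your page cache lifetime has to stay below: at the start of a tick it is close to 24 hours, at the end of a tick only 12, which is why a cache lifetime of 10 hours or less is the safe margin.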
When to Use NONCE Protection
You should consider enabling NONCE protection if:
- Your site is experiencing spam form submissions that aren’t blocked by CAPTCHAs or other tools.
- You want to add another layer of verification to ensure only real form visits can lead to submissions.
You may wish to leave it disabled if:
- Your site relies on very long cache lifetimes (greater than 10 hours) and you want to avoid potential submission failures.
Conclusion
NONCEs in WS Form provide an extra safeguard against spam and malicious activity. They are easy to enable and can dramatically reduce unwanted submissions. Just keep in mind the relationship between NONCEs and page caching to ensure your visitors never run into expired tokens.