Nonces are not stored directly anywhere, they are created using the function wp_create_nonce and validated using the wp_verify_nonce.

Those functions in turn use wp_hash to hash together a lifespan, a custom string, the user_id and the session token stored in wp_usermeta with the key session_tokens.

Nonces are one-time tokens generated by WordPress to validate various requests, such as adding a comment, deleting a post, removing a user, etc.

They're not stored anywhere, nor do they need to be.

Take the following example; when managing content in WordPress, the Bin link may look something like this:

http://www.example.com/wp-admin/post.php?post=1337&action=trash&_wpnonce=369f188682

However, if you were to try and change the ID of the page/post in the URL to something else (see below), the nonce would no longer be valid, return a 403 error, and display: "Are you sure you want to do this?"

http://www.example.com/wp-admin/post.php?post=9100&action=trash&_wpnonce=369f188682

Adding a hidden _nonce field (take Contact Form 7 as a prime example) is generally good practice when implementing forms into WordPress, as it prevents Cross-Site Request Forgery (CSRF), etc.

Resources:

• WordPress Nonces
• Nonce
• Cross-Site Request Forgery

I posted this question 11 months ago.

All the answers that I received were great and helped me a lot.

But none of them addressed the storage location of WordPress nonces. That's what my real question was.

So, I dug up WordPress source code and was able to find the correct storage location of WordPress nonces.

They are stored in user sessions.

They are unique tokens stored in user's session. Nonces have a defined life span.

If the user logs out of WordPress, the nonces will no longer be valid.

PS: I asked this question and now I am posting this answer to help others :)