I know that the REST API is a huge topic of conversation in WordPress right now, and rightfully so, but there are still times when we have to use admin-ajax (as it's coming to be known) for a variety of reasons.
- Perhaps it’s an application,
- Perhaps time doesn’t allow for creating the necessary endpoints,
- Perhaps you’re more comfortable with admin-ajax,
- And so on.
Regardless of your reasons for using it (which I still do, for whatever that's worth), I think it's important to make sure we're sending secure Ajax requests in WordPress using nonces, just as you would if you were submitting traditional form data.
If you search the web for results on how to do that, you’ll come up with a variety of answers, and this will be just another drop in the proverbial bucket.
But if you’re curious for a recipe for how to handle it, this is how I do it each time.