Disabling CSRF Checking for WP SMS Unsubscribe through URL

Updated on Apr 28, 2024

Introduction: The WP SMS plugin simplifies SMS newsletter management. To enhance user experience, it allows unsubscribing via a custom URL. Typically, the plugin employs CSRF checks for security. This guide outlines steps to disable CSRF checking, ensuring smooth unsubscribes without compromising security.


  • Active WordPress site with WP SMS plugin.
  • Access to WordPress admin dashboard.
  • Basic knowledge of WordPress and PHP.

Disabling CSRF Checking:

Step 1: Locate WP SMS Files Access your WordPress admin dashboard and navigate to the theme or plugin editor. Find the file handling WP SMS functionalities.

Step 2: Add the Filter Within the chosen file, insert the filter:

add_filter('wpsms_unsubscribe_csrf_enabled', '__return_false');

This filter deactivates CSRF checks, enabling unrestricted unsubscribes.

Step 3: Implementation Explanation The added filter negates CSRF checks during unsubscribe attempts via URL. The original code verifies nonces, denying access if verification fails.

Step 4: Save Changes and Test After adding the filter, save the file. Test the unsubscribe functionality using the custom URL (e.g., https://site.com/?wpsms_unsubscribe=1xxxxxxxxxxx). Users should now unsubscribe seamlessly.

Conclusion: By following these steps and implementing the provided filter, CSRF checks for WP SMS unsubscribes are disabled. Prioritize website security while enhancing user experience. For further inquiries or assistance, reach out.