diff --git a/src/Modules/Login.php b/src/Modules/Login.php
index e1e9f16f..06ba26ab 100644
--- a/src/Modules/Login.php
+++ b/src/Modules/Login.php
@@ -139,10 +139,12 @@ public function authenticate( $user = null ) {
 return $user;
 }
- if ( empty( $decoded_state['nonce'] ) || ! wp_verify_nonce( $decoded_state['nonce'], 'login_with_google' ) ) {
+ if ( empty( $decoded_state['nonce'] ) || ! get_transient( 'rtcamp_google_oauth_state_' . $decoded_state['nonce'] ) ) {
 return $user;
 }
+ delete_transient( 'rtcamp_google_oauth_state_' . $decoded_state['nonce'] ); // One-time use only.
+
 try {
 $this->gh_client->set_access_token( $code );
 $user = $this->gh_client->user();
diff --git a/src/Utils/GoogleClient.php b/src/Utils/GoogleClient.php
index ecb09865..7dbab32d 100644
--- a/src/Utils/GoogleClient.php
+++ b/src/Utils/GoogleClient.php
@@ -244,10 +244,19 @@ public function user(): \stdClass {
 * @return string
 */
 public function state(): string {
- $state_data['nonce'] = wp_create_nonce( 'login_with_google' );
+ $state_data = [];
+
+ $state_data['nonce'] = wp_generate_password( 32, false ); // Strong random token.
 $state_data = apply_filters( 'rtcamp.google_login_state', $state_data );
 $state_data['provider'] = 'google';
+ // Store it in a transient keyed by the visitor.
+ set_transient(
+ 'rtcamp_google_oauth_state_' . $state_data['nonce'],
+ 1,
+ apply_filters( 'rtcamp.google_login_oauth_state_expiration', 15 * MINUTE_IN_SECONDS )
+ );
+
 return base64_encode( wp_json_encode( $state_data ) );
 }
 }
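Review bot: `$decoded_state['nonce']` comes straight out of the callback's decoded state and is concatenated into the transient key with no shape check, even though `state()` only ever issues 32-character alphanumeric tokens from `wp_generate_password( 32, false )`; a non-string or arbitrary-length value should be rejected before it is used as an option name, e.g. `if ( empty( $decoded_state['nonce'] ) || ! is_string( $decoded_state['nonce'] ) || ! ctype_alnum( $decoded_state['nonce'] ) || ! get_transient( 'rtcamp_google_oauth_state_' . $decoded_state['nonce'] ) ) {`. The `get_transient()` check followed by a separate `delete_transient()` is not a single operation, so two callbacks arriving with the same state in that window could both pass; since `delete_transient()` returns `false` when nothing was stored under that key, using its return value as the check (`|| ! delete_transient( 'rtcamp_google_oauth_state_' . $decoded_state['nonce'] )`) consumes and verifies in one step and makes the trailing delete unnecessary. Note also that this check only proves the token was issued and is unexpired — the key carries nothing identifying the browser that started the flow — so unless something outside this hunk binds the state to the visitor's session, the comment `// One-time use only.` describes the full extent of the protection and the docblock of `authenticate()` (which begins outside the hunk) should say so.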
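Review bot: The comment `// Store it in a transient keyed by the visitor.` overstates what the code does — the key is built from the random nonce alone and contains nothing identifying the visitor — so it should read `// Store it in a transient keyed by the nonce so the callback can confirm it was issued here and has not expired.` The nonce is also read back for the transient key only after `apply_filters( 'rtcamp.google_login_state', $state_data )`, which lets a filter drop or replace it (an undefined index, or a stored key that never matches what is sent); `provider` is assigned after the filter precisely so it cannot be overridden, and moving `$state_data['nonce'] = wp_generate_password( 32, false );` to the same position would keep the stored key and the encoded value in lockstep, assuming no filter legitimately needs to see the nonce. The docblock above `state()` (its start is outside the hunk, only `@return string` is visible) should now document the side effect of writing a transient and name the new `rtcamp.google_login_oauth_state_expiration` filter and its 15-minute default.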