diff --git a/wp-admin/ms-delete-site.php b/wp-admin/ms-delete-site.php
index 8b26b0b6a3..2ae22339b7 100644
--- a/wp-admin/ms-delete-site.php
+++ b/wp-admin/ms-delete-site.php
@@ -34,6 +34,8 @@ screen_icon();
 echo '<h2>' . esc_html( $title ) . '</h2>';
 
 if ( isset( $_POST['action'] ) && $_POST['action'] == 'deleteblog' && isset( $_POST['confirmdelete'] ) && $_POST['confirmdelete'] == '1' ) {
+	check_admin_referer( 'delete-blog' );
+
 	$hash = wp_generate_password( 20, false );
 	update_option( 'delete_blog_hash', $hash );
 
@@ -68,11 +70,12 @@ Webmaster
 	<p><?php _e( 'Remember, once deleted your site cannot be restored.' ) ?></p>
 
 	<form method="post" name="deletedirect">
+		<?php wp_nonce_field( 'delete-blog' ) ?>
 		<input type="hidden" name="action" value="deleteblog" />
 		<p><input id="confirmdelete" type="checkbox" name="confirmdelete" value="1" /> <label for="confirmdelete"><strong><?php printf( __( "I'm sure I want to permanently disable my site, and I am aware I can never get it back or use %s again." ), is_subdomain_install() ? $current_blog->domain : $current_blog->domain . $current_blog->path ); ?></strong></label></p>
 		<?php submit_button( __( 'Delete My Site Permanently' ) ); ?>
 	</form>
-	<?php
+ 	<?php
 }
 echo '</div>';