When running a WordPress website, you want to keep it secure so that your forms, content, data, and users are safe from attacks and other malicious activity. One way you can do that is by using nonces.
Nonces are one-time tokens designed to protect forms and URLs from certain types of misuse, like Cross-Site Request Forgery (CSRF). Basically, a nonce is generated for a given user in a given context so that it’s unique to not only the WordPress install and user, but to the action, the object of the action, and the time of the action.
So let’s say a user opens a post to edit in their WordPress dashboard, then decides to delete it. When submitting the request to delete it, WordPress will verify if a previously generated nonce expected for this exact WordPress install, user, purpose, post, and time period was sent along. It will then decide if the user’s request can be safely processed. If it can’t, then it will return an error message.
This error mechanism is designed to prevent repeated, expired, malicious, or otherwise unwanted submissions and requests from being processed on your WordPress website — but it can also prevent real users from submitting forms or completing other actions on your site.
In this post, we’ll take a closer look at what a nonce error is and why it occurs, then walk through the different ways you can fix it.
While a nonce stands for a “number used once,” WordPress nonces can actually be used more than once by the same user — as long as it’s within the nonce’s limited lifetime. After that period of time, the nonce will be considered invalid. In WordPress, the default lifetime of a nonce is one day.
Remember that a nonce will also be considered invalid if the WordPress install, user, action, or object of the action is changed.
If your WordPress website determines that the nonce is invalid and the request cannot be safely processed, it will deliver an error message that looks something like this:
What causes a nonce error?
A nonce error is caused when a user makes a request without having the correct nonce generated by WordPress and given to the user. A user might be trying to complete the following actions:
- publish a new post or page
- upload a plugin
- upload a theme
- upload a video or other media files
- create a user
- delete posts or pages
- create tags and categories
For example, let’s say you implement nonces on your site Then WordPress will add nonce keys to the end of URLs. So a URL to delete a post on your site might look something like:
http://example.com/wp-admin/users.php?user=2&action=delete&_wpnonce=b192fc4204
If a user tries to replace the user ID with another value, such as “user=4”, or the action ID with another, or log in and out, then the nonce will be invalid and attempting to visit that link will result in a nonce error.
In this hypothetical, the issue could be that the user is actually a hacker attempting to gain access to your website or content. Or the user could be completely legitimate and the problem could be with one of your plugins, themes, or WordPress files.
Below we’ll discuss possible causes of the nonce error in more depth and walk through different ways to fix it.
How to Fix Nonce Error
- Refresh your browser.
- Temporarily deactivate your plugins.
- Revert back to a default theme.
- Replace your WordPress core files.
1. Refresh your browser.
This might sound too easy. But as with most errors, you need to make sure that whatever issue you’re having isn’t a temporary glitch. So refresh your browser and try repeating the action that causes the nonce error.
If you still get that “Are you sure you want to do this?" message, then move onto the next step.
2. Temporarily deactivate your plugins.
Certain WordPress plugins might be causing the nonce error on your site if they aren’t properly coded with nonce capabilities.
If you recently uploaded a new plugin and you or your users are just seeing the nonce error upload failed, try deactivating that plugin.
If that doesn’t resolve the error, then try deactivating your plugins one-by-one. If the nonce error goes away after deactivating a plugin, then you can reach out to the plugin developer to troubleshoot, or find an alternative to use on your site.
If the nonce error doesn’t go away, then go ahead and re-activate your plugins and try the next step.
3. Revert back to a default theme.
Your theme is another culprit that could be causing the nonce error on your site. Try switching back to a default theme and then re-submitting the request that caused the nonce error. If it doesn’t occur, then it could have been your previous theme that was causing the issue. In that case, you can stick with the default theme or try another alternative.
If the nonce error doesn’t go away, then go ahead and re-install your theme and try the next step.
4. Replace your WordPress core files.
If the steps above haven’t resolved the issue, then you’ll need to replace your WordPress core files. It’s possible these files have been improperly modified by a plugin or theme, which is causing the nonce error.
To replace your WordPress core files with clean, unmodified ones, follow the steps below.
- Backup your website manually or with a plugin first.
- Download WordPress and unzip it on your device.
- Log in to your site via an FTP client.
- In the main wordpress folder, delete wp-config-sample.php and the wp-content folder. If you don’t delete these files, they’ll overwrite your current site data.
- Use your FTP client to place the new WordPress core files on your hosting server and replace the current files.
Fixing a Nonce Error
Nonce errors are frustrating for you and your users. By following the steps above, you’ll hopefully resolve the issue with minimal impact to your WordPress website or UX.