What a Nonce Error in WordPress

When running a WordPress website, you want to keep it secure so that your forms, content, data, and users are safe from attacks and other malicious activity. One way you can do that is by using nonces.

Nonces are one-time tokens designed to protect forms and URLs from certain types of misuse, like Cross-Site Request Forgery (CSRF). Basically, a nonce is generated for a given user in a given context so that it’s unique to not only the WordPress install and user, but to the action, the object of the action, and the time of the action.

So let’s say a user opens a post to edit in their WordPress dashboard, then decides to delete it. When submitting the request to delete it, WordPress will verify if a previously generated nonce expected for this exact WordPress install, user, purpose, post, and time period was sent along. It will then decide if the user’s request can be safely processed. If it can’t, then it will return an error message.

This error mechanism is designed to prevent repeated, expired, malicious, or otherwise unwanted submissions and requests from being processed on your WordPress website — but it can also prevent real users from submitting forms or completing other actions on your site.

In this post, we’ll take a closer look at what a nonce error is and why it occurs, then walk through the different ways you can fix it.

While a nonce stands for a “number used once,” WordPress nonces can actually be used more than once by the same user — as long as it’s within the nonce’s limited lifetime. After that period of time, the nonce will be considered invalid. In WordPress, the default lifetime of a nonce is one day.

Remember that a nonce will also be considered invalid if the WordPress install, user, action, or object of the action is changed.

If your WordPress website determines that the nonce is invalid and the request cannot be safely processed, it will deliver an error message that looks something like this:

What causes a nonce error?

A nonce error is caused when a user makes a request without having the correct nonce generated by WordPress and given to the user. A user might be trying to complete the following actions:

  • publish a new post or page
  • upload a plugin
  • upload a theme
  • upload a video or other media files
  • create a user
  • delete posts or pages
  • create tags and categories

For example, let’s say you implement nonces on your site Then WordPress will add nonce keys to the end of URLs. So a URL to delete a post on your site might look something like this:

http://example.com/wp-admin/users.php?user=2&action=delete&_wpnonce=b192fc4204

If a user tries to replace the user ID with another value, such as “user=4”, or the action ID with another, or log in and out, then the nonce will be invalid and attempting to visit that link will result in a nonce error.

In this hypothetical, the issue could be that the user is actually a hacker attempting to gain access to your website or content. Or the user could be completely legitimate and the problem could be with one of your plugins, themes, or WordPress files.

Fixing a Nonce Error

Nonce errors are frustrating for you and your users. For assistance fixing your site or identifying the underlying cause just get in touch.

Last updated byChris Grant (he/him)Chris Grant (he/him) on 3rd March 2022