
"Are You Sure You Want to Do This?" (Nonce Error)

WordPress blocked an action because the security token (nonce) on the form or link was missing, expired, or invalid.

What you see

Are you sure you want to do this?
Please try again.

What’s actually happening

You click a button, save a setting, or follow an admin link and land on a near-blank page asking if you're sure, with a "Please try again" link. Nothing got saved. It often hits after a form sat open too long, on a heavily cached page, or right after you changed something in wp-config.php. WordPress attaches a one-time token (nonce) to sensitive actions and rejects the request when it can't verify that token.

Common causes

  • The nonce expired — by default a nonce lives ~24 hours, so a login session or open editor tab that sat overnight sends a stale token
  • A page caching layer or CDN served a cached page containing an already-used or expired nonce
  • Changed or mismatched security keys/salts in wp-config.php invalidated every existing nonce at once
  • A plugin or theme generated the nonce with the wrong action name, or omitted wp_verify_nonce on the receiving end
  • Cookies aren't sticking (wrong site URL, subdomain mismatch), so the user session the nonce is tied to can't be confirmed
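Each cause above changes one input to the keyed hash that the nonce is checked against. The Python sketch below is an added example, not WordPress's own code: it is a simplified model of that check, and the salt, user ID, session token and action names are constructed values.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60  # default lifetime in seconds (the ~24 hours noted above)


def tick(now):
    # Time is split into half-lifetime windows; the window number is hashed in.
    return math.ceil(now / (NONCE_LIFE / 2))


def make_nonce(salt, action, user_id, session, window):
    # Keyed hash over window | action | user | session token, cut to 10 characters.
    msg = f"{window}|{action}|{user_id}|{session}".encode()
    return hmac.new(salt.encode(), msg, hashlib.md5).hexdigest()[-12:-2]


def verify_nonce(nonce, salt, action, user_id, session, now):
    # 1 = issued in the current window, 2 = issued in the previous one, False = rejected.
    current = tick(now)
    for result, window in ((1, current), (2, current - 1)):
        expected = make_nonce(salt, action, user_id, session, window)
        if hmac.compare_digest(expected, nonce):
            return result
    return False


# Constructed sample values (assumptions for this example, not real keys or sessions).
GOOD = dict(salt="constructed-key-and-salt", action="save_settings",
            user_id=7, session="constructed-session-token")
T0 = 1_700_000_000  # moment the form was rendered


def demo():
    nonce = make_nonce(window=tick(T0), **GOOD)

    def check(now=T0, **changed):
        return verify_nonce(nonce, now=now, **{**GOOD, **changed})

    return {
        "fresh": check(),
        "tab open 13h": check(now=T0 + 13 * 3600),
        "tab open 25h": check(now=T0 + 25 * 3600),
        "salts changed": check(salt="rotated-key-and-salt"),
        "action mismatch": check(action="save_setting"),
        "session cookie not sent": check(user_id=0, session=""),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} -> {result}")
```

Every rejected case lands on the same "Are you sure you want to do this?" page, which is why the error message alone does not tell you which cause applies.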

How to fix it

  1. Refresh and retry first: Hard-reload the page (Cmd/Ctrl+Shift+R) to fetch a fresh nonce, then redo the action. A genuinely expired token clears instantly this way. If you were logged in for a long time, log out and back in to start a new session.
  2. Exclude admin and dynamic pages from cache: If it happens on the front end (comment forms, add-to-cart), your cache is serving stale nonces. In your caching plugin/CDN, exclude wp-admin, logged-in users, and any page with a nonce-bearing form. Never cache /wp-login.php.
  3. Check the salts in wp-config.php: If the error started after editing wp-config.php, confirm the AUTH_KEY/SALT block is intact and not duplicated. Regenerating salts from the WordPress secret-key API logs everyone out but issues clean nonces — useful if you suspect compromised keys, disruptive otherwise.
  4. Bisect plugins and theme: If one specific action always fails, deactivate plugins until it stops, then switch to a default theme. A plugin calling wp_nonce_field with one action string but verifying with another fails every time — that's a code bug to report or patch, not a config issue.
  5. Fix cookie/URL mismatches: Confirm Site Address and WordPress Address match what's in the browser bar (http vs https, www vs non-www). If they disagree, the auth cookie the nonce depends on isn't sent, so verification fails.

Stop it recurring

Don't full-page-cache logged-in sessions or forms, and don't leave the editor open for hours — save in passes.
