sfw/fix
Nonce Failed medium

Are you sure you want to do this? Please try again

A WordPress nonce security check failed, so the action was rejected as possibly forged or expired.

What you see

Are you sure you want to do this?
Please try again.

What’s actually happening

You submit a form, save settings, activate a plugin, or follow an admin link and instead of the action completing you get this two-line challenge. Hitting back and resubmitting sometimes works, sometimes loops. It tends to cluster around long edit sessions, multi-tab admin work, or one specific plugin's settings page.

Common causes

  • An expired nonce — you left a form open longer than the nonce lifetime (default 24 hours, refreshed at 12) and the token went stale.
  • A caching layer (page cache, CDN, or a caching plugin) serving a stale page with an old nonce baked into the form.
  • PHP memory exhaustion cutting the request short before the nonce verifies, so the check silently fails.
  • A plugin or theme generating a nonce with one action name and verifying it with another, or not regenerating it after login.
  • Session/cookie problems — wrong COOKIE_DOMAIN, an auth cookie that didn't refresh, or clock skew between servers.

How to fix it

  1. Reload and resubmitThe cheap fix: go back, hard-refresh the form page (Ctrl/Cmd+Shift+R) to pull a fresh nonce, and submit again. If it was just an expired token from a stale tab, this clears it.
  2. Exclude admin pages from cachingIf a cache plugin or CDN is the cause, make sure wp-admin and logged-in users are never cached. In WP Rocket/W3TC/LiteSpeed there's a 'don't cache for logged-in users' toggle. On Cloudflare, add a bypass rule for /wp-admin/* and /wp-login.php. Then purge the cache.
  3. Raise the PHP memory limitAdd define('WP_MEMORY_LIMIT', '256M'); to wp-config.php. A request that runs out of memory mid-verification produces this exact error, so rule it out by checking wp-content/debug.log with WP_DEBUG_LOG on.
  4. Isolate the pluginIf it only happens on one plugin's screen or action, that plugin is mishandling nonces. Deactivate it to confirm, update it, or report it. Renaming wp-content/plugins to test in bulk works if you're not sure which one.
  5. Check cookie and clock settingsIf it's site-wide right after a domain/SSL change, verify COOKIE_DOMAIN and the site URLs in wp-config.php and Settings > General. Clear browser cookies for the domain. On multi-server setups, make sure system clocks are in sync — nonce math is time-based.

Stop it recurring

Exclude logged-in/admin traffic from all caching layers and keep PHP memory at 256M or higher.

Related errors

WordPress "Sorry, you are not allowed to access this page"

high

WordPress denies wp-admin because your user's role/capabilities are missing or the table prefix doesn't match the database.

WordPress White Screen of Death

critical

A blank white page with no error is WordPress’s "white screen of death" — a fatal error with display turned off.

Error Establishing a Database Connection

critical

WordPress can’t reach its database — the whole site goes down with this single line. Here’s how to restore it.

There Has Been a Critical Error on This Website

high

WordPress's fatal-error protection caught an uncaught PHP error from a plugin, theme, or PHP incompatibility and replaced the page.