sfw/fix
Nonce expired medium

WordPress "The link you followed has expired"

WordPress rejects a form POST because it exceeded PHP's upload size limits or the security nonce timed out.

What you see

The link you followed has expired.
Please try again.

What’s actually happening

Two completely different problems wear this same message, and the text points at neither. Most often it fires the instant you upload a chunky theme/plugin zip or a large image — that's a size limit, even though nothing on screen says "too big". The other version shows up after a page has sat open for half a day, or on a heavily-cached login/admin page, and that one is a stale nonce. Knowing which you've got decides the fix.

Common causes

  • Upload bigger than upload_max_filesize, or the whole POST bigger than post_max_size (post_max_size must be larger than upload_max_filesize, or uploads silently truncate).
  • The page's wp_nonce has aged past its window — nonces are valid 12-24 hours by default, so a tab left open overnight POSTs a dead token.
  • A page cache (or Cloudflare full-page cache) served a cached admin/login page with a long-stale nonce baked into the HTML.
  • max_input_vars too low — a large menu, ACF field group, or theme options screen sends more than 1000 fields and PHP drops the rest, so the nonce field never arrives.
  • mod_security or a host POST-size cap (LiteSpeed's, nginx client_max_body_size) chops the request before PHP even parses it.

How to fix it

  1. Decide which failure it isDid it fail on an upload or a 'Save'? Suspect size. Did it fail after the page sat idle, or on a cached page? Suspect nonce. The fixes don't overlap, so don't raise PHP limits to cure a caching bug.
  2. Raise the PHP upload/POST limitsIn php.ini (or a .user.ini in the webroot on shared hosting): upload_max_filesize = 64M, post_max_size = 128M, max_execution_time = 300, max_input_vars = 3000. Confirm it actually applied at Tools > Site Health > Info > Server — wp-admin shows the real runtime value, which often differs from the php.ini you edited if PHP-FPM didn't reload.
  3. If it's nonce-only, exclude admin from the cacheTell your cache plugin and CDN never to cache wp-admin, wp-login.php, or logged-in sessions. In Cloudflare, add a cache rule bypassing /wp-admin/* and the wordpress_logged_in_* cookie. Stale cached nonces vanish once admin pages stop being cached.
  4. Bump max_input_vars for big formsIf a specific giant settings page or menu editor triggers it, max_input_vars is the usual culprit. Raise it to 5000 and retry that exact screen.
  5. Check the host's hard cap.user.ini changes do nothing if the host enforces a lower limit at the server. On LiteSpeed/nginx you may need the host to lift client_max_body_size or the LiteSpeed request body limit.

Stop it recurring

Set upload/post limits generously in php.ini up front and keep wp-admin and wp-login.php on a permanent cache-bypass rule.

Related errors

WordPress "Sorry, this file type is not permitted for security reasons"

medium

WordPress rejects an upload because its extension or sniffed MIME type isn't in the allowed-uploads whitelist.

WordPress "Updating failed." / "Publishing failed." (Block Editor)

high

The block editor can't get a valid JSON reply from the REST API, so saves and publishes fail.

WordPress "Error: Cookies are blocked due to unexpected output"

high

Stray output before the login headers stops WordPress from setting the auth cookie, so login fails.

WordPress White Screen of Death

critical

A blank white page with no error is WordPress’s "white screen of death" — a fatal error with display turned off.