Invalid security nonce (can’t login / register to my website, or other Ajax requests)

You are here:
Estimated reading time: 1 min

Depending on your caching settings, you might get the error “Form Nonce is Incorrect” when trying to login through the Account dropdown panel’s forms.

This basically happens because the caching solution used on the store is also caching the security “nonces”.

Nonces are security tokens in WordPress. They get printed into the HTML source code.

Nonces can only be used once (hence “n once”), and they are only valid for a certain length of time: 12 hours by default, but developers can change that value.

On a cached page, the nonce can expire in the background while its ID is still present in the HTML source code of the page. If that happens, the HTML source is referencing an invalid nonce and things break.

This can affect all kinds of functionality, from form validation to the visual appearance of the page.

The fix is to look into your caching plugin’ settings and locate the Cache Lifespan options and change it to 8hr or less.

Recommended solutions:

In WP Rocket decrease the cache lifespan eg: .

In LiteSpeed, access settings and click on “Show Advanced Options” tab. Click on the tab ESI and enable it eg: . Make sure to purge all caches. You can also try adding rey_nonce inside the ESI Nonces box.

Alternative solution:

An alternative solution is to force pulling the actual active session nonce. To do this, please paste this php code snippet into the child theme’s functions.php (or Code Snippets plugin). This will renew the rendered nonces when the visitor clicks the Account button to open the dropdown/offcanvas.

More about this topic:

Was this article helpful?
Dislike 2
Views: 1477

Suggest article improvements

Please use this form to suggest improvements and report missing or outdated content. Support requests will most likely not be answered and it's best to use the Support Request Form instead. Thanks!