http status code 403 - WordPress "admin-ajax.php" using invalid nonce - Stack Overflow

First of all, let me state that I don't have any coding knowledge; I just manage a WordPress site, and since I couldn't find a solution anywhere else, I decided to write here.

I manage an e-commerce site, and some of the buttons on the site, like the "Buy Now" button, start "not responding" after a certain period of time. I can't measure the exact time, but if I don't perform the "Purge Cache" action within an 18-24 hour window, the buttons stop working.

When I inspect the buttons through the console, I see a "403 Forbidden" error on "admin-ajax.php".

When I click the "Purge Cache" button (on WP Rocket, Cloudflare) the issue is resolved, but I can't always be at my computer to clear the cache.

After doing some research, I learned that this issue might be related to "WordPress Nonce". Specifically:

  • I use Cloudflare and WP Rocket, static pages are cached, but dynamic processes are not cached.

  • When the nonce expires, if I click on the dynamic content like the "Buy Now" button, the request is sent with the old nonce instead of the current one, which causes the 403 error on the buttons.

In short, how can I ensure that admin-ajax.php always uses the current nonce automatically? When WordPress generates a new nonce, how can I make sure that admin-ajax.php dynamically uses the new nonce without performing the "Purge Cache"?

I may have used some incorrect terms due to my lack of knowledge, and I apologize for that, but I think you understand the issue. I would appreciate your help.

I couldn't try anything because I don't have any knowledge.

asked Feb 15 at 7:33 by Soras kabas

2 Answers

The issue is indeed related to WordPress nonces which are temporary security tokens. Since your site is caching pages, the old nonce gets cached, and when it expires, the site still tries to use it causing that 403 Forbidden error on admin-ajax.php.

Since you’re using WP Rocket & Cloudflare, there are a couple of ways to fix it without needing to clear the cache manually.

By default, WP Rocket and Cloudflare might cache everything, including the nonces. Try excluding nonces from caching by adding the following URL patterns to your Cloudflare Page Rules or WP Rocket settings.

/wp-admin/admin-ajax.php*

/wp-json/*

This will make sure that the dynamic parts of your site don’t get cached, while still keeping the rest of the site fast.

Since WordPress nonces expire every 12-24 hours, you can use a plugin for Nonce Refresh or add a small JavaScript snippet that refreshes nonces automatically in the background. A developer could help implement something like this.

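    // Assumes the site registers a 'refresh_nonce' AJAX handler that returns
    // JSON such as { "new_nonce": "..." }.
    setInterval(() => {
        fetch('/wp-admin/admin-ajax.php?action=refresh_nonce')
            .then(response => response.json())
            .then(data => {
                if (data.new_nonce) {
                    // Replace the nonce on every button that carries one
                    document.querySelectorAll('.your-button-class').forEach(btn => {
                        btn.dataset.nonce = data.new_nonce;
                    });
                }
            });
    }, 3600000); // Runs every hour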

Cloudflare Workers can help serve fresh nonces dynamically without caching issues. If you’re not comfortable with coding, you might need a developer for this part.

If you're stuck, try reducing your cache expiration time in Cloudflare to something shorter like 6-12 hours.

Your best approach is probably excluding nonces from caching.

I hope this helps!!
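One way to handle the stale nonce at click time rather than on a timer, as an added example that is not part of the original answer: send the request with the nonce from the page and, on a 403, fetch a fresh nonce and retry once. The `refresh_nonce` action and `new_nonce` field are taken from the snippet above and must be implemented on the server; the `nonce` field name, the `fetchImpl` parameter and the function names are assumptions.

```javascript
// Added example: names marked "assumed" are not from the original answer.
const AJAX_URL = '/wp-admin/admin-ajax.php';

// Ask the server for a nonce that is valid right now. 'refresh_nonce' and
// 'new_nonce' are the names used in the answer's snippet; the site must
// implement that action itself.
async function fetchFreshNonce(fetchImpl = fetch) {
  const res = await fetchImpl(`${AJAX_URL}?action=refresh_nonce`, {
    credentials: 'same-origin',
    cache: 'no-store', // never let the browser reuse an old nonce response
  });
  if (!res.ok) throw new Error(`nonce refresh failed: HTTP ${res.status}`);
  const data = await res.json();
  if (!data.new_nonce) throw new Error('nonce refresh returned no new_nonce');
  return data.new_nonce;
}

// POST an AJAX action using the nonce found in the (possibly cached) HTML.
// On a 403, fetch a fresh nonce and retry exactly once, so a genuine
// permission error is not retried forever.
async function postWithNonce(action, cachedNonce, fields = {}, fetchImpl = fetch) {
  const send = (nonce) => fetchImpl(AJAX_URL, {
    method: 'POST',
    credentials: 'same-origin',
    body: new URLSearchParams({ ...fields, action, nonce }), // 'nonce' field name assumed
  });
  let nonce = cachedNonce;
  let res = await send(nonce);
  if (res.status === 403) {
    nonce = await fetchFreshNonce(fetchImpl);
    res = await send(nonce);
  }
  return { status: res.status, nonce };
}
```

The refresh endpoint only helps if its response is itself excluded from page and edge caching, and it should stay same-origin so the nonce keeps its value as a CSRF token.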

I think the problem here is that the 'nonce' remains embedded in the HTML code of the cached page. Even though my "dynamic content is not cached", the nonce is stored within the cached HTML. When its validity period expires, the nonce is not refreshed. So, even if my dynamic content is set to 'no cache,' the requests still use the old nonce stored in the cache. So, I don't have an issue with dynamic content being cached, but the WordPress nonces are embedded in the cached HTML page. When a new nonce is generated, my content still sends requests using the old cached nonce instead of the valid one.
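Why a cached page breaks after roughly 12 to 24 hours, as an added example that is not part of the original posts: a small model of WordPress's default nonce timing, where a nonce is tied to a 12-hour tick and accepted for the current and the previous tick. It assumes the default 24-hour `nonce_life`; the function names are made up for illustration.

```javascript
// Added example: a timing model only, no hashing. Times are Unix seconds.
const NONCE_LIFE = 24 * 3600;  // WordPress default nonce_life (one day)
const HALF = NONCE_LIFE / 2;   // length of one nonce tick: 12 hours

// Mirrors wp_nonce_tick(): ceil(time / (nonce_life / 2)).
const nonceTick = (t) => Math.ceil(t / HALF);

// Mirrors the acceptance rule of wp_verify_nonce(): a nonce minted in tick i
// is accepted while the server is in tick i or tick i + 1.
function nonceAcceptedAt(mintedAt, checkedAt) {
  const age = nonceTick(checkedAt) - nonceTick(mintedAt);
  return age === 0 || age === 1;
}

// How long a nonce minted at `mintedAt` keeps working. Depends on where in
// the tick it was minted: between 12 h (end of tick) and 24 h (start of tick).
function secondsUntilRejected(mintedAt) {
  return (nonceTick(mintedAt) + 1) * HALF - mintedAt;
}

// Seconds during which a page cached at `cachedAt` is still served from cache
// although the nonce embedded in its HTML is already rejected (the 403 window).
function staleWindow(cachedAt, cacheTtl) {
  return Math.max(0, cacheTtl - secondsUntilRejected(cachedAt));
}

// Longest cache TTL with no 403 window for any caching moment: the minimum
// remaining validity over one whole tick, sampled every `step` seconds.
function maxSafeCacheTtl(step = 60) {
  let min = Infinity;
  for (let t = step; t <= HALF; t += step) {
    min = Math.min(min, secondsUntilRejected(t));
  }
  return min;
}
```

With the defaults the model gives a longest safe HTML cache lifetime of 43200 seconds (12 hours); a site that changes `nonce_life` through a filter shifts that bound accordingly.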
