You hit Save, or you launch a long scan, and WordPress tells you “Cookie check failure” or “Cookie nonce invalid”. The page is stuck. Nothing else seems wrong. Welcome to one of WordPress’s most annoying errors, and one of its most fixable.
What a nonce actually is
A WordPress nonce is a short, time-limited token that proves “this request really came from a logged-in user on this site, not from some random page on the internet pretending to be you”. It is WordPress’s CSRF protection, baked into nearly every async action in the admin (saving a post, deleting media, running a plugin scan, calling the REST API).
Nonces live in cookies and expire after about 12 hours. If the cookie the browser sends does not match what the server expects, you get the error.
The most common cause: your cache
Nine times out of ten, a caching plugin is serving a stale version of the page (or the admin) with a nonce that has already expired. The browser sends the old nonce, the server says no, you see the error.
The fix depends on which caching plugin you run:
- WP Fastest Cache: set the cache lifespan shorter than 12 hours
- WP Rocket: same fix, but also see our take on WP Rocket: we recommend against it
- W3 Total Cache: tune the Garbage Collection Interval
- WP Super Cache: set the Garbage Collection lifetime
If you are running a long-running process (like a Media Cleaner scan or a large bulk action) and the cache lifespan setting does not help, disable the caching plugin for the duration. The 12-hour nonce expires mid-process and there is no setting that prevents that.
The other usual suspects
- Security plugins messing with cookies. Wordfence’s “Login Security” 2FA flow occasionally strips or rewrites cookies mid-flight. Disable temporarily to test.
- Host-level mod_security rules. Some shared hosts (we have seen GoDaddy and a few SiteGround configs) ship aggressive mod_security rules that block cookie-bearing POST requests selectively. Open a ticket: “please whitelist
/wp-admin/admin-ajax.phpfrom mod_security rule X”. - Browser extensions. Some privacy extensions (uBlock variants, Privacy Badger configs) block first-party cookies. Test in an incognito window with extensions disabled.
- Multiple WordPress installs on the same domain sharing cookies. Set
COOKIEPATHandCOOKIE_DOMAINexplicitly inwp-config.phpto scope each install’s cookies.
In short
Cookie nonce errors are almost always a caching plugin holding onto a stale page. Tune the cache lifespan or disable the cache for long admin actions. If that does not solve it, work through the security-plugin and host-rule list above. Tell us in the comments which one was yours, and which host you are on. The list above grows with reader reports. 😺
