Expired Nonce Errors

A nonce (number, once) is a number randomly generated by WordPress and sent along with any user input as part of data validation. It is a key tool used by developers to close a number of common security holes, including XSS (Cross-site Scripting) attacks.

Nonces, by default, are valid for 24 hours, and since they are included in hidden form fields and attached as variables to links, a caching tool like W3 Total Cache, WP Rocket, or others could accidentally keep re-using a nonce after it expires, resulting in expired nonce errors.

If you have a stale or expired nonce issue on your site, there are two ways you can fix it.

Many caching solutions give you the ability to modify the cache lifespan. It is recommended that any pages that include a Matador Jobs form (i.e., Application, Contact Form, Alerts Subscribe) are kept cached for no longer than 12 hours.
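Why 12 hours: WordPress derives each nonce from a "tick" that advances every half nonce lifetime and accepts only the current and previous tick, so a nonce is honoured for between 12 and 24 hours depending on when the page was rendered. The stand-alone PHP model below is an added example, not Matador or WordPress core code; the secret, action name and timestamps are constructed, and core additionally binds the nonce to the user and session.

```php
<?php
// Added example: stand-alone model of WordPress's tick-based nonce check.
// SECRET, the action name and all timestamps are constructed sample values.
const DAY_IN_SECONDS = 86400;
const SECRET = 'constructed-demo-salt';

// Mirrors wp_nonce_tick(): the tick advances every half nonce lifetime.
function nonce_tick(int $now, int $life): int {
    return (int) ceil($now / ($life / 2));
}

// Nonce for a given tick (core also mixes in the user ID and session token).
function make_nonce(int $tick, string $action): string {
    return substr(hash_hmac('sha256', $tick . '|' . $action, SECRET), -12, 10);
}

function create_nonce(int $now, string $action, int $life = DAY_IN_SECONDS): string {
    return make_nonce(nonce_tick($now, $life), $action);
}

// Like wp_verify_nonce(): accept the current tick and the previous one only.
function verify_nonce(string $nonce, int $now, string $action, int $life = DAY_IN_SECONDS): bool {
    $tick = nonce_tick($now, $life);
    return hash_equals(make_nonce($tick, $action), $nonce)
        || hash_equals(make_nonce($tick - 1, $action), $nonce);
}

// Whole hours after rendering for which a cached copy's nonce is still accepted.
function usable_hours(int $rendered_at, string $action): int {
    $nonce = create_nonce($rendered_at, $action);
    $hours = 0;
    while (verify_nonce($nonce, $rendered_at + ($hours + 1) * 3600, $action)) {
        $hours++;
    }
    return $hours;
}

$tick_start = 19000 * DAY_IN_SECONDS; // constructed timestamp on a tick boundary
$cases = [
    'rendered just after a tick began' => $tick_start + 60,
    'rendered mid-tick'                => $tick_start + 6 * 3600,
    'rendered just before a tick ends' => $tick_start + 12 * 3600 - 60,
];
foreach ($cases as $label => $rendered_at) {
    printf("%-34s accepted for %2d h\n", $label, usable_hours($rendered_at, 'demo_application_form'));
}
```

The worst case is a page rendered just before a tick rolls over: its nonce stops verifying roughly 12 hours later, which is why a cached form page should not outlive that window.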

If you are on a Managed WordPress host and you are having caching issues with nonces, contact your host. If you are setting up and managing your own combination of caching tools, you should modify your cache lifespan.

Here are some links to help documents from popular caching tools:

Don’t see your caching solution? Send us a ticket and we’ll add a link to yours… if we can find it!

Alternate Solution: No-Cache Applications

If you’d like to keep certain parts of your site with long caches (e.g., 7 days, 30 days, 90 days) and can’t modify cache per-page, you can disable cache on certain pages. By changing the option Matador Settings > Applications > Applications Method to “Generate Application Page”, your application forms will be on a unique page which you can always exclude from cache while leaving the rest of the site cached for longer than 12 hours. Here are links to help for popular caching solutions:

Discouraged (but it works): Extend Nonce Life

At the beginning of this document, we explained that nonces protect you from common security vulnerabilities. We strongly discourage changing the nonce lifespan, but if the above solutions do not work, you can use the following code to extend the life of your nonces from 24 hours (default) to the life of your cache, plus 12 hours.

<?php //omit opening php tag
/**
 * Extend Nonce Life
 *
 * Warning: avoid this at all costs. Use as a last-resort. Could open security vulnerabilities on your site.
 *
 * @since 2021-02-13
 *
 * @param int $nonce_life Default nonce lifespan in seconds.
 *
 * @return int Extended nonce lifespan in seconds.
 */
function namespace_nonce_life( $nonce_life ) {
	// Add .5 to Cache Age (in days) for Cache + 12 hours; cast so the filter returns whole seconds.
	return (int) ( 90.5 * DAY_IN_SECONDS );
}
add_filter( 'nonce_life', 'namespace_nonce_life' );
Updated on April 23, 2021
