WordPress uses nonces to protect state-changing actions against CSRF. They are not true single-use nonces but keyed hashes tied to an action, a user (plus session token) and a time "tick". By default the nonce lifetime (nonce_life) is 24 hours, which wp_nonce_tick() splits into two 12-hour ticks, and wp_verify_nonce() accepts a nonce from the current tick or the previous one. A nonce is therefore valid for somewhere between 12 and 24 hours, depending on when within a tick it was created, and wp_create_nonce() returns the same value for a given action and user for the whole of a tick.
The problem appears when a page containing a nonce is cached as static HTML and served to later visitors. If that copy outlives the nonce, which can happen as soon as the cache lifetime exceeds 12 hours, every visitor receives an already expired nonce, and any request that relies on it fails validation: wp_verify_nonce() returns false and check_admin_referer() or check_ajax_referer() abort the request. For logged-out visitors the nonce is computed for user ID 0 with an empty session token, so all anonymous visitors share the same value within a tick; that is why caching such pages works at all, and why the failure only shows up once the cached copy is older than the nonce.
There are two straightforward ways to solve this problem.
Reduce the page cache lifetime
The simplest fix is to set the page-cache expiration to less than 12 hours (nonce_life / 2), not 24: a nonce generated at the very end of a tick is only accepted for the following 12-hour tick, so a cached page must be refreshed before that, with some margin for the delay between rendering the page and storing it in the cache. Raising nonce_life through the filter of the same name is the other knob, but it also widens the window in which a leaked or replayed nonce is accepted, so shortening the cache is the better trade.
Do not cache pages that contain nonces
Most caching plugins provide settings or hooks that let you exclude certain URLs from static caching, and the common ones (WP Super Cache, W3 Total Cache, WP Rocket) also skip any request in which the DONOTCACHEPAGE constant is defined. If a page includes a nonce field generated by something like wp_nonce_field(), or a link built with wp_nonce_url(), excluding that page from the cache is often the safest option.
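The following must-use plugin implements both fixes. It is an added example written for this article, not code from WordPress or from any caching plugin. It assumes WordPress 5.x on PHP 7 or later and a page cache that honours the DONOTCACHEPAGE constant; the nce_ function names, the 300-second safety margin and the use of the nonce_life filter as a "a nonce is being generated" signal are my choices, not a WordPress API for that purpose.

```php
<?php
/**
 * Plugin Name: Nonce-aware page caching (added example)
 *
 * Example code written for this article, not taken from WordPress or from any
 * caching plugin. Assumptions: WordPress 5.x, PHP 7+, and a page cache that
 * honours the DONOTCACHEPAGE constant (WP Super Cache, W3 Total Cache and
 * WP Rocket do). The nce_ function names are invented for the example.
 */

/**
 * Fix 1: the longest page-cache TTL that can never serve an expired nonce.
 *
 * wp_nonce_tick() divides time into ticks of nonce_life / 2 (12 hours by
 * default) and wp_verify_nonce() accepts the current and the previous tick, so
 * a nonce generated at the very end of a tick is accepted for only another
 * nonce_life / 2. The cache must expire before that, minus a margin for the
 * delay between rendering the page and storing it.
 */
function nce_max_safe_cache_ttl( $margin_seconds = 300 ) {
    // Read nonce_life through the same filter wp_nonce_tick() uses, so a site
    // that changed it gets a matching TTL. The detector below listens on that
    // filter too, so detach it for this one call to avoid a false positive.
    remove_filter( 'nonce_life', 'nce_flag_nonce_pages' );
    $nonce_life = (int) apply_filters( 'nonce_life', DAY_IN_SECONDS );
    add_filter( 'nonce_life', 'nce_flag_nonce_pages' );

    $tick = (int) floor( $nonce_life / 2 );
    return max( 60, $tick - $margin_seconds );
}

// Advertise that ceiling to browsers and CDNs for anonymous front-end pages.
// The page-cache plugin's own expiry setting must be set to the same value or
// lower; this header does not configure the plugin.
add_action( 'send_headers', function () {
    if ( ! is_admin() && ! is_user_logged_in() ) {
        header( 'Cache-Control: public, max-age=' . nce_max_safe_cache_ttl() );
    }
} );

/**
 * Fix 2: keep any front-end page that generates a nonce out of the cache.
 *
 * There is no hook on wp_create_nonce(), wp_nonce_field() or wp_nonce_url(),
 * but all of them call wp_nonce_tick(), which runs the 'nonce_life' filter.
 * Seeing that filter fire during an ordinary front-end GET means a nonce is
 * being written into HTML that the page cache is about to store.
 */
function nce_flag_nonce_pages( $life ) {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

    if ( 'GET' === $method
        && ! is_admin()
        && ! defined( 'DOING_AJAX' )
        && ! defined( 'DOING_CRON' )
        && ! defined( 'REST_REQUEST' )
        && ! defined( 'DONOTCACHEPAGE' ) ) {

        define( 'DONOTCACHEPAGE', true );

        // Override the max-age sent above so a CDN does not keep a copy either.
        // Output buffering by the cache plugin normally means headers are still
        // open at this point; if not, the constant alone has to do the job.
        if ( ! headers_sent() ) {
            header( 'Cache-Control: private, no-store, max-age=0' );
        }
    }

    return $life; // leave the actual lifetime untouched
}
add_filter( 'nonce_life', 'nce_flag_nonce_pages' );
```

Drop the file into wp-content/mu-plugins/ so it loads before the caching plugin decides anything. Before enabling Fix 2 on a production site, check which pages end up flagged: a nonce emitted on every page (by a theme header, a widget or a script that is always enqueued) would take the whole site out of the cache, and in that case Fix 1 or moving the nonce to an uncached endpoint is the better choice. Pages for logged-in users are not cached by most plugins anyway, so the constant mostly matters for anonymous traffic.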
In practice, the right solution depends on the site. If the page is highly dynamic or security-sensitive, bypassing the cache entirely may be best; if not, a shorter cache lifetime may be enough. A page that must stay cached for longer than 12 hours can instead have its nonce fetched at request time from an uncached admin-ajax.php or REST endpoint rather than embedded in the cached HTML.
