How Long Static Page Cache Can Cause WordPress Nonce Expiration Issues

WordPress uses a nonce to verify that a request came from a form or link it generated, which is what protects against CSRF. The nonce is not a random value: wp_create_nonce() hashes the current time window, the action name, the user ID and the session token. Under the default configuration a nonce has a lifetime of 24 hours (the nonce_life filter), but the value does not stay fixed for that whole period. WordPress divides time into ticks of half the lifetime, 12 hours by default, derives the nonce from the current tick, and wp_verify_nonce() accepts a nonce from either the current tick or the previous one. A given nonce therefore verifies for somewhere between 12 and 24 hours, depending on where inside a tick it was generated.

Often the nonce is output directly inside the page HTML, for example in a hidden field from wp_nonce_field() or in a URL built with wp_nonce_url(). With static page caching that value is stored together with the rest of the HTML and served unchanged to every later visitor. This works at all only because page caches normally serve cached copies to logged-out visitors, for whom the nonce is computed with user ID 0 and an empty session token and is therefore the same for everyone. Once the cached copy is older than the nonce's remaining validity, which can be as little as 12 hours after the page was rendered, the form still submits the stale value, wp_verify_nonce() returns false and the request is rejected (wp_nonce_ays() shows "The link you followed has expired", or an AJAX call fails with a 403).
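To see how long a cached nonce actually survives, the following PHP script, added for this article and not part of WordPress, models the tick arithmetic that wp_nonce_tick() and wp_verify_nonce() use. The timestamp of the cached page is a constructed value; the function names are the script's own.

```php
<?php
// Model of WordPress nonce tick arithmetic, written for this article.
// WordPress computes tick = ceil(time() / (nonce_life / 2)) and a nonce verifies
// when the request's tick equals the nonce's tick (wp_verify_nonce() returns 1)
// or the tick just after it (returns 2). Everything else is rejected (false).

const NONCE_LIFE = 86400; // WordPress default nonce lifetime: 24 hours

function nonce_tick(int $time, int $nonce_life = NONCE_LIFE): int
{
    return (int) ceil($time / ($nonce_life / 2));
}

// Mirrors the return values of wp_verify_nonce(): 1, 2 or false.
function nonce_still_valid(int $created_at, int $checked_at, int $nonce_life = NONCE_LIFE)
{
    $nonce_tick = nonce_tick($created_at, $nonce_life);
    $now_tick   = nonce_tick($checked_at, $nonce_life);
    if ($now_tick === $nonce_tick) {
        return 1;
    }
    if ($now_tick === $nonce_tick + 1) {
        return 2;
    }
    return false;
}

// Seconds for which a nonce rendered at $created_at keeps verifying, i.e. the
// longest a cached copy of that page can be served before its form breaks.
// The answer ranges from nonce_life/2 (rendered at the end of a tick) to
// nonce_life (rendered at the very start of a tick).
function safe_cache_ttl(int $created_at, int $nonce_life = NONCE_LIFE): int
{
    $half     = intdiv($nonce_life, 2);
    $tick_end = nonce_tick($created_at, $nonce_life) * $half; // last second of the nonce's tick
    return $tick_end + $half - $created_at;                   // valid through the end of the next tick
}

// Constructed timestamp of the moment the page was rendered into the cache.
$rendered_at = 1700000000;

printf(
    "Nonce on this cached page stays valid for %d seconds (%.1f hours)\n",
    safe_cache_ttl($rendered_at),
    safe_cache_ttl($rendered_at) / 3600
);

// Check the cached form at several ages of the cached copy.
foreach ([3600, 12 * 3600, 49600, 20 * 3600, 25 * 3600] as $age) {
    $result = nonce_still_valid($rendered_at, $rendered_at + $age);
    printf(
        "cache age %5.1f h: %s\n",
        $age / 3600,
        $result === false ? 'expired, request rejected' : "verifies (wp_verify_nonce would return $result)"
    );
}
```

For this particular render time the nonce lasts 49,600 seconds, about 13.8 hours, so a copy cached for 20 hours already serves a form that will be rejected even though 20 hours is well under the advertised 24-hour lifetime. The only cache TTL that is safe regardless of render time is one below nonce_life/2.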

There are two ways to deal with this.

Shorten the Cache Lifetime of Static Pages

The simplest fix is to reduce the lifetime of the static page cache so that cached copies are always regenerated before the nonce they carry stops verifying. Note that "shorter than 24 hours" is not enough: a nonce generated near the end of a tick verifies for only 12 hours, so the cache expiration must be set below 12 hours (with some margin for the time between rendering and the cache write) under the default nonce lifetime. If you change nonce_life, the safe bound is half of whatever lifetime you configure.

Do Not Cache Pages That Contain Nonce Values

Most caching plugins provide settings or hooks for excluding specific URLs from the cache, and the common ones (WP Super Cache, W3 Total Cache, WP Rocket, among others) also honour the DONOTCACHEPAGE constant when it is defined during the request. As long as every page whose HTML contains a nonce is excluded, the stale-nonce problem goes away for those pages, while the rest of the site stays cached. The cost is that the excluded pages are rendered on every request, so keep the list to pages that really carry forms or nonced links.
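As a plugin-independent way to implement the exclusion, here is a small must-use plugin written for this article (it is not from WordPress or any caching plugin). The page slugs in NONCE_PAGE_SLUGS and the filter name nonce_page_bypass_cache are assumptions to adapt to your site; DONOTCACHEPAGE, template_redirect, is_page() and nocache_headers() are real WordPress names.

```php
<?php
/**
 * Plugin Name: Do not cache pages that carry a nonce
 * Description: Example mu-plugin for this article; place it in wp-content/mu-plugins/.
 */

// Assumed slugs of pages whose templates call wp_nonce_field() or wp_nonce_url().
const NONCE_PAGE_SLUGS = ['contact', 'checkout', 'account'];

/**
 * Decide whether the current request renders a page with a nonce in its HTML.
 * The result passes through a hypothetical filter so a theme can add its own
 * conditions, e.g. a page template that always prints a form.
 */
function nonce_page_should_bypass_cache(): bool
{
    $bypass = is_page(NONCE_PAGE_SLUGS);
    return (bool) apply_filters('nonce_page_bypass_cache', $bypass);
}

// template_redirect runs after the main query is resolved but before any output,
// so conditional tags work and headers can still be sent.
add_action('template_redirect', function () {
    if (!nonce_page_should_bypass_cache()) {
        return;
    }

    // Page-cache plugins check this constant and skip storing the response.
    if (!defined('DONOTCACHEPAGE')) {
        define('DONOTCACHEPAGE', true);
    }

    // Also mark the response uncacheable for reverse proxies and CDNs in front of
    // PHP (nginx proxy/fastcgi cache, Varnish), which never see the constant.
    nocache_headers();
}, 0);
```

Keeping both mechanisms matters: the constant only reaches in-process caching plugins, while the Cache-Control and Expires headers from nocache_headers() are what an external cache layer respects. If your reverse proxy is configured to ignore upstream cache headers, add a matching bypass rule for the same URLs there as well.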
