Fortress - 30 min nonce error

**You Cannot Save Your Work After 30 Minutes**

The issue you’re facing is likely nonce-related. This bug rarely surfaces for most people because nonces are valid for 12 hours by default within WordPress. However, this will surface every 30 minutes on Fortress sites.

The problem appears when a nonce becomes invalid and the plugin you're using does not fetch a new one. Gutenberg, for example, handles this automatically: as long as you're still logged in, it fetches a fresh nonce when the old one stops validating.

Calvin created the following configuration that will allow you to get your work done while still keeping a very solid security level:

```json
{
  "session": {
    "idle_timeout": 7200,
    "sudo_mode_timeout": 1800,
    "rotation_timeout": 43199,
    "absolute_timeout": 43200,
    "protected_pages": [
      "/wp-admin/update-core.php",
      "/wp-admin/themes.php",
      "/wp-admin/theme-install.php",
      "/wp-admin/plugins.php",
      "/wp-admin/plugin-install.php",
      "/wp-admin/user-new.php",
      "/wp-admin/user-edit.php",
      "/wp-admin/profile.php",
      "/wp-admin/update.php",
      "/wp-admin/options-*",
      "/wp-admin/options.php",
      "/wp-admin/authorize-application.php",
      "/wp-admin/theme-editor.php",
      "/wp-admin/plugin-editor.php"
    ],
    "protected_capabilities": [
      "activate_plugins",
      "delete_plugins",
      "delete_themes",
      "delete_users",
      "edit_dashboard",
      "edit_files",
      "edit_plugins",
      "edit_themes",
      "edit_users",
      "edit_user",
      "install_plugins",
      "install_themes",
      "promote_users",
      "remove_users",
      "create_users",
      "switch_themes",
      "unfiltered_upload",
      "update_core",
      "update_plugins",
      "update_themes"
    ]
  }
}
```

This does the following:

  1. The `rotation_timeout` is effectively disabled. This should stop the bug in third-party plugins (having to refresh the page to get new nonces) from surfacing again.
  2. The maximum lifetime of a session is 12 hours for non-remembered users. This brings the nonce lifetime back to the WordPress default, but you can also shorten it if you'd prefer to be stricter.
  3. The idle timeout is set to 2 hours. This means that if a user leaves the site for more than 2 hours without doing anything, they'll be logged out. This can be decreased or increased based on your preference (we'd recommend a shorter limit where possible).
  4. Rather than removing the `sudo_mode_timeout`, this reduces what the sudo timeout affects down to the most critical actions, like installing plugins or deleting users. Administrator users can still perform all of these actions for thirty minutes after logging in (or thirty minutes after confirming sudo mode). Most page builders, snippet plugins, etc., should now be unaffected by sudo mode, while one-off/rare tasks that are very critical are still protected.
  4. Rather than removing the sudo_timeout, this reduces what is affected by the sudo timeout down to the most critical actions like installing plugins or deleting users. Administrator users can still perform all of these actions for thirty minutes after logging in (or thirty minutes after confirming the sudo mode). Most page builders, snippet plugins, etc., should now be unaffected by the sudo mode, while one-off/rare tasks that are very critical are still protected.