I'm at my wits' end. I've finally reached the point of site completion to turn on LiteSpeed. The one thing I'm having issues with is WPDiscuz and NONCE errors when trying to submit comments on my site in the standard posts or a CPT for my gallery.
I've tried excluding everything I could find. WPDiscuz has many threads and they're not really answering anything specific, and I'd think there would be a straightforward set of entries to get LiteSpeed to leave it alone.
Is there any guidance you can provide me so I can get this off my back?
ESI Nonce
stats_nonce
subscribe_nonce
wpdiscuz_comment_nonce
ESI Nonces
_wp_nonce_wpdiscuz_comment
_better_messages_nonce
_wpnonce
_wpnonce_wpdiscuz
_wpnonce_wpdiscuz_comment
_wpdiscuz_nonce
Do Not Cache Groups
wc_session_id
wpdiscuz
comments
comment_meta
Do not Cache URIs
/wp-admin/admin-ajax.php
/wp-json/
/wp-comments-post.php
/?rest_route=
/wp-content/plugins/wpdiscuz/utils/ajax/wpdiscuz_ajax.php
/wp-json/wpdiscuz/v1
Is there a proper way to make LiteSpeed ignore an entire plugin? Or are there known steps to get LiteSpeed to leave WPDiscuz alone?
Thank you

and here: https://www.ads-software.com/support/topic/ajax-search-stops-working-due-to-caching/#post-18346826
The people at Ivory Search suggested: “Please contact the WP Super Cache plugin support below to know how to exclude is_ajax_nonce from the cache.”
Is this possible?
To be clear, I don’t want to exclude posts/pages from caching that use this ajax search, as I have the search bar set to appear in the sidebar of every post/page.
Thanks

First post, so please be gentle.
I’m trying to harden our WordPress setup and for that I’m implementing a somewhat strict CSP. I wrote an mu-plugin that generates a nonce once per request, adds it to an HTTP header, then intercepts all script, style and link tags coming out of script_loader_tag and style_loader_tag and adds the nonce to them. However, and despite seeing the nonce in every tag that should have one when I curl the wp-login and wp-admin pages, when I view them in the browser I see a few scripts without nonces. Most notably, the <link> tag that references load-styles.php (both wp-login and wp-admin) and the <script> tag calling load-scripts.php (only on wp-login, it has the nonce in wp-admin).
My CSP is as follows:
default-src 'self' https:;
script-src 'self' 'nonce-$nonce' 'strict-dynamic' https:;
style-src 'self' 'nonce-$nonce' https:;
font-src 'self' https:;
img-src 'self' https:;
frame-src 'self' https:;
worker-src 'self' blob:;
script-src-attr 'self';
style-src-attr 'self';
frame-ancestors 'none';
Am I just being too ambitious in my policy? Or is there something I can do? Preferably without having to modify WP core files and plugin files every time there is an update, of course.
Report Number: EZVDWULE
Thank you
thanks

This is not a unique problem. I found a discussion of the same issue here relating to W3 and WP Fastest Cache, here. Although I do not understand the issue and its discussed solutions at the links above, I recognize that this appears to be related to a “nonce” issue, where the cache must be reset every 24 hours for the page to continue working. Assuming that interpretation is correct, is there any way to exclude my contact page/form from persistent object caching or alternatively to flush the cache automatically every 8-12 hours and not trigger the issue? Flushing it manually corrects the problem, as is referenced in the linked discussions, but I’m not going to log in and do that every day.
FYI, SQLite is disabled on my site right now, in case anyone looks at the contact form.

Some scripts are somehow avoiding the insertion of the nonce tag. How can this be fixed? An update to fix that would be most welcome. Scripts like Google’s “https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js” somehow avoid it.

wp_verify_nonce($_POST['_wpnonce'], 'set_options')
How can I verify the nonce if I can’t get it from the request?