We have Cloudflare’s “Automatic Platform Optimization” enabled on our WordPress site. Cloudflare “Caching Level” is set to “Standard”.
We have an odd issue where every few days visitors to our ecommerce website enter a working coupon code and the console logs that admin-ajax returned a 403 server error (request not authorized). So the working coupon code is rejected and the screen freezes. Investigating further, it looks like the nonce expired but was still served to the visitor.
We can always resolve this issue by clicking Cloudflare → Purge Cache → Purge Everything.
The problem returns even though we keep setting the Cloudflare “Browser Cache TTL” to shorter intervals: 10 hours (recommended by WordPress), then 4 hours, then 2.
Is there a better way than setting Browser Cache TTL to shorter and shorter intervals?
Is setting “Browser Cache TTL” the same as Purge Cache → Purge Everything?
This is unrelated to cache. You need to visit Cloudflare Dashboard > Security > Events and check to see which Cloudflare service (Bot Fight Mode, WAF rules, IP Access rules etc.) is blocking the access to the file /wp-admin/admin-ajax.php, then adjust that service accordingly.
You should set your cache for the admin-ajax path so that the sum of Browser Cache TTL and Edge Cache TTL is less than 12 hours (the standard duration for nonces in WordPress). You can do so with a Cache Rule. See: Nonces and Cache Lifespan - WP Rocket Knowledge Base
No. Purge Everything is the one-time remedy, often used after changes are made to your Cloudflare or origin settings so that they start to apply immediately. Setting Browser Cache TTL is a more permanent change, equivalent to setting the duration in a Cache-Control header. It will instruct your browser not to request the page from origin for the duration specified, and use the cached page instead.
I’m not sure we have yet solved it even with your helpful answers.
In Cloudflare Dashboard > Security > Events it is surprising but it does not record any instance of a 403 as we and customers experienced it: a US visitor to /wp-admin/admin-ajax.php. Maybe our origin server returns the 403, not Cloudflare.
Cloudflare > Browser Cache TTL has been set to 2 hours. And we don’t have WP Rocket or any other caching plugin running besides Cloudflare. We do see correctly in Chrome > Developer Console > Network that admin-ajax.php is “Cache-Control: no-cache, must-revalidate, max-age=0”.
That means you have an Edge Cache TTL for all HTML content, which includes the result of PHP files such as admin-ajax.php, except certain dynamic exclusions, such as visits from logged-in users and URLs with a query string.
Aren’t you visiting the URL with Dev Tools > Network tab > Disable cache option checked? Uncheck that option to see what the result is.
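The advice above to keep Browser Cache TTL plus Edge Cache TTL under 12 hours can be checked with a small model of WordPress's nonce clock. This is an added example, not code from any poster in this thread or from Cloudflare. It assumes the default 24-hour `nonce_life` (two 12-hour ticks); the TTL pairs and start time are constructed, and the function names other than the WordPress ones cited in comments are hypothetical.

```python
"""Added example: model WordPress nonce ticks against cache TTLs (values are constructed)."""

HOUR = 3600
NONCE_LIFE = 24 * HOUR  # WordPress default nonce_life; assumes the site does not filter it


def nonce_tick(now, nonce_life=NONCE_LIFE):
    """Same arithmetic as wp_nonce_tick(): ceil(now / (nonce_life / 2))."""
    half = nonce_life // 2
    return -(-now // half)  # integer ceiling division


def nonce_accepted(created_at, used_at, nonce_life=NONCE_LIFE):
    """wp_verify_nonce() accepts a nonce minted in the current or the previous tick."""
    return nonce_tick(used_at, nonce_life) - nonce_tick(created_at, nonce_life) in (0, 1)


def ttl_is_safe(edge_ttl, browser_ttl, nonce_life=NONCE_LIFE):
    """Worst-case age of a cached nonce is edge TTL + browser TTL: the browser can
    fetch the page just before the edge copy expires, then reuse it for its own TTL.
    A nonce minted right at a tick boundary is only good for nonce_life / 2."""
    return edge_ttl + browser_ttl < nonce_life // 2


def rejected_pages(edge_ttl, browser_ttl, nonce_life=NONCE_LIFE, step=60):
    """Sweep page-generation times across one tick and count how many would have
    their nonce rejected when used at the worst-case cached age.
    Returns (rejected, total)."""
    half = nonce_life // 2
    base = 100 * half  # constructed start time, aligned to a tick boundary
    age = edge_ttl + browser_ttl
    created_times = range(base, base + half, step)
    rejected = sum(1 for t in created_times if not nonce_accepted(t, t + age, nonce_life))
    return rejected, len(created_times)


if __name__ == "__main__":
    # Constructed TTL pairs (edge, browser), in hours.
    for edge_h, browser_h in [(4, 2), (12, 2), (24, 2)]:
        edge, browser = edge_h * HOUR, browser_h * HOUR
        bad, total = rejected_pages(edge, browser)
        print(f"edge={edge_h}h browser={browser_h}h safe={ttl_is_safe(edge, browser)} "
              f"rejected={bad}/{total}")
```

When the combined TTL only slightly exceeds 12 hours, just the pages generated near a tick boundary carry a nonce that is rejected, so failures under this model are intermittent rather than constant.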