# 403 Error in WordPress (WooCommerce) admin with multiple "sites" (rest_cookie_invalid_nonce, Cookie check failed, api-fetch, wp-json)

**URL:** https://discourse.roots.io/t/403-error-in-wordpress-woocommerce-admin-with-multiple-sites-rest-cookie-invalid-nonce-cookie-check-failed-api-fetch-wp-json/26524
**Category:** bedrock
**Tags:** multisite, woocommerce, trellis, bedrock
**Created:** 2024-01-10T17:26:40Z
**Posts:** 7

## Post 1 by @cawalle — 2024-01-10T17:26:40Z

Hi everybody,

the text has gotten a little longer, so thank you in advance for staying with me and taking your time!

I am experiencing a problem of piling up **403 errors** when in the WordPress backend, specifically the WooCommerce admin (where it hinders me to e.g., make changes to some payment settings), or also when editing a post (Gutenberg). The problem seems to be related to `rest_cookie_invalid_nonce`.

Here are example logs from the console

```
api-fetch.js?ver=064121ed1abb9ed32a10:678 
GET http://domain-one.test/wp-json/wc-admin/options?options=woocommerce_admin_transient_notices_queue%2Cwoocommerce_admin_install_timestamp&_locale=user 403 (Forbidden)

---

api-fetch.js?ver=064121ed1abb9ed32a10:678 
GET http://domain-one.test/wp-json/wp/v2/templates/twentytwentyfour//single?context=edit&_locale=user 403
```

### “WP Multisite” vs multiple “sites”

I have tried all kinds of solutions and approaches, but to no avail, which led me to wonder, if I even understood “Multisite” vs “sites” (as per [Trellis Docs](https://roots.io/trellis/docs/wordpress-sites/)) correctly.

So first off, let me please ask, if my understanding in this regard is correct, or if my approach cannot work in the first place:

Instead of installing a “WP Multisite” (i.e., one WordPress install with multiple websites), I configured my project with multiple “sites” (each having their own WordPress/Bedrock install), leaving me with a structure that looks like this:

```
site_domain-one (Bedrock)
   | composer.json
   | config
   | | application.php
   | | environments
   | | | development.php
   | | | ...
   | web
   | | app
   | | | plugins
   | | | themes
   | | | ...
   | | wp
   | | | ...
   | .env
   | composer.json
   | ...
site_domain-two (Bedrock)
   | composer.json
   | ...
site (more sites ...)
   | ...

trellis
   | group_vars
   | hosts
   | ...
```

…and `group_vars/development/wordpress_sites.yml` like this:

```
# Created by trellis-cli v1.11.1
# Documentation: https://roots.io/trellis/docs/wordpress-sites/

wordpress_sites:
  domain-one.com:
    site_hosts:
    - canonical: domain-one.test
      redirects:
      - www.domain-one.test
    local_path: ../site_domain-one
    admin_email: mymail@mail.com
    multisite:
      enabled: false
    ssl:
      enabled: false
      provider: self-signed
    cache:
      enabled: false
  domain-two.com:
    site_hosts:
    - canonical: domain-two.test
      redirects:
      - www.domain-two.test
    local_path: ../site_domain-two
    admin_email: mymail@mail.com
    multisite:
      enabled: false
    ssl:
      enabled: false
      provider: self-signed
    cache:
      enabled: false
  more-domains.com:
    ...
```

Again, in my understanding, I don’t have a “WP Multisite”, but _multiple “sites”_, with each “site” having a separate WordPress/Bedrock installation.

**Question 1** → Is my understanding correct? Is it possible to setup the Roots stack like this, or is my approach wrong, and the only way to go about it is a “WP Multisite”?

* * *

### Similar topics

There are very similar topics surrounding the error `rest_cookie_invalid_nonce`. Again, they are mostly referring to “Multisite” though, which leaves me to wonder, if they are even applicable in my case (or if I have to _switch_ to a multisite regardless?)(see explanation above).

Especially this topic ([Rest\_cookie\_invalid\_nonce error](https://discourse.roots.io/t/rest-cookie-invalid-nonce-error/26175)) is very similar. I have reached out to its author, but haven’t received a reply yet. In the aforementioned topic, three other threads are also mentioned (again, all referring to Multisite):

> [@Rest_cookie_invalid_nonce error](https://discourse.roots.io/t/rest-cookie-invalid-nonce-error/26175/1):
>
> - [Updating failed error on Bedrock](https://discourse.roots.io/t/updating-failed-error-on-bedrock-sage-wp-multisite-after-migrating-from-aws-to-kinsta/18047)
> - [Rest\_cookie\_invalid\_nonce on MultiSite Instances](https://discourse.roots.io/t/rest-cookie-invalid-nonce-on-multisite-instances/25252)
> - [WooCommerce REST API (401 / 403)](https://discourse.roots.io/t/woocommerce-rest-api-multisite-issues-401-403/21276)

They very much describe (parts) of my problem, but miss solutions (I could get to work).

### Error

As mentioned above, the console log(s) look like:

```
api-fetch.js?ver=064121ed1abb9ed32a10:678 
GET http://domain-one.test/wp-json/wc-admin/options?options=woocommerce_admin_transient_notices_queue%2Cwoocommerce_admin_install_timestamp&_locale=user 403 (Forbidden)
```

with a preview / response of:

```
{code: "rest_cookie_invalid_nonce", message: "Cookie check failed", data: {status: 403}}

code: "rest_cookie_invalid_nonce"
data: {status: 403}

status: 403

message: "Cookie check failed"
```

### My setup

- Trellis, Bedrock, Sage
- multiple “sites” (not WP Multisite)
- Since the error already appears in local development (only WordPress and WooCommerce installed, with Twenty Twenty-Four theme), and judging from the similar topics, it seems to be Bedrock (or Trellis) related
- To the best of my memory, I have not altered the Bedrock setup (but regularly installed it via Trellis-CLI)
- The issue persists after clearing browser cache and re-provisioning via `trellis provision development`
- this answer (below) suggests the following, but since its an install with only WordPress, WooCommerce, and Twenty Twenty-Four theme), I did not know, which further plugins/blocks to disable:

> [@Updating failed error on Bedrock/Sage WP Multisite after migrating from AWS to Kinsta](https://discourse.roots.io/t/updating-failed-error-on-bedrock-sage-wp-multisite-after-migrating-from-aws-to-kinsta/18047/4):
>
> I guess there are 2 elements with the same id `_wpnonce` on the page.  
> Thus, the AJAX requests failed to find a valid nonce.  
> Try disable some plugins/blocks to find the culprit.

* * *

**Question 2** → Is of course, how to solve the problem / where to look / where it likely lies / etc.?

Thank you very much for reading. Please let me know, if you need further information. I hope that someone can help (guide) me to the right solution, and that this thread then helps others to find a solution, too :slight_smile:

Very much looking forward to your replies!

P.S.: In the meantime, I have done a new fresh trellis install, with two “sites” (both only WordPress, WooCommerce, Twenty Twenty-Four) and the issue persists (in development). Pretty sure, that means that something in my config is wrong (?), but I can’t figure out what :thinking:

---

## Post 2 by @priyanka_wp — 2024-01-12T09:52:34Z

I had same issue after WooCommerce update to 8.5.0. Rollbacked to 8.4.0 and it worked.

---

## Post 3 by @cawalle — 2024-01-12T11:59:51Z

Damn, that was actually it… Rolling back, and it works again. Thanks a lot for pointing it out! :pray:

I somehow didn’t really consider this to be an issue with such a massively used plugin :woozy_face: … and didn’t check there… but looking at the WooCommerce support forums now, they even officially reverted back to 8.4.0. — as the 8.5.0. was causing too many issues…… anyways, solution found :tada:

---

## Post 4 by @strarsis — 2024-01-12T18:09:13Z

Thank you! I just encountered the same issue, but not with multiple sites, just a normal WordPress Bedrock Site with Sage 10 (updated). Hopefully the next WooCommerce release has this issue fixed.

---

## Post 5 by @strarsis — 2024-01-12T18:51:48Z

:thinking: Interesting, the WooCommerce plugin latest version is `8.4.0` on the [WordPress WooCommerce plugin directory page](https://wpackagist.org/search?q=woocommerce&type=any&search=#:~:text=Plugin-,woocommerce,-January%209%2C%202024).

But on `wpackagist` (from which Bedrock installs plugins using `composer`)the [`woocommerce` plugin package](https://de.wordpress.org/plugins/woocommerce/#description:~:text=Meta-,Version%3A,-8.4.0) is also available in versions `8.5.0-beta.1`; `8.5.0-rc.1` and `8.5.0`. In the GitHub repository [the latest (stable) available version is also `8.5.0`](https://github.com/woocommerce/woocommerce/releases).

So were the `8.5.0` `beta`, `rc` and `stable` releases actually retracted from the WordPress plugin directory, probably because of this significant issue?

---

## Post 6 by @AlexD — 2024-01-31T11:52:41Z

I’ve had issues with sessions (customer login, add to cart, checkout). Rolling back to 8.4 solved the issues.

This is a really big bug…my clients lost a lot of money…

---

## Post 7 by @jakeqz — 2026-04-09T23:48:17Z

I had the same issue after a WordPress and WooCommerce update. Tracked it down to `rest_cookie_invalid_nonce`. Logged out of WordPress and logged back in. Problem solved. Wish I had tried that sooner - would have saved a lot of time debugging.