Multisite "Cookie nonce is invalid" problem

When I try to save settings for some plugins in network (subdirectory multisite) admin. Messages I get:

Cookie nonce is invalid

from the Application password plugin and…

A nonce security check failed, preventing the request from completing as expected. Please try reloading the page and trying again.

…from iThemes Security.

I did some digging and the problem is wp_verify_nonce() always return false. The cookie token never match the expected token. I have no idea why Wordpress is behaving in this way.

Do someone have an idea of what’s causing this issue? How can I solve this?

I using Bedrock and here is my settings (not including database, saltkeys, WP_ENV, etc.):

define('WP_HOME', '');
define('WP_SITEURL', '');
define('CONTENT_DIR', '/app');

define('ADMIN_COOKIE_PATH', '/');
define('COOKIE_DOMAIN', '');
define('COOKIEPATH', '');
define('SITECOOKIEPATH', '');

define('WP_ALLOW_MULTISITE', true);
define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', false);
define('DOMAIN_CURRENT_SITE', '');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);

Edit note 2017-08-30: Info about it’s a subdirectory multisite install.

I found the problem.

The links to the Network Admin are incorrect. For example, network users have:

It should be (if wordpress core is located in backend/)

If you visit the first link and add /backend/ before wp-admin in the browser, then the network admin will behave correctly.

I posted my fix here:

Check this out

Yes, I have tried that. The problem is this is a subdirectory multisite install. When the plugin is enabled I get urls like:


I only need to fix URL:s to the network admin, the other URLs are fine.


New solution (needs more testing and fine tuning).

public function fix_network_admin_url($path, $scheme) {
    return str_replace('/wp-admin/network', '/backend/wp-admin/network', $path);
add_filter('network_admin_url','fix_network_admin_url', 10, 3);