Introduction

The WordPress block editor relies on active login cookies, nonce validation, and working API requests in the background. When any of those pieces break, the editor can suddenly display a session expired message even though the admin area itself still seems available. The fix is to determine whether authentication, caching, or REST communication is interrupting the editor's refresh flow.

Symptoms

  • The block editor shows a session expired warning while editing posts or pages
  • Saving or updating content fails unexpectedly in the editor
  • Users get logged out of the editor sooner than expected
  • REST API calls or autosave requests begin failing in the browser console or network tab
  • The issue started after adding caching, security plugins, proxy rules, or custom login settings

Common Causes

  • Authentication cookies are not being set or forwarded correctly for the admin area
  • The REST API is blocked, cached, or returning authorization errors
  • Security plugins, WAF rules, or reverse proxies interfere with nonce refresh or editor requests
  • Session lifetime settings are too aggressive for real editing workflows
  • Mixed domain, www, or HTTPS configuration causes admin cookies to behave inconsistently

Step-by-Step Fix

  1. Reproduce the issue while watching the browser network panel so you can see which editor request fails first.
  2. Confirm the WordPress admin URL, site URL, and HTTPS configuration are consistent so login cookies map to the correct domain.
  3. Check whether REST API and autosave requests return authentication, nonce, caching, or proxy errors.
  4. Review security plugins, CDN settings, and reverse proxy rules for anything that blocks or caches authenticated editor traffic.
  5. Verify that login cookies are present and not being stripped, scoped to the wrong hostname, or invalidated too early.
  6. Test with recent plugin or theme changes disabled if they alter admin authentication, API behavior, or editor assets.
  7. Re-authenticate and retry the editor after clearing only the layers that affect admin sessions rather than purging the whole site blindly.
  8. Confirm editing, autosave, and publishing now work for a sustained session instead of only immediately after login.
  9. Keep admin traffic exempt from aggressive caching and verify REST API health whenever login or proxy settings change.
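
The checks in steps 1, 3 and 4 can be run over requests copied out of the browser network panel. The following is an added example, not code from WordPress or from this guide's author: it assumes pretty-permalink REST routes under /wp-json/, treats `X-Cache` and `Age` as the cache markers (header names vary by CDN and proxy), and uses a constructed capture for example.com.

```python
import json
from urllib.parse import urlsplit

# Error codes WordPress core returns for cookie-authenticated REST requests.
AUTH_CODES = {
    "rest_cookie_invalid_nonce": "nonce rejected (stale or not refreshed)",
    "rest_not_logged_in": "login cookie missing or not forwarded",
    "rest_forbidden": "authenticated but lacking permission",
}

# Constructed capture: url, status, response headers and body per request.
SAMPLE = [
    {"url": "https://example.com/wp-json/wp/v2/posts/12?context=edit",
     "status": 200, "headers": {"Age": "120", "X-Cache": "HIT"}, "body": "{}"},
    {"url": "https://www.example.com/wp-json/wp/v2/posts/12/autosaves",
     "status": 403, "headers": {},
     "body": '{"code":"rest_cookie_invalid_nonce","message":"Cookie check failed"}'},
    {"url": "https://example.com/wp-admin/admin-ajax.php",
     "status": 403, "headers": {}, "body": "<html>Request blocked</html>"},
    {"url": "https://example.com/wp-content/themes/x/style.css",
     "status": 200, "headers": {"X-Cache": "HIT"}, "body": ""},
]

def is_editor_request(path):
    # REST calls plus admin-ajax.php, which carries the editor heartbeat.
    return "/wp-json/" in path or path.endswith("/wp-admin/admin-ajax.php")

def diagnose(entries, admin_host):
    """Return (url, finding) tuples for editor requests, in capture order."""
    findings = []
    for e in entries:
        url = urlsplit(e["url"])
        if not is_editor_request(url.path):
            continue
        headers = {k.lower(): v for k, v in e["headers"].items()}
        if url.scheme != "https" or url.hostname != admin_host:
            findings.append((e["url"], "origin differs from admin URL; cookies may not be sent"))
        # Authenticated editor traffic should never come back from a cache.
        age = headers.get("age", "0")
        if headers.get("x-cache", "").upper().startswith("HIT") or (age.isdigit() and int(age) > 0):
            findings.append((e["url"], "response served from cache"))
        if e["status"] in (401, 403):
            try:
                code = json.loads(e["body"]).get("code", "")
            except (ValueError, AttributeError):
                code = ""  # non-JSON body: the response did not come from WordPress
            reason = AUTH_CODES.get(code, "blocked upstream (non-WordPress body: WAF or proxy?)")
            findings.append((e["url"], f"{e['status']} {reason}"))
    return findings
```

The first finding in the returned list corresponds to the request that failed first, which is the one step 1 asks you to identify.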