The "cheatin" hack of WordPress 4.3

Looking into this some more, I found that this kind of code has been in WordPress since at least version 4.0. Despite the remarkable poor wording of the message, it may be that this is “a feature, not a bug”.

In a variety of circumstances wordpress will generate this error message and stop. My suggestion to the developers is to produce a more informative error message that can help users who encounter these circumstances to diagnose the problem.

My suggestion to the developers is to produce a more informative error message that can help users who encounter these circumstances to diagnose the problem.

I think Requests and Feedback forum would be more appropriate for this thread. So I moved it to “Requests and Feedback” forum.

Well, @hugh222, if you see this message, you’re definitely doing something normal users usually don’t do. For all standard cases WP has appropriate error messages, extended debug information is also available for those whom it may concern.

The one-and-only way I know to reliably reproduce the “Cheatin” message is to open a WordPress admin page with a form in a new tab, walk away for more than 12-24 hours, then come back and try to submit the form.

The message appears when you are trying to use an invalid nonce. This is basically considered a “hack attempt”, which is why the message. It’s been around since long before 4.0. At least back to 2.5 or so.

It is possible that you have some plugin or something else doing things incorrectly and causing this to appear more often, or that you have a habit of leaving tabs lying around for extended periods of time. Without details on how to reproduce the issue, it’s not something easily fixed.

I may be remembering this incorrectly, but I’m sure I’ve seen this message a few times after being returned to the dashboard automatically from the Customizer. Probably due to accessing the customizer from a page including a form.

Not sure if that matters, or if anyone is even interested, but I thought I’m chime in! I have no issues with the wording of the “Cheatin” message myself.

I’ve seen this message on various websites, including today while updating a page and yesterday while upgrading a plugin.

Clients have seen it too and been mystified by its accusatory tone and vagueness – it’s badly worded.

I can’t tell my clients it’s a “nonce” at fault because that means something pretty rude in England!

Interesting, the “Cheatin” message does come across as slightly rude.

I came across this by having the Customize page open adding new header images over a long period of time. Logging out and back in again allowed me to continue uploading. It would be nice if the error were a bit more informative or just automatically logged you out at that point.