Hi, thanks for reporting this — you’ve found a legitimate bug.
What’s happening: The David Walsh module includes an AJAX key-refresh mechanism designed specifically for cached pages. When a visitor loads a cached page where the embedded key is older than 12 hours, the JavaScript fetches a fresh key from /wp-json/zero-spam/v5/davidwalsh-key. The endpoint itself is intentionally public (permission_callback => '__return_true'), so it should work fine for non-logged-in visitors.
However, the AJAX request was also sending an X-WP-Nonce header with a nonce that was generated when the page was originally rendered. On cached pages, that nonce is stale by the time visitors load the page. WordPress core’s rest_cookie_check_errors() sees the invalid nonce and returns a 403 before the public permission callback is ever evaluated — which is why you’re seeing those 403 entries in your access logs.
The fix: We’ve removed the unnecessary nonce header from the AJAX request. Since the endpoint is public by design (the key is already visible in the page HTML and is only useful with JavaScript execution), no authentication is needed. This fix will be included in v5.7.7.
In the meantime, the 403s are harmless to your visitors — the JavaScript gracefully falls back to the key already embedded in the cached page HTML. Form submissions will still work as long as that embedded key hasn’t rotated out (the plugin accepts both the current and previous key to handle this). So your visitors aren’t being blocked from submitting forms; they’re just generating unnecessary 403 log noise.
If you have a moment, we’d really appreciate it if you could leave a review on the WordPress plugin page. It helps us continue improving the plugin and honestly keeps us motivated to keep building it. Thanks!
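To make the failure mode above concrete, here is an added JavaScript model of the refresh path Ben describes. It is example code written for this page, not the plugin's own code and not something posted in the thread. The endpoint path, the 12-hour threshold, the stale X-WP-Nonce header, and the "current or previous key" acceptance rule come from the reply above; every function name, the `page` and `server` object shapes, the constructed WordPress stand-in, and the sample keys and nonces are assumptions for illustration only.

```javascript
// Added example (not the plugin's own code). It models the key-refresh path
// from the thread: a cached page carries an embedded anti-spam key and the
// nonce that was valid when the page was rendered; once the key is older
// than 12 hours the browser asks the public REST endpoint for a fresh one.
// Assumed for illustration: all function names, the page/server object
// shapes, the sample keys and nonces, and the fake WordPress stub below.

const KEY_ENDPOINT = '/wp-json/zero-spam/v5/davidwalsh-key'; // from the thread
const MAX_KEY_AGE_MS = 12 * 60 * 60 * 1000;                   // from the thread

// Constructed stand-in for WordPress core's REST dispatcher. It is synchronous
// (real fetch is async) so the example runs without a browser or a server.
// The route is public (permission_callback '__return_true'), but the cookie
// nonce check runs first: a request that carries an X-WP-Nonce header which
// no longer validates is rejected with 403 before the permission callback is
// ever evaluated. A request with no nonce header reaches the public callback.
function makeFakeWordPress(server) {
  return function fetchStub(url, init = {}) {
    const headers = init.headers || {};
    if (url !== KEY_ENDPOINT) {
      return { ok: false, status: 404, body: { code: 'rest_no_route' } };
    }
    if ('X-WP-Nonce' in headers && headers['X-WP-Nonce'] !== server.validNonce) {
      return { ok: false, status: 403, body: { code: 'rest_cookie_invalid_nonce' } };
    }
    return { ok: true, status: 200, body: { key: server.currentKey } };
  };
}

function isStale(page, nowMs) {
  return nowMs - page.renderedAtMs > MAX_KEY_AGE_MS;
}

// Client-side refresh. sendNonce: true reproduces the pre-5.7.7 behaviour
// (the nonce baked into the cached HTML is sent along); sendNonce: false is
// the fix. Either way a failed request falls back to the embedded key.
function refreshKey(fetchStub, page, nowMs, { sendNonce }) {
  if (!isStale(page, nowMs)) {
    return { key: page.embeddedKey, source: 'embedded', status: null };
  }
  const init = sendNonce ? { headers: { 'X-WP-Nonce': page.embeddedNonce } } : {};
  const res = fetchStub(KEY_ENDPOINT, init);
  if (!res.ok) {
    return { key: page.embeddedKey, source: 'fallback', status: res.status };
  }
  return { key: res.body.key, source: 'refreshed', status: res.status };
}

// Server-side acceptance as described in the thread: the current key and the
// immediately previous one are accepted; anything older is rejected.
function submissionAccepted(server, submittedKey) {
  return submittedKey === server.currentKey || submittedKey === server.previousKey;
}

// Scenario: a page cached 20 hours ago. Since then the nonce changed and the
// key rotated once, so the embedded key is now the server's "previous" key.
const NOW = Date.parse('2025-01-02T20:00:00Z');
const page = {
  renderedAtMs: NOW - 20 * 60 * 60 * 1000,
  embeddedKey: 'key-A',
  embeddedNonce: 'nonce-from-render-time',
};
const server = { validNonce: 'nonce-now', currentKey: 'key-B', previousKey: 'key-A' };
const wp = makeFakeWordPress(server);

function runScenario() {
  const buggy = refreshKey(wp, page, NOW, { sendNonce: true });  // 403, keeps key-A
  const fixed = refreshKey(wp, page, NOW, { sendNonce: false }); // 200, gets key-B
  return {
    buggy,
    buggyAccepted: submissionAccepted(server, buggy.key), // still true: key-A is the previous key
    fixed,
    fixedAccepted: submissionAccepted(server, fixed.key),
  };
}

// Once the embedded key has rotated out entirely, the buggy client's fallback
// key is no longer accepted while the fixed client's refreshed key is.
function runRotatedOutScenario() {
  const rotated = { validNonce: 'nonce-now', currentKey: 'key-C', previousKey: 'key-B' };
  const wp2 = makeFakeWordPress(rotated);
  const buggy = refreshKey(wp2, page, NOW, { sendNonce: true });
  const fixed = refreshKey(wp2, page, NOW, { sendNonce: false });
  return {
    buggyAccepted: submissionAccepted(rotated, buggy.key),
    fixedAccepted: submissionAccepted(rotated, fixed.key),
  };
}

console.log(runScenario());
console.log(runRotatedOutScenario());
```

Run it with `node`. The first scenario shows why the 403s are log noise rather than a visitor-facing failure: the stale-nonce request is refused, the client falls back to the embedded key, and the server still accepts that key because it is the previous one. The second scenario shows the limit of that fallback, and why dropping the nonce header (the endpoint is public anyway) is the right fix rather than trying to refresh the nonce.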
Thanks Ben, I appreciate you looking into it.