When you try to upload a plugin or theme .zip via Plugins → Add New → Upload Plugin (or Appearance → Themes → Add New → Upload Theme), the page redirects to an error screen with the message:
The link you followed has expired.
Refreshing, re-downloading the zip, or logging out and back in does not help.
Why WordPress shows this
The message is misleading. WordPress is reusing its generic "nonce expired" wording for an entirely different problem: the upload was rejected by PHP before the WordPress nonce was even checked. The .zip file exceeded one of the server's upload-size limits, so PHP discarded the POST body. WordPress then sees an empty form submission and assumes the user's nonce token is stale.
Why the message is misleading
The string comes from stock WordPress, not a plugin or host customization:
- Source:
wp_nonce_ays()inwp-includes/functions.php - Defined as:
$html = __( 'The link you followed has expired.' ); - Triggered whenever
check_admin_referer()fails nonce verification
The same message fires for three different causes:
- POST body exceeded
post_max_size— PHP discards the body before WordPress runs, so_wpnonceis missing from$_POST. This is the case covered in this guide. - Genuinely expired nonce — form was left open longer than 24 hours (WordPress's default nonce lifetime).
- CSRF / cross-site submit — nonce missing or from a different session.
How to tell which one you hit: if the file you tried to upload is larger than the Maximum upload file size shown on the upload page, it's cause #1. Nothing will appear in PHP error logs — PHP rejected the body at the web-server boundary before the script ran.
Root cause
The server's PHP configuration has low upload limits. On a fresh WordPress install running the stock PHP image, the defaults are:
| Setting | Default | Typical industry floor |
|---|---|---|
upload_max_filesize |
2 MB | 64 MB |
post_max_size |
8 MB | 64 MB |
memory_limit |
128 MB | 256–512 MB |
A plugin or theme zip larger than upload_max_filesize — or a POST body larger than post_max_size, which includes the file plus form fields — is silently truncated. Any plugin heavier than about 2 MB, which includes most premium plugins, page builders, and WooCommerce extensions, trips this.
How to fix
Raise the PHP limits to the values below. These are what mainstream WordPress hosts (SiteGround, WP Engine, Kinsta) ship by default:
upload_max_filesize = 256M
post_max_size = 256M
memory_limit = 512M
max_execution_time = 300
max_input_time = 300
Where to put this depends on your hosting type:
- Shared / cPanel hosting — add to
php.iniin the WordPress root, or use your host's PHP settings / MultiPHP INI Editor panel. - Managed WordPress hosts — usually a one-click slider in the dashboard, or open a support ticket.
- VPS / Docker — drop an
uploads.inifile in/usr/local/etc/php/conf.d/(Docker) or/etc/php/<ver>/apache2/conf.d/(Linux), then restart PHP/Apache.
After the change, verify in Tools → Site Health → Info → Media Handling — upload_max_filesize should show the new value.
How to confirm this is your problem
- The failing upload's file size is larger than the Maximum upload file size shown on the upload page.
- It only affects large plugin or theme zips. Small ones upload fine.
- Nothing appears in PHP error logs when the upload fails, because PHP rejected it at the web-server level, not during script execution.
Still stuck?
If raising the limits doesn't help, contact support@wpproconverter.com with your host name and the exact file size you tried to upload.