In order to understand this bug I first read through the Wordfence blog post and then read through through the Redux Framework source code to fill in the gaps. I also installed Wordpress with this plugin so that I didn’t have to test things blindly. The relevant code is in inc/class.redux_instances.php. The first hook I looked at is this one: $hash = md5( trailingslashit( network_site_url() ) . '-redux' ); add_action( 'wp_ajax_nopriv_' .