WP-CRON Vulnerability Report Emails:  Bogus?

A response to recent bogus vulnerability reports targeting WordPress wp-cron.php functionality

I’ve seen a few of these trolling attempts now, so it’s worth clarifying for businesses using WordPress.

These security “researchers” are sending official looking vulnerability reports claiming WordPress sites have a critical DDoS vulnerability in wp-cron.php. Complete bullshit designed to extract payment from unsuspecting website owners.

WordPress provides wp-cron.php as a legitimate scheduling system for background processes like checking for updates, publishing scheduled posts, and running plugin maintenance tasks. When someone visits /wp-cron.php on a WordPress site, it checks for scheduled tasks and runs overdue ones. This is normal functionality, not a vulnerability.

Understanding the False Claims

These fake vulnerability reports typically claim that wp-cron.php exposes your site to DDoS attacks because attackers can flood the endpoint with requests. Any web endpoint can be flooded with requests – this isn’t specific to wp-cron.php and doesn’t constitute a vulnerability.

The file wp-cron.php handles the WordPress cron system; that is, it runs WordPress's scheduled tasks. It is intended to be publicly accessible, and that is not a security risk.

The scammers behind these reports often reference CVE-2023-22622, but this CVE doesn’t represent a true vulnerability. Their proof of concept involved sending 999 requests to the file on the website at once. That could cause a website to stop functioning no matter what is requested, unless the server is designed to handle that level of load.

Check for the Vulnerability

We should still verify our wp-cron.php configuration follows best practices. Here’s how to properly assess your site:

Verify Your Protection

First, examine your site’s HTTP headers when accessing wp-cron.php directly:

curl -I https://www.yourcompany.com/wp-cron.php

Look for cache headers like cf-edge-cache: cache,platform=wordpress or similar indicators that your hosting provider is already protecting the endpoint.

Check wp-config.php Settings

Check your wp-config.php file for this line:

define( 'DISABLE_WP_CRON', true );

If this setting exists, wp-cron is already disabled from running on page loads. Most quality hosting providers have already implemented this or similar protections.
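The two checks above can be scripted. The following is an added example, not code from the original post or from any hosting provider: it wraps the curl header check and a wp-config.php scan in shell functions. The site URL and config path are placeholders you replace with your own, and the header names other than cf-edge-cache (cf-cache-status, x-cache, x-kinsta-cache) are assumed examples of what CDNs and managed hosts commonly add.

```bash
#!/bin/sh
# Added example, not from the original post: script the two wp-cron checks.
# Assumptions: curl is installed; the site URL and wp-config.php path passed to
# check_site are placeholders you replace with your own.

# Fetch only the response headers for wp-cron.php (HEAD request, follow redirects,
# bounded wait so a slow site cannot hang the check).
fetch_cron_headers() {
  curl -sI -L --max-time 15 "$1/wp-cron.php"
}

# Read header lines on stdin; exit 0 if an edge-cache header is present.
# cf-edge-cache is the header named in the post; the others are assumed examples
# of what CDNs and managed hosts commonly add.
has_cache_header() {
  grep -iEq '^(cf-edge-cache|cf-cache-status|x-cache|x-kinsta-cache):'
}

# Exit 0 only if wp-config.php actively defines DISABLE_WP_CRON as true:
# either quote style, any spacing, TRUE/true, and not a commented-out line
# (the ^ anchor rejects "// define(...)").
wp_cron_disabled() {
  grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Report both findings for a site.
check_site() {
  site="$1"
  config="$2"
  if fetch_cron_headers "$site" | has_cache_header; then
    echo "edge-cache header present on $site/wp-cron.php"
  else
    echo "no edge-cache header seen on $site/wp-cron.php"
  fi
  if wp_cron_disabled "$config"; then
    echo "DISABLE_WP_CRON is set in $config; wp-cron does not run on page loads"
  else
    echo "DISABLE_WP_CRON is not set in $config; wp-cron still runs on page loads"
  fi
}

# Usage: ./wp-cron-check.sh https://www.yourcompany.com /var/www/html/wp-config.php
if [ "$#" -eq 2 ]; then
  check_site "$1" "$2"
fi
```

A missing edge-cache header is not a finding on its own; it only means you should lean on DISABLE_WP_CRON plus a server-level cron job rather than on the host's cache to keep wp-cron.php off the request path.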

Why You Might Want to Disable WP-CRON Anyway

While wp-cron.php isn’t a security vulnerability, there are legitimate performance reasons to disable it in favor of server-level cron jobs. By default, wp-cron.php fires on every page load, which on high-traffic sites can cause problems.

If you don’t see the DISABLE_WP_CRON configuration option in wp-config.php and you’re hosting at WPEngine or Kinsta, you can enable it through your hosting panels.

Disable WP-CRON Properly

Add this line to your wp-config.php file before the “Happy blogging” comment:

define( 'DISABLE_WP_CRON', true );

Set Up Real Cron Jobs

After disabling wp-cron, you’ll need a replacement. Most hosting providers offer cron job management through their control panels.

For cPanel hosts, create a cron job with this command running every 15 minutes:

*/15 * * * * wget -q -O - https://yourdomain.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1

This runs every 15 minutes instead of on every page load, eliminating the performance impact.
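As an added example (not from the post or from any host's documentation), here is a small wrapper for that server-side cron job. Compared with the one-line wget entry it adds a request timeout, a lock so overlapping runs cannot pile up, and a log line per run. SITE_URL, LOCK_FILE and LOG_FILE are placeholders, and curl and flock are assumed to be installed.

```bash
#!/bin/sh
# Added example, not from the original post or any host's documentation: a wrapper
# for the server-side cron job that replaces page-load wp-cron. Assumptions:
# SITE_URL, LOCK_FILE and LOG_FILE below are placeholders; curl and flock exist.

SITE_URL="${SITE_URL:-https://www.yourcompany.com}"
LOCK_FILE="${LOCK_FILE:-/tmp/wp-cron-runner.lock}"
LOG_FILE="${LOG_FILE:-/tmp/wp-cron-runner.log}"

# Trigger wp-cron once and print only the HTTP status code.
# --max-time bounds the run so a stuck task cannot pile up behind the next tick.
fetch_wp_cron() {
  curl -s -o /dev/null --max-time 60 -w '%{http_code}' "$1/wp-cron.php?doing_wp_cron"
}

# Run one tick, append a log line, return 0 on HTTP 200 and 1 otherwise.
run_wp_cron() {
  status=$(fetch_wp_cron "$SITE_URL") || status="000"   # 000 = curl itself failed
  printf '%s status=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" >> "$LOG_FILE"
  [ "$status" = "200" ]
}

# Hold a lock for the duration so two overlapping cron ticks never trigger
# wp-cron concurrently; if the previous run still holds it, skip this tick.
main() {
  (
    flock -n 9 || { echo "previous wp-cron run still in progress, skipping"; exit 0; }
    run_wp_cron
  ) 9>"$LOCK_FILE"
}

# Only run when invoked as the script itself (not when sourced).
case "${0##*/}" in
  wp-cron-runner.sh) main ;;
esac
```

Save it as wp-cron-runner.sh, make it executable, and point the crontab entry at it (for example `*/15 * * * * /usr/local/bin/wp-cron-runner.sh`). If WP-CLI is available on the server, `wp cron event run --due-now` run from cron is an alternative that does not go through the web server at all.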

Disable WP Cron on WPEngine

WPEngine provides an “Alternate Cron” feature that replaces the default wp-cron behavior. To enable Alternate Cron, simply reach out to WP Engine Support. This runs on their servers independently of site traffic.

Simply setting DISABLE_WP_CRON in the environment’s wp-config.php will not enable WP Engine’s Alternate Cron on its own. Be sure to follow the step above to properly enable Alternate Cron for the environment.

Disable WP Cron on Kinsta

We deal with a lot of high-traffic and demanding sites at Kinsta. Because of this, we’ve seen a lot of performance issues with the WordPress built-in Cron handler: WP-Cron.

On Kinsta you can disable wp-cron through your wp-config.php file, and Kinsta’s server-level cron will handle scheduled tasks automatically. This will not stop cron from running, because each Kinsta server has server-level cron enabled by default; DISABLE_WP_CRON only disables WordPress’s own page-load (“poor man’s”) cron.

Responding to Scam Reports

When you receive these fake vulnerability reports, ignore them completely. The senders are asking for payment to “fix” the non-existent vulnerability. Emails like that are known as beg bounties, because the people sending them ask for money if you engage with them further.

Legitimate security researchers don’t operate this way. Real vulnerabilities are reported through proper channels like the WordPress security team, not through unsolicited emails demanding payment.

Conclusion

WordPress wp-cron.php is not a vulnerability despite what these scam reports claim. The functionality is working as designed and has been protected by hosting providers for over a decade. Focus your security efforts on legitimate concerns like keeping WordPress core, themes, and plugins updated rather than worrying about fake vulnerability reports.

If you want to optimize performance by disabling wp-cron in favor of server-level cron jobs, that’s a worthwhile improvement. But do it for performance reasons, not because someone sent you a bogus security report.