Disable WordPress’s cron for XML-RPC requests

WordPress has a custom task scheduler that gets fired on every single request to a WordPress site. By “fired” I mean that every request involving WordPress causes a lookup to see if there are any tasks waiting to be run and if so runs them. The tasks are actually run by the server sending itself an HTTP POST asynchronously in the background. This is a pretty nifty way of handling tasks, especially since allowing a page to ask a server to run a scheduled task could expose some ugly security problems across the supported platforms. If you’ve got a high traffic site, however, you might want to disable WordPress’s built-in cron system and manually create a cron job on the server that runs at intervals of your own choosing. You can see an example here for cPanel-based installations that should pretty easily translate across platforms. For Windows I’d recommend either using PowerShell which actually has a command called Invoke-WebRequest with two aliases, curl and wget. If you don’t want to use PowerShell then I’d recommend just downloading either wget or curl from a trusted source.

Recently, however, there’s been some big attacks on WordPress’s XML-RPC and XML-RPC actually still invokes WordPress’s task scheduler the same as a normal request. If you have a stuck or malformed task this can result in every XML-RPC request firing a second HTTP POST to your server thus doubling your traffic. The recommended fix is to look through and audit all of your cron tasks. WordPress doesn’t have a built-in way to do this but, as always, there are plugins for this. I’d recommend WP Crontrol because it always you view, run, edit and delete any tasks.

For a more brute-force method, for instance if you don’t have time to audit your crons or are possibly a system admin without access to WordPress, you can still safely disable XML-RPC for cron jobs. To lookup scheduled tasks WordPress looks for the database option key call cron which holds an array of all of the scheduled tasks. Before getting this option from the database, however, WordPress first kindly asks anyone else if they want to control it by calling the filter `pre_option_cron`. If you return anything other than FALSE the database lookup will be short-circuited. Then, from the cron side of things, if anything other than an array is returned from the option lookup call the cron function aborts. Lastly, XML-RPC calls define a request-level constant called XMLRPC_REQUEST that’s set to TRUE. Putting this all together, you can opt into the filter call for pre_option_cron and return TRUE if that constant is set which will disable cron tasks from running during XML-RPC. The below code shows this off and should work just fine in a theme’s functions.php file.

add_filter(
            'pre_option_cron',
            function( $value )
            {
                //Returning false means to process this request normally.
                //Anything value besides false will be passed directly to the calling function.
                //In our case, _get_cron_array defined in wp-includes/cron.php is the only caller
                //for the cron option and it requires that an array is returned or else it stops (cleanly).
                //Since we're returning the value true we'll safely stop WP's cron from running.
                return defined( 'XMLRPC_REQUEST' ) && true === XMLRPC_REQUEST;
            },
            10,
            1
        );

If you’re running PHP 5.2 or less then you can’t use anonymous functions so you’d want something like this instead:

function vendi_disable_cron_during_xml_rpc( $value )
{
    //Returning false means to process this request normally.
    //Anything value besides false will be passed directly to the calling function.
    //In our case, _get_cron_array defined in wp-includes/cron.php is the only caller
    //for the cron option and it requires that an array is returned or else it stops (cleanly).
    //Since we're returning the value true we'll safely stop WP's cron from running.
    return defined( 'XMLRPC_REQUEST' ) && true === XMLRPC_REQUEST;
}

add_filter(
            'pre_option_cron',
            'vendi_disable_cron_during_xml_rpc'
            10,
            1
        );

If you want to make it easier you can just wrap this into a plugin:

<?php
/*
Plugin Name: Vendi - Disable cron in XMLRPC
Version: 1.0.0
Author: Vendi Advertising (Chris Haas)
Author URI: http://www.vendiadvertising.com/
Description: Disables cron tasks during XMLRPC.
*/

add_filter(
            'pre_option_cron',
            function( $value )
            {
                //Returning false means to process this request normally.
                //Anything value besides false will be passed directly to the calling function.
                //In our case, _get_cron_array defined in wp-includes/cron.php is the only caller
                //for the cron option and it requires that an array is returned or else it stops (cleanly).
                //Since we're returning the value true we'll safely stop WP's cron from running.
                return defined( 'XMLRPC_REQUEST' ) && true === XMLRPC_REQUEST;
            },
            10,
            1
        );

If you are a system admin and cannot log into the WordPress install you can add this plugin as must-use plugin very easily. In the wp-content folder just create another folder called mu-plugins (if it doesn’t already exist) and create a brand new file called disable-cron-for-xml-rpc.php (file name actually doesn’t matter, call it whatever you want) and paste the above plugin code into it. Must-use plugins are auto-activated so you don’t need to log into WordPress however you should probably notify your local WP admin of what you’ve done.

Lastly, if you want to install from a URL you can install from this link

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.