Skip to content
cjhaas blog

Basically a place that Chris can post solutions to problems so he can easily find them later

cjhaas blog

Basically a place that Chris can post solutions to problems so he can easily find them later

Disable WordPress’s cron for XML-RPC requests

Posted on July 28, 2014 By [email protected]

WordPress has a custom task scheduler that gets fired on every single request to a WordPress site. By “fired” I mean that every request involving WordPress causes a lookup to see if there are any tasks waiting to be run and if so runs them. The tasks are actually run by the server sending itself an HTTP POST asynchronously in the background. This is a pretty nifty way of handling tasks, especially since allowing a page to ask a server to run a scheduled task could expose some ugly security problems across the supported platforms. If you’ve got a high traffic site, however, you might want to disable WordPress’s built-in cron system and manually create a cron job on the server that runs at intervals of your own choosing. You can see an example here for cPanel-based installations that should pretty easily translate across platforms. For Windows I’d recommend either using PowerShell which actually has a command called Invoke-WebRequest with two aliases, curl and wget. If you don’t want to use PowerShell then I’d recommend just downloading either wget or curl from a trusted source.

Recently, however, there’s been some big attacks on WordPress’s XML-RPC and XML-RPC actually still invokes WordPress’s task scheduler the same as a normal request. If you have a stuck or malformed task this can result in every XML-RPC request firing a second HTTP POST to your server thus doubling your traffic. The recommended fix is to look through and audit all of your cron tasks. WordPress doesn’t have a built-in way to do this but, as always, there are plugins for this. I’d recommend WP Crontrol because it always you view, run, edit and delete any tasks.

For a more brute-force method, for instance if you don’t have time to audit your crons or are possibly a system admin without access to WordPress, you can still safely disable XML-RPC for cron jobs. To lookup scheduled tasks WordPress looks for the database option key call cron which holds an array of all of the scheduled tasks. Before getting this option from the database, however, WordPress first kindly asks anyone else if they want to control it by calling the filter `pre_option_cron`. If you return anything other than FALSE the database lookup will be short-circuited. Then, from the cron side of things, if anything other than an array is returned from the option lookup call the cron function aborts. Lastly, XML-RPC calls define a request-level constant called XMLRPC_REQUEST that’s set to TRUE. Putting this all together, you can opt into the filter call for pre_option_cron and return TRUE if that constant is set which will disable cron tasks from running during XML-RPC. The below code shows this off and should work just fine in a theme’s functions.php file.

add_filter(
            'pre_option_cron',
            function( $value )
            {
                //Returning false means to process this request normally.
                //Anything value besides false will be passed directly to the calling function.
                //In our case, _get_cron_array defined in wp-includes/cron.php is the only caller
                //for the cron option and it requires that an array is returned or else it stops (cleanly).
                //Since we're returning the value true we'll safely stop WP's cron from running.
                return defined( 'XMLRPC_REQUEST' ) && true === XMLRPC_REQUEST;
            },
            10,
            1
        );

If you’re running PHP 5.2 or less then you can’t use anonymous functions so you’d want something like this instead:

function vendi_disable_cron_during_xml_rpc( $value )
{
    //Returning false means to process this request normally.
    //Anything value besides false will be passed directly to the calling function.
    //In our case, _get_cron_array defined in wp-includes/cron.php is the only caller
    //for the cron option and it requires that an array is returned or else it stops (cleanly).
    //Since we're returning the value true we'll safely stop WP's cron from running.
    return defined( 'XMLRPC_REQUEST' ) && true === XMLRPC_REQUEST;
}

add_filter(
            'pre_option_cron',
            'vendi_disable_cron_during_xml_rpc'
            10,
            1
        );

If you want to make it easier you can just wrap this into a plugin:

<?php
/*
Plugin Name: Vendi - Disable cron in XMLRPC
Version: 1.0.0
Author: Vendi Advertising (Chris Haas)
Author URI: http://www.vendiadvertising.com/
Description: Disables cron tasks during XMLRPC.
*/

add_filter(
            'pre_option_cron',
            function( $value )
            {
                //Returning false means to process this request normally.
                //Anything value besides false will be passed directly to the calling function.
                //In our case, _get_cron_array defined in wp-includes/cron.php is the only caller
                //for the cron option and it requires that an array is returned or else it stops (cleanly).
                //Since we're returning the value true we'll safely stop WP's cron from running.
                return defined( 'XMLRPC_REQUEST' ) && true === XMLRPC_REQUEST;
            },
            10,
            1
        );

If you are a system admin and cannot log into the WordPress install you can add this plugin as must-use plugin very easily. In the wp-content folder just create another folder called mu-plugins (if it doesn’t already exist) and create a brand new file called disable-cron-for-xml-rpc.php (file name actually doesn’t matter, call it whatever you want) and paste the above plugin code into it. Must-use plugins are auto-activated so you don’t need to log into WordPress however you should probably notify your local WP admin of what you’ve done.

Lastly, if you want to install from a URL you can install from this link

Plugins WordPress

Post navigation

Previous post
Next post

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Posts

  • Google open redirect
  • How to use AI to write code
  • Doctrine/Symfony MariaDB DSN connection string
  • Creating a portable copy of pdftotext from source
  • Gravity Forms shortcode getting extra line breaks when used with ACF

Recent Comments

  • jose luis on #2 – VB.Net iTextSharp Tutorial – Add an image to a document
  • Eliezer Castanon on iTextSharp slightly smarter text extraction strategy
  • javad on How to recompress images in a PDF using iTextSharp
  • MANOUS3784 on Flock is awesome
  • Sang on Flock is awesome

Archives

  • June 2026
  • October 2025
  • November 2023
  • September 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • December 2022
  • September 2022
  • April 2022
  • October 2021
  • September 2021
  • April 2021
  • January 2021
  • October 2020
  • August 2020
  • June 2020
  • May 2020
  • December 2019
  • November 2019
  • October 2019
  • July 2019
  • May 2019
  • December 2018
  • October 2018
  • July 2018
  • November 2017
  • October 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • September 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • November 2013
  • May 2013
  • April 2013
  • March 2013
  • January 2013
  • November 2012
  • October 2012
  • July 2012
  • March 2012
  • January 2012
  • October 2011
  • September 2011
  • July 2011
  • February 2011
  • December 2010
  • November 2010
  • October 2010
  • September 2010
  • August 2010
  • June 2010
  • April 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • July 2009
  • June 2009
  • May 2009
  • April 2009

Categories

  • Accessibility
  • Advanced Custom Fields
  • Authorize.Net
  • BWP Minify
  • Composer
  • Crappy Google Search Results of the Day
  • CSS
  • Doctrine
  • Drupal
  • Drush
  • Elasticsearch
  • Fun links of the day
  • Google Analytics
  • Gravity Forms
  • HHVM
  • HTML
  • iTextSharp
  • JavaScript
  • Linux
  • mysql
  • nginx
  • Optimization
  • PDF
  • PdfPTable
  • PHP
  • Plugins
  • Ramblings
  • Random things I learned
  • Redis
  • Security
  • simplesamlphp
  • SQL Server
  • SSH
  • SSL/TLS/HTTPS
  • Stack Overflow
  • SVG
  • Symfony
  • Synology
  • Uncategorized
  • Unicode
  • Varnish
  • Vendi Best Practice
  • VIP
  • Weird Google Search Results
  • Windows
  • WordPress
  • WP-CLI

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
©2026 cjhaas blog | WordPress Theme by SuperbThemes