[wp-hackers] Development for 2.next

Scott johnson fuzzygroup at gmail.com
Fri Feb 3 15:41:20 GMT 2006


Another concern about pseudo cron being wgetted from a real cron is it's a
wonderful attack vector. The right approach, imho, is to add a "cron
password" or security key which is used only for that and unique per
installation (and hopefully never ever shows up in a google referer log) and
then the wget only works if that's installed and otherwise it simulates a
systems failure (phil greenspun trick for fooling attackers -- don't say
"nah nah nah - you suck you hacker" say "systems error").

So a UI field for setting this, changing it, etc, and for allowing wget
inbound cron traffic.  I'd also recommend that the wp-*.php script not be
called cron since it lets people know what it is.  wp-etc.php or something
else.  Yeah, security thru obscurity isn't great but every bit helps.

S

On 2/3/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
>
> Scott Merrill wrote:
> > Owen Winkler wrote:
> >> One thing I've advocated is that there be a direct URL in WP-Cron for
> >> wget'ing it from a real cron.  This would allow for reliable execution
> >> that doesn't potentially delay any site output.  It would still work the
> >> same way, executing hooks based on preset intervals, but it could be
> >> made to do it more regularly.
> >
> > I asked in #wordpress for details about this awhile back, but I forget
> > if you answered.  Do you want a single "?cron=go" trigger, which merely
> > executes whatever hook is next scheduled to fire; or do you want more
> > granularity ( "?cron=60" or "?cron=15" ) in order to specifically call
> > just the hooks you want?
> >
>
> I think that a "?cron=go" is probably sufficient, as long as the cron is
> executed as frequently as wp-cron needs.
>
> My suggestion would also be to store the last time wp-cron was executed
> via "?cron=go" in options.  Pseudo-cron would not be triggered if the
> option had a time stored for the last "?cron=go" request that was more
> recent than the required minimum duration between cron executions (15
> minutes?).  That way you can avoid a user option for turning off
> pseudo-cron AND have more reliable execution for when cron isn't working
> or is improperly configured, since pseudo-cron would execute if a
> scheduled cron was somehow skipped.
>
> Owen
>
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



--
-------------------------------------------------------
J. Scott Johnson
Ookles launches 2/28/06 - have you signed up yet?
new startup: http://ookles.com/
blog: http://fuzzyblog.com/
podcast: http://techwarstories.com/
fuzzygroup at gmail.com
aim: fuzzygroup
cell: 857 222 6459
-------------------------------------------------------
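The two ideas in this thread, a per-installation cron key that gates the wget-able endpoint (answering a bad key with a bland "system error") and a stored last-run timestamp that lets pseudo-cron stand down when a real cron has recently fired, sketched as an added, self-contained example. This is not WordPress or WP-Cron code from the thread: the option store is a plain array standing in for the options table, the `X-Cron-Key` header, the function names and the 15-minute figure used as the interval are assumptions, and the key is carried in a request header rather than the query string so it stays out of access logs and Referer headers, which is the leak the post worries about.

```php
<?php
// Added example, not WordPress or WP-Cron code. It sketches the two ideas
// from the thread: a per-installation "cron key" that gates the wget-able
// cron endpoint, and a stored last-run timestamp that lets pseudo-cron stand
// down when a real cron has recently fired. The option store is a plain array
// standing in for get_option()/update_option(); all names are assumptions.

const CRON_MIN_INTERVAL = 15 * 60; // 15 minutes, the figure floated in the thread

/** In-memory stand-in for the options table. */
$options = [
    // A per-installation secret generated once at install time
    // (constructed value; a real one would come from random_bytes()).
    'cron_key'       => 'constructed-example-key-do-not-reuse',
    // Unix timestamp of the last successful real-cron request, 0 = never.
    'cron_last_real' => 0,
];

/**
 * Authenticate a real-cron request. The key is expected in an HTTP header,
 * not the query string, so it does not end up in logs or Referer headers.
 * Returns true on success, false otherwise; never explains why it failed.
 */
function cron_request_is_authorized(array $options, array $headers): bool
{
    $presented = $headers['X-Cron-Key'] ?? '';
    $expected  = $options['cron_key'] ?? '';
    if ($expected === '' || $presented === '') {
        return false;
    }
    // hash_equals() compares in constant time, so a near-miss key cannot be
    // told apart from a completely wrong one by response timing.
    return hash_equals($expected, $presented);
}

/**
 * Handle a "?cron=go" style request. Returns [status, body, options].
 * A bad key produces a generic "System error", not "access denied".
 */
function handle_real_cron(array $options, array $headers, int $now, callable $run_hooks): array
{
    if (!cron_request_is_authorized($options, $headers)) {
        return [500, 'System error', $options];
    }
    $run_hooks($now);
    $options['cron_last_real'] = $now;
    return [200, 'OK', $options];
}

/**
 * Decide whether pseudo-cron (the page-load fallback) should run.
 * It stands down if a real cron ran within CRON_MIN_INTERVAL seconds and
 * steps back in when the real cron is missing or misconfigured.
 */
function pseudo_cron_should_run(array $options, int $now): bool
{
    $last = (int) ($options['cron_last_real'] ?? 0);
    return ($now - $last) >= CRON_MIN_INTERVAL;
}

// --- Walk-through with constructed inputs --------------------------------
$ran = [];
$run_hooks = function (int $at) use (&$ran) { $ran[] = $at; };

$t0 = 1138981280; // constructed timestamp (Feb 2006)

// 1. wget with the wrong key: generic failure, nothing runs, nothing recorded.
[$status, $body, $options] = handle_real_cron($options, ['X-Cron-Key' => 'guess'], $t0, $run_hooks);
printf("wrong key   -> %d %s, hooks run: %d\n", $status, $body, count($ran));

// 2. wget with the right key: hooks run and the timestamp is stored.
[$status, $body, $options] = handle_real_cron($options, ['X-Cron-Key' => $options['cron_key']], $t0, $run_hooks);
printf("right key   -> %d %s, hooks run: %d\n", $status, $body, count($ran));

// 3. A page load 5 minutes later: a real cron just ran, pseudo-cron stands down.
printf("pseudo-cron at +5m : %s\n", pseudo_cron_should_run($options, $t0 + 300) ? 'run' : 'skip');

// 4. A page load 20 minutes later with no real cron since: pseudo-cron fires.
printf("pseudo-cron at +20m: %s\n", pseudo_cron_should_run($options, $t0 + 1200) ? 'run' : 'skip');
```

Run it with `php` on the command line; it needs no web server or WordPress install. The failed-auth branch deliberately returns the same status and body regardless of whether the key was absent, empty or wrong, and it leaves the last-run timestamp untouched, so an unauthenticated request can neither trigger the hooks nor suppress the pseudo-cron fallback.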

