[wp-trac] [WordPress Trac] #52916: can_perform_loopback() should not rely on wp-cron.php check

WordPress Trac noreply at wordpress.org
Fri Mar 26 05:21:18 UTC 2021


#52916: can_perform_loopback() should not rely on wp-cron.php check
--------------------------------+-----------------------------
 Reporter:  dvershinin          |      Owner:  (none)
     Type:  enhancement         |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Administration      |    Version:  5.7
 Severity:  minor               |   Keywords:
  Focuses:  ui, administration  |
--------------------------------+-----------------------------
 It is quite often that users would want to prevent/hide access to
 /wp-cron.php.

 For example, they want to use the real Linux cron scheduler, and invoke
 /wp-cron.php only interactively; all while returning "404" on purpose when
 /wp-cron.php is requested.

 [https://www.getpagespeed.com/server-setup/nginx/best-practice-secure-nginx-configuration-for-wordpress Here]
 you can find an NGINX config that purposely does not list /wp-cron.php as
 an allowed endpoint, and thus returns 404 when wp-cron.php is accessed via
 web, which is fine. The WP Cron is suggested there to be run via CLI only.

 So while the site is still fully functional, WP Admin shows a false-
 positive error for the health check: "Your site could not complete a
 loopback request".

 I propose to:

 * use a different endpoint for loopback requests check, something that is
 less likely to be disabled by users. wp-json?
 * check wp cron being valid using other means, like last run time of a
 task.

 At the very least, not use /wp-cron.php for any checks when
 DISABLE_WP_CRON constant is true.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52916>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
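
One way a site operator could apply the ticket's last two suggestions today, as an added example that is not WordPress core code and not from the reporter: a must-use plugin that, only when DISABLE_WP_CRON is true, drops the wp-cron.php-based loopback test and reports how late the oldest due event is instead (a stand-in for "last run time"). The function names, the test key `example_cron_age` and the 10-minute tolerance are assumptions.

```php
<?php
/**
 * Plugin Name: Site Health cron check without wp-cron.php (added example)
 * Hypothetical mu-plugin; names and threshold below are assumptions.
 */

add_filter( 'site_status_tests', 'example_swap_loopback_for_cron_age' );

function example_swap_loopback_for_cron_age( $tests ) {
	// Act only when web-triggered cron was switched off on purpose.
	if ( ! defined( 'DISABLE_WP_CRON' ) || ! DISABLE_WP_CRON ) {
		return $tests;
	}

	// This test requests wp-cron.php, which the web server answers with 404.
	// Removing it also hides real loopback failures, so keep the
	// replacement test below in place.
	unset( $tests['async']['loopback_requests'] );

	$tests['direct']['example_cron_age'] = array(
		'label' => 'Scheduled events are run by the system cron',
		'test'  => 'example_test_cron_age',
	);
	return $tests;
}

function example_test_cron_age() {
	// Assumed tolerance; set it a little above the crontab interval.
	$max_delay = 10 * MINUTE_IN_SECONDS;

	// Keys of the cron array are the Unix times at which events are due.
	$crons   = _get_cron_array();
	$overdue = 0;
	foreach ( array_keys( is_array( $crons ) ? $crons : array() ) as $due ) {
		$overdue = max( $overdue, time() - (int) $due );
	}
	$late = $overdue > $max_delay;

	return array(
		'label'       => $late ? 'Scheduled events are overdue' : 'Scheduled events are running on time',
		'status'      => $late ? 'critical' : 'good',
		'badge'       => array( 'label' => 'Performance', 'color' => 'blue' ),
		'description' => sprintf( '<p>The oldest due event is %d seconds late.</p>', $overdue ),
		'actions'     => '',
		'test'        => 'example_cron_age',
	);
}
```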

