WP-Cron publicly accessible

The /?doing_wp_cron=1 endpoint responds publicly. WordPress uses it to schedule tasks (emails, updates), but because visitors can trigger it, it can overload the server.

Why it matters

On high-traffic sites, WP-Cron can be triggered dozens of times per second. A bot can also exploit it to generate artificial load.

How to fix

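  1. Disable WP-Cron in wp-config.php

    php
    // Stops WordPress from spawning WP-Cron on page loads.
    // Must appear before wp-settings.php is loaded.
    define('DISABLE_WP_CRON', true);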
  2. Create a real system cron job

    bash
    # Replace /var/www/votresite with the path to your WordPress root
    # Add to crontab (every 15 minutes)
    */15 * * * * php /var/www/votresite/wp-cron.php > /dev/null 2>&1

    # Or via WP-CLI (recommended)
    */15 * * * * cd /var/www/votresite && wp cron event run --due-now > /dev/null 2>&1
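  3. Block the public URL via .htaccess

    apache
    # Block public access to WP-Cron (localhost only)
    <Files wp-cron.php>
      <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require ip 127.0.0.1
      </IfModule>
      <IfModule !mod_authz_core.c>
        # Apache 2.2: deny first so that the Allow line takes effect
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
      </IfModule>
    </Files>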
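
To confirm that all three steps took effect, the following script checks each one. It is an added example, not part of the original page or of WordPress itself: the function names are hypothetical, the crontab inspected is the current user's, and treating HTTP 401/403/404 as "blocked" is an assumption.

```shell
#!/bin/sh
# Added example: audit the three hardening steps on one host.

# Step 1: is DISABLE_WP_CRON defined as true (commented-out lines ignored)?
wp_cron_disabled() {  # $1 = path to wp-config.php
  grep -Ev '^[[:space:]]*(//|#|\*|/\*)' "$1" |
    grep -Eiq "define\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Step 2: does the crontab text on stdin contain an active WP-Cron job?
has_system_cron() {
  grep -Ev '^[[:space:]]*#' | grep -Eq 'wp-cron\.php|wp cron event run'
}

# Step 3: interpret the HTTP status returned for wp-cron.php from outside.
classify_status() {  # $1 = HTTP status code
  case "$1" in
    401|403|404) echo blocked ;;
    200)         echo public ;;
    *)           echo unknown ;;
  esac
}

audit() {  # $1 = wp-config.php path, $2 = site base URL (optional)
  if wp_cron_disabled "$1"; then echo "step 1: ok"
  else echo "step 1: DISABLE_WP_CRON is not set to true"; fi

  if crontab -l 2>/dev/null | has_system_cron; then echo "step 2: ok"
  else echo "step 2: no system cron job found for this user"; fi

  if [ -n "$2" ]; then
    # Run this part from a machine other than the web server,
    # otherwise the localhost exception will let the request through.
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$2/wp-cron.php")
    echo "step 3: $(classify_status "$code") (HTTP $code)"
  fi
}

# Usage: sh audit.sh /var/www/votresite/wp-config.php https://your-site.example
if [ "$#" -ge 1 ]; then audit "$@"; fi
```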
