The answer is “could be” but don’t sweat it.

If you’re like us, you regularly receive emails from supposed “white hat hackers” who have found vulnerabilities in your website and are asking you for a bounty. Here is the latest one that’s been annoying our staff, relating to WordPress “cron jobs” (aka scheduled tasks).

Hello, I’m following up on the vulnerability report I submitted. I put considerable effort into identifying and documenting this issue, and I would appreciate it if you could kindly evaluate the report and consider it for a reward.

____________________

Hi, I found a security vulnerability on your website.

wordpress cron job attack

Vulnerability: wp-cron file enabled. Summary: PHP-cron file is enabled. Scheduling posts or publications and really anything date/time oriented is governed by the wp-cron.php file.

Steps to reproduce:
1) Visit https://www.urtech.ca/wp-cron.php
2) You will see a blank page with 200 HTTP status code.
3) You can use the tool Doser for exploiting this
     python3 doser.py -t 999 -g ” https://www.urtech.ca/wp-cron.php “.

Tool link: https://github.com/Quitten/doser.py

Attack scenario: When implemented on a medium or larger site or even a site that is being scanned by bots (which is very common these days), this means you get twice the traffic you are currently handling. It becomes a rudimentary DDoS attack against yourself. This is because the cron is being executed multiple times a minute using an HTTP request. The HTTP request generates additional overhead by having to generate, negotiate and establish the connection over a network socket. It even impacts the effective capacity of your underlying web server. This solution does not fare well in most situations, and honestly, it should be removed as the default behavior due to its propensity to be abused or turned into an attack vector on a server just from regular traffic.

Solution: The only real alternative and the much better solution is to configure a regular system cronjob that executes the wp-cron.php script directly through PHP every minute. This ensures that any scheduled tasks are indeed executed at their scheduled time.

How do I disable the default wp-cron.php behavior? This is pretty universal and simple to do. You need to update your wp-config.php file to include the following setting:
define('DISABLE_WP_CRON', true);

REF1: https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30
REF2: https://github.com/wpscanteam/wpscan/issues/1299

Please look into this issue and let me know if you need more info. Looking forward to your response.

Thanks & Regards,

Personally, I find these sorts of emails to be a minor extortion racket, because they purport to be informing you of some serious flaw in your WordPress site that took them “considerable effort” to figure out.

The person asking for the bounty found a tiny potential problem that is by design (not a flaw), and they likely did nothing but use a common piece of software to find as many sites as they could with that configuration still enabled. It’s more than a bit scammy and we don’t like it.

As for this particular issue, let’s address both the problem and the fix.

The Issue With Cron Jobs in WordPress

The person asking us for money is technically correct; this is an issue. However, it does not quite rise to the level of being a problem. WordPress could be installed on almost any server host, and so the developers of WordPress want to ensure that all core features work regardless of what is hosting it. To that end they run cron (aka scheduled tasks) through the WordPress code, and that does leave the site open to the unlikely possibility of a DDoS attack.

If you are McDonalds, Microsoft, or Nike, this is a very serious risk and you need to mitigate it immediately. If you are small (i.e. < 10,000 visitors per day), like 99.9% of WordPress sites, you are not likely to have a DDoS attack involve your site.

How To Fix Cron Job Vulnerability In WordPress

If you are still worried about this, you can easily eliminate the vulnerability by simply disabling cron jobs in your WordPress installation and turning on cron jobs on the server that hosts your site using cPanel:

How To Disable Cron Jobs in WordPress

WordPress is built on PHP, so you need to spend 5 seconds with an FTP program to edit your wp-config.php file, which should be in the root of your website, as shown in the screenshot above:

  1. Open wp-config.php
  2. Scroll to the bottom
  3. Add define('DISABLE_WP_CRON', true); just above the /* That's all, stop editing! Happy publishing. */ line

That’s it.

How To Enable Cron Jobs in cPanel

  1. Log into your website hosting company’s cPanel
  2. Either scroll to the bottom and select CRON JOBS or just search for CRON in the search bar at the top of the page
  3. Select how often you want it to look for Cron jobs
    • In the example in the screenshot above, we set www.URTech.ca to run cron twice per hour, at minutes 0 and 30
  4. Enter this command at the bottom, substituting your URL for URTECH.CA:
    wget -q -O - https://www.urtech.ca/wp-cron.php?doing_wp_cron >/dev/null 2>&1
  5. Click the ADD NEW CRON JOB button

That’s it.
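Once both steps are done, it is worth confirming that the two halves are actually in place, because a commented-out define or a typo in the cron entry means scheduled posts silently stop. The following script is an added example, not part of the original post; it checks a wp-config.php path and the output of `crontab -l`, and uses constructed sample files (with www.example.com standing in for your URL) so it runs on its own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the page-load cron is
# disabled in wp-config.php AND that a system cron job now fetches wp-cron.php.

# Return 0 when wp-config.php defines DISABLE_WP_CRON as true.
# Commented-out lines (// or #) and "false" values do not count.
wp_cron_disabled() {
    # $1 = path to wp-config.php
    grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Return 0 when the crontab text has an active (uncommented) job that calls wp-cron.php.
system_cron_present() {
    # $1 = crontab contents, e.g. "$(crontab -l 2>/dev/null)"
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' | grep -Fq 'wp-cron.php'
}

# Combined check. Return codes: 0 = both in place, 1 = WordPress cron still enabled,
# 2 = WordPress cron disabled but no system cron (scheduled tasks would stop running).
check_wp_cron_setup() {
    if ! wp_cron_disabled "$1"; then
        echo "DISABLE_WP_CRON is not set to true in $1"
        return 1
    fi
    if ! system_cron_present "$2"; then
        echo "no cron job for wp-cron.php found; scheduled tasks would stop running"
        return 2
    fi
    echo "ok: WordPress page-load cron disabled and system cron present"
}

# --- Constructed sample inputs (not real site data) so the script runs stand-alone ---
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
printf '%s\n' '<?php' "define( 'DB_NAME', 'example' );" \
    "define('DISABLE_WP_CRON', true);" \
    "/* That's all, stop editing! Happy publishing. */" > "$GOOD_CFG"
printf '%s\n' '<?php' "// define('DISABLE_WP_CRON', true);" \
    "/* That's all, stop editing! Happy publishing. */" > "$BAD_CFG"
# Twice per hour at minutes 0 and 30, as in the cPanel steps above.
GOOD_CRON='0,30 * * * * wget -q -O - https://www.example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1'
EMPTY_CRON='# no jobs yet'

check_wp_cron_setup "$GOOD_CFG" "$GOOD_CRON" || true   # ok
check_wp_cron_setup "$BAD_CFG"  "$GOOD_CRON" || true   # define is commented out
check_wp_cron_setup "$GOOD_CFG" "$EMPTY_CRON" || true  # nothing fetching wp-cron.php
```

On a live server, replace the sample files with the real path (for example `check_wp_cron_setup /home/user/public_html/wp-config.php "$(crontab -l)"`).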

Doesn’t WordFence or Other Security Plugins Stop Such Hacks?

In a word, “no”, security plugins do not stop cron job attacks.

While Wordfence (and other robust WordPress security plugins) are excellent at protecting against a wide range of attacks, they have limitations when it comes to the specific “DoS by wp-cron.php” issue we’ve been talking about.

The core problem is that requests to wp-cron.php are, by default, legitimate WordPress requests. They are not inherently malicious in their structure. The issue isn’t about what the request is, but the frequency and impact of those requests on server resources.

If an attacker uses a botnet (a large network of compromised computers), the requests will come from thousands or millions of different, seemingly legitimate IP addresses. Wordfence’s rate limiting would struggle to identify and block these effectively, as each individual IP might only send a few requests, staying under the threshold. A dedicated DDoS mitigation service (like Cloudflare, Sucuri, Akamai) at the network edge is needed for true DDoS protection.
