Skip to content

First draft at hook to control wp-cron.php endpoint. #10438

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: trunk
Choose a base branch
from
+53 −12
Open

First draft at hook to control wp-cron.php endpoint. #10438

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e9c6e22
First draft at hook to control wp-cron.php endpoint.
peterwilsoncc Oct 30, 2025
bd3da34
Allow cron endpoint to be cached if bypassd.
peterwilsoncc Oct 30, 2025
5196fa5
multisite
peterwilsoncc Oct 30, 2025
93a44da
Add no-store directive to wp-cron caching.
peterwilsoncc Nov 1, 2025
c589697
Add no-store directive to wp-cron caching.
peterwilsoncc Nov 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 25 additions & 12 deletions src/wp-cron.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,19 +18,11 @@

ignore_user_abort( true );

if ( ! headers_sent() ) {
header( 'Expires: Wed, 11 Jan 1984 05:00:00 GMT' );
header( 'Cache-Control: no-cache, must-revalidate, max-age=0' );
Comment on lines -22 to -23
Copy link
Member

@westonruter westonruter Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't these headers be left right here? They're now sent in two different places below.

Copy link
Contributor Author

@peterwilsoncc peterwilsoncc Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a slight change: if requests are bypassed the no-caching headers aren't sent as it's safe to cache the endpoint as it doesn't need to hit the database.

Copy link
Member

@westonruter westonruter Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, right. Good point

}

// Don't run cron until the request finishes, if possible.
if ( function_exists( 'fastcgi_finish_request' ) ) {
fastcgi_finish_request();
} elseif ( function_exists( 'litespeed_finish_request' ) ) {
litespeed_finish_request();
}

if ( ! empty( $_POST ) || defined( 'DOING_AJAX' ) || defined( 'DOING_CRON' ) ) {
if ( ! headers_sent() ) {
header( 'Expires: Wed, 11 Jan 1984 05:00:00 GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
}
die();
Copy link
Member

@westonruter westonruter Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would seem like a good place to send status_header( 400 ). I'm not sure when this ! empty( $_POST ) || defined( 'DOING_AJAX' ) || defined( 'DOING_CRON' ) condition would happen normally.

}

Expand All @@ -46,6 +38,27 @@
require_once __DIR__ . '/wp-load.php';
}

/** This filter is documented in wp-includes/default-constants.php */
if ( ! apply_filters( 'wp_cron_endpoint_enabled', true ) ) {
if ( ! headers_sent() ) {
header( 'X-WP-Cron: Bypass' );
Copy link
Member

@westonruter westonruter Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of a custom header, what about:

Suggested change
header( 'X-WP-Cron: Bypass' );
status_header( 403 );

Copy link
Contributor Author

@peterwilsoncc peterwilsoncc Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy to do this if batcache caches 403 responses (pending adding output to the page, as discussed on the ticket).

}
die();
}

if ( ! headers_sent() ) {
header( 'Expires: Wed, 11 Jan 1984 05:00:00 GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
header( 'X-WP-Cron: Spawned' );
Copy link
Member

@westonruter westonruter Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of sending this here, what if below where it does:

if ( empty( $crons ) ) {
	die();
}

It could be changed to:

if ( empty( $crons ) ) {
	status_header( 304 );
	die();
} else {
	status_header( 200 );
}

Copy link
Contributor Author

@peterwilsoncc peterwilsoncc Nov 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm unsure. It's still a successful request if the cron array is empty, it just happens that there are no jobs to spawn. It would also require the DB request be made before the fast finish.

}

// Don't run cron until the request finishes, if possible.
if ( function_exists( 'fastcgi_finish_request' ) ) {
fastcgi_finish_request();
} elseif ( function_exists( 'litespeed_finish_request' ) ) {
litespeed_finish_request();
}

// Attempt to raise the PHP memory limit for cron event processing.
wp_raise_memory_limit( 'cron' );

Expand Down
28 changes: 28 additions & 0 deletions src/wp-includes/default-constants.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -398,6 +398,34 @@ function wp_functionality_constants() {
if ( ! defined( 'WP_CRON_LOCK_TIMEOUT' ) ) {
define( 'WP_CRON_LOCK_TIMEOUT', MINUTE_IN_SECONDS );
}

if ( ! defined( 'DISABLE_WP_CRON' ) ) {
/**
* Filters whether the wp-cron.php endpoint spawns the WP-Cron process.
*
* Use the filter to disable the wp-cron.php endpoint from spawning cron jobs. This
* filter must only be used if an alternative approach to firing cron jobs is enabled
* on the server.
*
* When disabling the wp-cron.php endpoint, you must ensure that cron jobs are still
* fired by using an alternative method such as WP CLI.
*
* For single site installs, the following WP CLI command can be scheduled via a system
* cron job: `wp cron event run --due-now`. For multisite installs, the command must be
* run for each site by specifying the global `--url` parameter.
*
* When disabling the wp-cron.php endpoint via the filter, the filter must be added on
* or prior to the `plugins_loaded` hook to ensure it takes effect.
*
* @since x.x.x
*
* @link https://developer.wordpress.org/cli/commands/cron/event/
*
* @param bool $wp_cron_endpoint_enabled Whether to enable the wp-cron.php endpoint. Default true.
*/
$wp_cron_endpoint_enabled = (bool) apply_filters( 'wp_cron_endpoint_enabled', true );
define( 'DISABLE_WP_CRON', ! $wp_cron_endpoint_enabled );
}
}

/**
Expand Down
Loading