[wp-trac] [WordPress Trac] #52916: can_perform_loopback() should not rely on wp-cron.php check
WordPress Trac
noreply at wordpress.org
Fri Mar 26 05:21:18 UTC 2021
#52916: can_perform_loopback() should not rely on wp-cron.php check
--------------------------------+-----------------------------
Reporter: dvershinin | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 5.7
Severity: minor | Keywords:
Focuses: ui, administration |
--------------------------------+-----------------------------
It is quite often that users would want to prevent/hide access to /wp-
cron.php.
For example, they want to use the real Linux cron scheduler, and invoke
/wp-cron.php only interactively; all while returning "404" on purpose when
/wp-cron.php is requested.
[https://www.getpagespeed.com/server-setup/nginx/best-practice-secure-
nginx-configuration-for-wordpress Here] you can find an NGINX config that
purposely does not list /wp-cron.php as an allowed endpoint, and thus
returning 404 when wp-cron.php is accessed via web, which is fine. The WP
Cron is suggested there to be run via CLI only.
So while the site is still fully functional, WP Admin shows a false-
positive error for the health check: "Your site could not complete a
loopback request".
I propose to:
* use a different endpoint for loopback requests check, something that is
less likely to be disabled by users. wp-json?
* check wp cron being valid using other means, like last run time of a
task.
At the very least, not use /wp-cron.php for any checks when
DISABLE_WP_CRON constant is true.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52916>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list