
Protect external WP-Cron #750

Open
thetwopct opened this issue Mar 14, 2023 · 3 comments
Assignees
Labels
nice to have Not required for deployment

Comments

@thetwopct
Collaborator

From WP Scan:

The external WP-Cron seems to be enabled: https://events.linuxfoundation.org/wp/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - wpscanteam/wpscan#1299

@thetwopct thetwopct self-assigned this Mar 16, 2023
@thetwopct
Collaborator Author

From reading the Pantheon docs it seems that using WP Cron is not recommended:
https://docs.pantheon.io/guides/wordpress-developer/wordpress-cron

Pantheon's WordPress upstream disables WP-Cron by default.

If I understand it correctly, they recommend disabling WP-Cron and then relying on the Pantheon Cron to trigger WP Cron.

@cjyabraham Could you take a look and see what you think?

@thetwopct thetwopct assigned cjyabraham and unassigned thetwopct Mar 16, 2023
@cjyabraham
Collaborator

cjyabraham commented Mar 16, 2023

Ok. I can see the benefit, in general, of using Pantheon cron instead of wp-cron. I guess one downside to consider is it ties us more closely to Pantheon which would make any future platform change more difficult.

In our case, I'm not sure we really face a problem with running wp-cron. Perhaps we should check our server logs to see if it is getting attacked directly in a ddos attack? I don't think wp-cron would be run too often from regular site traffic because 99% of our traffic will hit the cache.

These are just my initial thoughts and the issue requires more research...
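The comment above suggests checking the server logs for direct hits on wp-cron.php. The script below is an added example (not code from this issue or from the site's repository) of that check: it parses combined-format access log lines, counts requests to `/wp/wp-cron.php` per client and per minute, separates WordPress's own self-spawned cron requests (which carry a `WordPress/<version>; <home_url>` user agent) from external ones, and flags clients that exceed a threshold. The log lines are constructed for the example, the combined log format and the burst threshold of 20 requests per minute are assumptions, and the site path comes from the wpscan output in the issue.

```python
"""Spot direct (cache-bypassing) bursts against wp-cron.php in an access log."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: logs use the Apache/Nginx "combined" format:
#   ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?doing_wp_cron=... etc.
    return rec


def is_wp_cron(rec):
    """True for any request whose path is wp-cron.php, whatever the install prefix."""
    return rec["path"].endswith("/wp-cron.php")


def cron_hits_per_minute(lines):
    """{(client_ip, minute): count} for direct wp-cron.php requests."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_wp_cron(rec):
            minute = rec["ts"].replace(second=0, microsecond=0)
            counts[(rec["ip"], minute)] += 1
    return counts


def flag_bursts(lines, threshold=20):
    """Clients whose busiest minute reached `threshold` wp-cron.php hits."""
    peak = defaultdict(int)
    for (ip, _minute), n in cron_hits_per_minute(lines).items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def summarize(lines):
    """Totals: all requests, wp-cron.php requests, and those not self-spawned by WP."""
    total = cron = external = 0
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        total += 1
        if is_wp_cron(rec):
            cron += 1
            # WordPress's own spawn_cron() request identifies itself with a WordPress/ UA.
            if not rec["ua"].startswith("WordPress/"):
                external += 1
    return {"requests": total, "wp_cron": cron, "wp_cron_external": external}


# Constructed sample log lines (documentation IP ranges), not real site traffic.
_LEGIT = [
    '198.51.100.7 - - [14/Mar/2023:10:00:05 +0000] "GET /wp/wp-cron.php?doing_wp_cron=1678788005.1 HTTP/1.1" 200 0 "-" "WordPress/6.1; https://example.invalid"',
    '192.0.2.9 - - [14/Mar/2023:10:00:07 +0000] "GET /blog/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Mar/2023:10:01:02 +0000] "POST /wp/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# One client hammering wp-cron.php 30 times within a single minute.
_BURST = [
    f'203.0.113.5 - - [14/Mar/2023:10:00:{i:02d} +0000] "GET /wp/wp-cron.php HTTP/1.1" 200 0 "-" "curl/7.88.1"'
    for i in range(30)
]
SAMPLE_LOG = _LEGIT + _BURST

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/path/to/access.log") to run over real logs.
    print(summarize(SAMPLE_LOG))
    print(flag_bursts(SAMPLE_LOG))
```

A large `wp_cron_external` count relative to `requests`, or any client in the `flag_bursts` result, is the signal this comment is asking about: those requests reached the origin rather than the CDN edge, and none of them were WordPress's own scheduler. Normal traffic should show wp-cron.php only a handful of times per hour, all with the `WordPress/` user agent.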

@cjyabraham
Collaborator

I re-read this doc. I wouldn't say that Pantheon is recommending people not use wp-cron, it's just that they provide Pantheon cron activated by default instead of wp-cron. I don't think there are any particular downsides to using wp-cron we need to worry about right now, from what it says on that page.

From reading the links provided in wpscan output, it doesn't seem they can say anything conclusive regarding wp-cron being a ddos attack service, however, it is true that we can hit the url here and it returns a 200, whether you are logged in to the wp-admin or not. This means users can bypass the cache CDN layer and hit the site directly through this url, causing system churn. Is that a problem? The rest of the site will still be served via CDN so won't register any slowdown. The difference will only come when the cache needs to rebuild from source as it does, once every 6hrs, or if an editor is editing in the wp-admin.

I think basically we're quite protected from DDOS attacks since 99% of requests get served by edge nodes of the CDN, so there's no centralized attack surface for any DDOS. For an attack to be successful, it would need to overwhelm several hundred CDN nodes at the same time.

We can keep this issue open in case other thoughts arise.

@cjyabraham cjyabraham added the nice to have Not required for deployment label May 13, 2023
Projects
Status: Later

2 participants