PHP cron events
WP Crontrol allows administrative users to create and manage events in the WP-Cron system that execute PHP code. This functionality is subject to the restrictive security permissions documented below.
Which users can manage PHP cron events?
Only users with the edit_files capability can manage PHP cron events in WP Crontrol. If a user does not have the ability to edit files in the WordPress admin area via the Plugin Editor or Theme Editor menu then they cannot add, edit, or delete a PHP cron event.
By default only Administrators have this capability, and with Multisite enabled only Super Admins have this capability.
If file editing has been disabled via the DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT configuration constant in WordPress then adding, editing, or deleting a PHP cron event will not be permitted.
Support for the CRONTROL_DISALLOW_PHP_EVENTS constant is new in WP Crontrol 1.18.
If the CRONTROL_DISALLOW_PHP_EVENTS constant is defined and set to true then PHP cron events will be disabled completely. Any existing PHP cron events will remain in place but their PHP code will not be executed, and no PHP cron events can be added, edited, or manually run. Users with permission to edit PHP cron events will still be able to delete these events.
Is this feature dangerous?
The user capability required to create, edit, and execute PHP code via WP Crontrol exactly matches that which is required to edit PHP files in a standard WordPress installation. Therefore the user access level required to execute PHP code does not change with WP Crontrol activated.
If you wish to prevent PHP cron events from being added or edited on your site then you can do one of the following:
- Define the DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT configuration constant in your wp-config.php file. This will prevent PHP cron events from being added, edited, or deleted.
- Define the CRONTROL_DISALLOW_PHP_EVENTS constant as true in your wp-config.php file. This will disable PHP cron events completely, as documented above.
How do I create a new PHP cron event?
In the Tools → Cron Events menu, click on Add New Cron Event. Select the PHP cron event option for the event type and enter the schedule and next run time. In the PHP Code section, enter the PHP code that should be run when your cron event is executed. Do not include the PHP opening <?php tag.
Fill out any other details as required and press the Add Event button.
Can I lock PHP cron events so that others cannot edit them?
Yes. You can create or edit a PHP cron event, save it, and then define the DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT configuration constant as documented above to prevent further changes to the event from the Cron Events screen. The event will continue to run at its scheduled interval as expected but it will not be editable.
If you need to edit the event in the future, you can temporarily remove the relevant configuration constant, make your required changes to the event, and then reinstate the constant to re-lock it.
How can I create a cron event that requests a URL?
You don't need to use a PHP cron event for this. From the Tools → Cron Events menu, click Add New Cron Event and select the URL cron event option. Fill out the details as required and press the Add Event button.
Can the code in PHP cron events be tampered with?
No. The PHP code that's saved in a PHP cron event is protected with an integrity check which prevents it from being executed if the code is tampered with.
PHP cron events are secured via an integrity check that makes use of an HMAC to store a hash of the PHP code alongside the code when the event is saved. When the event runs, the hash is checked to ensure the integrity of the PHP code and confirm that it has not been tampered with. WP Crontrol will not execute the PHP code if the hashes do not match or if a stored hash is not present.
If an attacker with database-level access were to modify the PHP code in an event in an attempt to execute arbitrary code, the code would no longer execute.
The same anti-tampering feature protects URL cron events too.
Why do I see "Needs checking" next to my cron events?
The integrity checking mechanism documented above was introduced in WP Crontrol 1.16.2 (released in March 2024). If you have PHP cron events stored on your site prior to updating to this version or later then you'll need to check and re-save your PHP cron events so the hash can be generated and saved alongside the PHP code.
Otherwise if WP Crontrol is showing you a message saying your PHP or URL cron events need to be checked, this could either mean there is a real problem caused by tampering of the events, or it could be caused by the security salts on your site having been changed.
See here for complete documentation about cron events which need to be checked.
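The integrity check and the "Needs checking" state described above can be sketched as follows. This is an added example, not WP Crontrol's own code: the function names, the SHA-256 choice and the key strings are assumptions, with the key standing in for a site secret that is kept outside the database.

```php
<?php
// Added illustration only; function names, algorithm and keys are assumptions.

/** Build the stored record: the code plus an HMAC of it under the site key. */
function seal_event(string $code, string $key): array
{
    return ['code' => $code, 'hash' => hash_hmac('sha256', $code, $key)];
}

/** Classify a stored record: 'ok', 'missing-hash' or 'mismatch'. */
function check_event(array $event, string $key): string
{
    $stored = $event['hash'] ?? null;
    if (!is_string($stored) || $stored === '') {
        return 'missing-hash'; // e.g. an event saved before hashes were stored
    }
    $expected = hash_hmac('sha256', (string) ($event['code'] ?? ''), $key);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $stored) ? 'ok' : 'mismatch';
}

/** Gate execution on the check; this sketch never evaluates the stored code. */
function may_execute(array $event, string $key): bool
{
    return check_event($event, $key) === 'ok';
}

// Constructed sample data.
$key   = 'constructed-site-secret-1';
$event = seal_event('do_action("my_hourly_task");', $key);

$cases = [
    'untouched event'        => [$event, $key],
    'code edited in storage' => [array_merge($event, ['code' => 'other_code();']), $key],
    'hash removed'           => [['code' => $event['code']], $key],
    'site secret rotated'    => [$event, 'constructed-site-secret-2'],
];

foreach ($cases as $label => [$record, $k]) {
    printf("%-24s %-13s execute=%s\n", $label, check_event($record, $k),
        may_execute($record, $k) ? 'yes' : 'no');
}
```

The rotated-secret case reports the same mismatch as a tampered record, which is why a salt change and real tampering both lead to the same prompt to check and re-save the event.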