Stability and Hardening: the Pool is Closed

After the site had been up for a while, I noticed that my logs were getting spammy with calls to wp-cron.php. WordPress needs to schedule maintenance and background tasks, but it can only run while PHP is serving a request, so it uses page visits as a kind of clock tick to kick the scheduler: on each incoming request, at most once per minute, WordPress sends an extra HTTPS request to itself. This imposes overhead and generates noise in the logs, and reduced visibility means a greater chance of missing important messages.

I disabled wp-cron by setting in my wp-config.php file:

define('DISABLE_WP_CRON', true);

Next, I created a new Docker container that explicitly invokes PHP on wp-cron.php at a regular interval. Because the scheduler is now decoupled from page visits, tasks run more consistently, and cron activity no longer shows up as HTTP requests in my logs, which makes them easier to read.

The next day, I began to notice an increase in bots using the WordPress REST API to dump structured site content, especially my list of users and their metadata. This is a potential security issue in two senses, sensitive information disclosure and added attack surface, so the pool is now closed to unauthenticated users.

{"code":"rest_cannot_access","message":"DRA: Only authenticated users can access the REST API.","data":{"status":401}}

Humans don’t speak JSON!
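The post does not show how the API was closed. One way to do it without a third-party plugin, as an added example rather than the setup used here, is a must-use plugin hooked on WordPress's rest_authentication_errors filter. It assumes a stock layout where files in wp-content/mu-plugins/ are loaded automatically.

```php
<?php
/**
 * Plugin Name: Close REST API to anonymous requests
 *
 * Added example, not this site's own configuration. Place the file in
 * wp-content/mu-plugins/ (assumed stock layout); WordPress loads it
 * without an activation step.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another filter has already allowed or rejected the request: keep its verdict.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Cookie and application-password authentication have already identified
    // the user by this point; core's nonce check for cookie sessions runs later
    // on this same filter, so the default priority is fine here.
    if ( ! is_user_logged_in() ) {
        // Same error code and status as the response shown above.
        return new WP_Error(
            'rest_cannot_access',
            'Only authenticated users can access the REST API.',
            array( 'status' => rest_authorization_required_code() ) // 401 for anonymous callers
        );
    }

    return $result;
} );
```

Front-end features that call the REST API anonymously will receive the 401 as well, so exercise them after enabling this.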

Addendum: I understand why WordPress has a REST API. It enables working with your WordPress data in new ways. However, I am not using it for unauthenticated access. I have no interest in making the lives of bots and content scrapers easier.
