InspectWP Logo
Glossary

What is WP-Cron?

February 8, 2026

WP-Cron is WordPress's built-in task scheduler. It handles time-based operations like publishing scheduled posts, checking for plugin and theme updates, sending email notifications, clearing expired transients, and running plugin-specific background tasks. Unlike a traditional system cron, WP-Cron is triggered by page visits rather than running on a fixed schedule.

How WP-Cron Works

Every time someone visits your WordPress site, WordPress checks whether any scheduled tasks (cron jobs) are due to run. If a task is overdue, WordPress executes it during that page load. This approach was chosen because WordPress runs on shared hosting where users typically don't have access to the server's system cron.

The Problem with Traffic-Based Cron

This design has several drawbacks:

  • Low-traffic sites — If your site gets few visitors, scheduled tasks may run hours or even days late. Scheduled posts might not publish on time.
  • High-traffic sites — Cron runs on almost every page load, adding overhead. Multiple visitors can trigger the same cron check simultaneously, causing race conditions.
  • Performance impact — Cron tasks execute during a regular page load, potentially slowing down the response for the visitor who triggered it.
  • Unreliable timing — Tasks are only "checked" on visits, so there's no guarantee they run at exactly the scheduled time.

Common Tasks Using WP-Cron

  • Publishing scheduled posts at a specified date and time
  • Checking for WordPress core, plugin, and theme updates
  • Sending scheduled email digests
  • Cleaning up expired transients from the database
  • Processing background tasks from plugins (WooCommerce orders, form submissions, etc.)
  • Creating automatic backups (UpdraftPlus, etc.)

Switching to a Real System Cron

For better reliability and performance, you can disable WP-Cron's traffic-based triggering and use a real system cron instead:

Step 1: Disable WP-Cron in wp-config.php:

define('DISABLE_WP_CRON', true);

Step 2: Set up a system cron job (via your hosting control panel or crontab):

# Run WP-Cron every 5 minutes
*/5 * * * * wget -q -O - https://example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1

# Alternative with curl:
*/5 * * * * curl -s https://example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1

# Alternative with WP-CLI:
*/5 * * * * cd /path/to/wordpress && wp cron event run --due-now >/dev/null 2>&1

Security Considerations

The wp-cron.php file is publicly accessible by default. While it doesn't expose sensitive data, it can be abused in denial-of-service attacks by flooding the endpoint with requests. Some security plugins and server configurations block public access to wp-cron.php and rely solely on system cron.

How InspectWP Helps

InspectWP checks whether your wp-cron.php file is publicly accessible. If you've switched to a system cron and disabled WP-Cron, the endpoint should ideally not be publicly reachable. The report helps you verify your cron configuration.

Previous article

What is oEmbed?

Next article

What is HSTS (HTTP Strict Transport Security)?

Related Articles

Custom Login Page Styling

Enable WordPress Debug Log Safely

Replace WP-Cron with a Real Cron Job

View all articles

Check your WordPress site now

InspectWP analyzes your WordPress site for security issues, SEO problems, GDPR compliance, and performance — for free.

Analyze your site free