• I would like to remove some custom postmeta entries from my database at regular intervals and am looking at using WordPress scheduled events to achieve this. Normally when I write custom code, I use nonces or capability checks for security. Forgive the rookie question but since a scheduled event is system driven and not user driven, how do I incorporate a security check into my function code please?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Topher

    (@topher1kenobe)

    There are a few different things to discuss here. The short answer is that you don’t need the kind of security check you’re thinking of.

    Let’s say you create your query to delete the info, and make a scheduler to run it.

    What bad things could happen if someone figured out how to run it outside of the schedule? Your data would get deleted more often, which I suspect is fine.

    What if they wanted to DDOS your site, and run it a hundred times per second? That’s unlikely, but COULD happen.

    You could create an entry in the options table that says when it was run last, and in your code check that entry, and make sure the query doesn’t run more often than every 24 hours. Update your option every time it DOES run.

    They could still call your script a 100 times per second, but it won’t do much besides check that option.

    So circling back, this is a pretty safe script you’re making. Just think about how it COULD be abused and do whatever you need to to stop that.
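
The last-run check described in the reply above, sketched as a WordPress plugin snippet (an added example, not code posted in this thread). The hook, option and meta key names are hypothetical, and the interval is set slightly under 24 hours as an assumption so that a daily event following a late run is not skipped.

```php
<?php
// Added example: hook, option and meta key names below are hypothetical.
const MYPLUGIN_PRUNE_HOOK   = 'myplugin_prune_postmeta';
const MYPLUGIN_LAST_RUN_OPT = 'myplugin_prune_last_run';
const MYPLUGIN_META_KEY     = '_myplugin_stale_entry';

// Register the recurring event once; WordPress fires the hook when it is due.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( MYPLUGIN_PRUNE_HOOK ) ) {
        wp_schedule_event( time(), 'daily', MYPLUGIN_PRUNE_HOOK );
    }
} );

add_action( MYPLUGIN_PRUNE_HOOK, 'myplugin_prune_postmeta' );

function myplugin_prune_postmeta() {
    // Assumption: one hour of slack under 24 h, so a run that follows a
    // late previous run is not rejected by the guard.
    $min_interval = DAY_IN_SECONDS - HOUR_IN_SECONDS;

    $now      = time();
    $last_run = (int) get_option( MYPLUGIN_LAST_RUN_OPT, 0 );

    // Throttle: anyone can request wp-cron.php, so extra triggers must cost
    // no more than this one option lookup.
    if ( $now - $last_run < $min_interval ) {
        return;
    }

    // Record the run before deleting, so an overlapping request that arrives
    // during the delete finds a fresh timestamp and returns early. This
    // narrows the overlap window; it is not a strict lock.
    update_option( MYPLUGIN_LAST_RUN_OPT, $now, false );

    // The key is a fixed constant and no request input reaches the query,
    // so there is nothing for a caller to influence.
    delete_post_meta_by_key( MYPLUGIN_META_KEY );
}
```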

    Dion

    (@diondesigns)

    Unless WP_CRON is set up to be run as a system CRON task, scheduled events are run when users access the site. Take a look at your browser’s network tab when you access your site…occasionally you’ll see POST requests to wp-cron.php.

    I suggest that you set up your DB pruning script as a standalone system CRON task. You can place the script above the document root to ensure the outside world cannot access it, or if you want the script in the WP root directory, you can add a simple directive to the .htaccess file to block access.

    Thread Starter farnely

    (@farnely)

    Thank you both for your responses.

    @topher1kenobe : I like your suggestion of using an options table entry and you’ve given me something to think about.

    @diondesigns : I have replaced wp cron with a system CRON task. I like the idea of placing the script above root however not so keen on running it from a CRON task in cPanel simply because I’m not sure how many scheduled events I may want to implement and it isn’t easy to organise tasks in cPanel’s CRON manager. Is there any reason why I shouldn’t call the script (if it were placed above root) from within my function in WordPress using require_once or include_once? It doesn’t feel like the “WordPress way” of doing things yet moving wp-config above root appears to be a legitimate thing to do so maybe it would be OK??


The topic ‘Database Maintenance Using Scheduled Event’ is closed to new replies.