#64373 closed defect (bug) (wontfix)
To developers bug report / suggestions:
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 6.9 |
| Component: | Cron API | Keywords: | reporter-feedback |
| Focuses: | Cc: |
Description
After investigation of the issue of our corporate mirror website we noticed that the new core gives lots of API calls to different services.
Heartbeat API
WP-Cron: Core updates checks, Plugin/theme update checks, Health checks & transient cleanup etc.
What we have: A cron event crashes or times out → never clears → gets rescheduled → retried on almost every page load – New scheduled tasks related to site health / auto-updates / recovery.
Site Health / Background Checks
Too many, too often REST API checks for availability, Loopback requests, Background updates availability, HTTPS / SSL cert, etc.
Adding here: Auto-Updates / Background Updater
If update checks keep failing (DNS, WAF, connectivity to api.wordpress.org / downloads.wordpress.org):
Cron sees failures
Retries aggressively
Constant remote HTTP calls:
6.9 may have slightly changed behavior around self-repair, auto-rollback, or core health, causing more chatter.
Recovery Mode hooks may:
Re-check, re-log, re-filter
Try to generate links, notifications
Additional note: it is important to know that Cloudflare covers 30% of the global internet, so working with them is essential as there are millions of WordPress users out there.
Two things happened at the same time.
WordPress 6.9 core update – really is misbehaving on some stacks (including Cloudflare setups).
Cloudflare itself had a major global outage on Dec 5 that hit dashboards and APIs.
On December 5, Cloudflare acknowledged a big incident:
Around 40% of global traffic impacted, including dashboard + API requests (that includes great number of WordPress users).
Root cause: an internal change in their WAF / React security patch that went wrong, not an attack.
That means:
Any time a browser → Cloudflare dashboard, or Cloudflare → origin/API, those paths could stall or fail.
From our point of view: “admin suddenly loads in 10 minutes” – because the route, not our server (any server in that matter), was choking.
WordPress 6.9 new core introduction (separate but overlapping).
At the same time:
Agencies are reporting 6.9 breaking big plugins like WooCommerce, Yoast SEO and Elementor unless they’re updated in a specific order.
Other tests show 6.9 can be very fast on frontend, on clean, managed stacks with their own CDN, with no essential plugins: no Wordfence, no Hummingbird, no Yoast SEO, and no Cloudflare.
A Reddit thread from a few days ago shows people with permanent 100% CPU usage on 6.9, especially:
when using the Cloudflare plugin, and
when editing posts (backend side)
So:
On “nice” hosting, with compatible plugins, 6.9 ≈ speed boost.
On more complex / Cloudflare-heavy setups, 6.9 + certain plugins ≈ CPU lock, admin lag, or total freeze.
So what we, as well as many other users, experienced is a major “stack” of API calls, which were repeatedly trying to get through. We noticed on our logs around 7k API calls for cron and checks in 1 min from WordPress 6.9.
Suggestion for the new version 6.9.1:
Perhaps combining API calls as one to one service only – would be a solution for millions.
Working with developers of Cloudflare and making it compatible.
Thank you for your attention.
Regards
Ana – developer
Change History (3)
#2
@
2 months ago
- Resolution set to wontfix
- Status changed from new to closed
Hi Aaron @jorbin ,
Thanks for getting back to me. I'm not much of a developer - just basics.
I'm a communication girl from a media company, our company's core is WordPress, and we are using Cloudflare advanced services.
I'd like to share the point of a person who deeply admires the great development of WordPress developers, and visionary of Cloudflare developers.
I'd like to share my point: WordPress is a great core system for all modern sites, easy to use by big teams, not always computer friendly. Disney, Louis Vuitton - you name it - all are using WordPress. They gave up local developers' work and prefer WordPress. It is so important to work on a global scale. WordPress is a great, modern and dynamic system. Yes, we already figured out API calls, delays that you introduced for 6.9 to make performance priority.BUT you also have to know that modern hackers use API endpoints and sophisticated AI tools.So Cloudflare here is to protect these endpoints against these attacks. Cloudflare's developer team is great and visionary - banks, police departments, global stores - all using Cloudflare, as Cloudflare made WAF as a primary priority.
Do you need a girl like me to put great developer teams together? Yes, they have time. Both of you are actually making the global internet of today.Working together is imperative.I can't contribute to development, but devs from Cloudflare can.
If you can give me an email - normal email - I'll write to both you and Mathiew Prince and Tony Van den Berge explaining how it is important to work together. And surely they'll have a dedicated team to work together. And that would be much more useful than our devs analyses and my bumbling.
What do you think?
Ana
hi @hellobonjour2025, welcome to WordPress Trac.
You seem to be mentioning a handful of things, so I am going to try to address all of them but please note that Trac is used for tracking specific bugs and/or enhacements, not for general feedback.
If the team from Cloudlare, a commercial service, wishes to donate some time to WordPress, they are welcome to. If you are a customer I would encourage you to work with your account manager to make sure they know you want them to focus on ensuring they work well with WordPress.
There are three types of calls:
heartbeat_settingsfilter.If you are interested in working on changing one of these, I would encourage you to open a ticket for that one task. If I missed something you are looking to discuss, please comment here otherwise I will plan to close this out.