A cron job lets you run scheduled tasks for your applications, and Magento 2 is no different: if you are using Magento 2, you can easily configure a cron job. In this article, I’m going to show you how to secure the cron.php file located at pub/cron.php. You may ask why you need to secure cron.php. The answer is that when you secure cron.php, you protect your Magento 2 store from malicious use of it: if cron is unsecured, any user can trigger cron runs against your Magento application.
To secure your Cron, you can do the following:
Create a password file
First, create a password file anywhere on your web server except the document root, with the help of these commands:
mkdir -p /your/private/directory/password
htpasswd -c /your/private/directory/password/passwords <username>
<username> can be the web server user or any other user. I used the web server user as an example, but the choice of user is up to you. To add another user to your password file, run the following command as a user with root privileges:
htpasswd /your/private/directory/password/passwords <username>
Secure cron in .htaccess file
Add security for cron in your Magento 2 .htaccess file:
- Log in to your Magento 2 server as the user that owns the Magento 2 file system.
- Go to <your Magento 2 install dir>/pub/.htaccess and open the .htaccess file in a text editor.
- Add the following code to your .htaccess file:
<Files cron.php>
    AuthType Basic
    AuthName "Cron Authentication"
    AuthUserFile /usr/local/apache/password/passwords
    Require valid-user
</Files>
- Optionally, to grant access to a group of users instead, use this code in your .htaccess file:
<Files cron.php>
    AuthType Basic
    AuthName "Cron Authentication"
    AuthUserFile /usr/local/apache/password/passwords
    AuthGroupFile <path to optional group file>
    Require group <name>
</Files>
Save your changes and restart Apache service using this command: service httpd restart
Verifying Cron is Secure
You can verify that pub/cron.php is working by checking whether it creates rows in the cron_schedule database table. When you run cron for the first time from a web browser, the cron_schedule table is populated; after that, pub/cron.php requests run at the configured schedule.
- To verify cron, log in to your Magento 2 database as a user with root privileges using this command:
mysql -u magento -p
- Select your Magento 2 database:
use <magento database name>;
- Now delete all rows from the cron_schedule table:
TRUNCATE TABLE cron_schedule;
- Now run cron in a browser, for example:
http://yourm2store.com/pub/cron.php?group=default
When you open the URL, an authentication popup appears on your screen; enter the authorized user’s name and password.
- Verify whether rows were added to the table by going to phpMyAdmin or your MySQL manager and running the following query:
SELECT * FROM cron_schedule;
If some rows are returned, the verification is complete.
Run cron from your web browser
You can run cron from your web browser at any time, for example during development. Do not run cron from a web browser without security in place; to allow browser access, remove the restriction from .htaccess as follows.
- Log in to your Magento 2 server as a user with permission to write to the Magento 2 file system.
- Locate the following block in your .htaccess file and comment it out, as in the example that follows:
## Deny access to cron.php
<Files cron.php>
    order allow,deny
    deny from all
</Files>
Example
## Deny access to cron.php
#<Files cron.php>
#order allow,deny
#deny from all
#</Files>
Save your .htaccess file and run the cron in a web browser as follows:
<your magento 2 host name>/<magento 2 root>/pub/cron.php[?group=<group name>]
Where
- <your Magento 2 host name> is the host name where your Magento 2 is installed.
- <magento 2 root> is the document root directory on your web server where you installed Magento 2.
- <group name> is a valid cron group name.
The exact URL you use to run the Magento 2 application depends on how you configured your web server.
For example:
http://yourm2store.com/magento2/pub/cron.php?group=index
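As an added example (not part of the original article or of Magento itself), here is a small POSIX shell audit of the pub/.htaccess states this article describes: it reports cron.php as protected when the Basic auth block or the deny-all block is active, as unprotected when the block is missing or fully commented out, and as weak when the AuthUserFile sits inside the document root. The function name check_cron_protection and the sample files are assumptions for this demo, and it only matches a block written exactly as <Files cron.php>.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Magento 2 pub/.htaccess
# and report whether cron.php is protected. check_cron_protection and the
# sample inputs are assumptions for this demo.

check_cron_protection() {
  htaccess="$1"   # path to pub/.htaccess
  docroot="$2"    # web server document root; the password file must not live under it
  # Extract the <Files cron.php> ... </Files> block and drop commented lines, so a
  # fully commented-out block (the article's "Example") counts as absent.
  block=$(sed -n '/<Files cron.php>/,/<\/Files>/p' "$htaccess" | grep -v '^[[:space:]]*#' || true)
  [ -n "$block" ] || { echo "UNPROTECTED: no active <Files cron.php> block"; return 1; }
  # Deny-all block: browser access to cron.php is switched off entirely.
  if printf '%s\n' "$block" | grep -qi 'deny from all'; then
    echo "PROTECTED: cron.php denied to all browser clients"; return 0
  fi
  # Basic auth block: all three directives must be present.
  printf '%s\n' "$block" | grep -qi 'AuthType Basic' \
    || { echo "UNPROTECTED: no AuthType Basic"; return 1; }
  printf '%s\n' "$block" | grep -qiE 'Require (valid-user|group)' \
    || { echo "UNPROTECTED: no Require valid-user / Require group"; return 1; }
  pwfile=$(printf '%s\n' "$block" | awk 'tolower($1)=="authuserfile" {print $2}')
  [ -n "$pwfile" ] || { echo "UNPROTECTED: no AuthUserFile"; return 1; }
  # The article requires the password file to be outside the doc root.
  case "$pwfile" in
    "$docroot"/*) echo "WEAK: password file $pwfile is inside the doc root"; return 1 ;;
  esac
  echo "PROTECTED: Basic auth, password file $pwfile"; return 0
}

# Usage (paths are assumptions):
#   check_cron_protection /var/www/magento2/pub/.htaccess /var/www/magento2
```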
You have just secured your Cron.php file on your Magento 2 store and saved yourself from being hacked. Another important way to secure your Magento 2 from being hacked is to have a hosting service that is reliable, optimized and promptly updated with the latest patches and OS’s. Have your Magento 2 store hosted on Cloudways Managed Magento Hosting and say goodbye to your security worries and slow loading times.
Note: If you run cron with the command magento cron:run, you do not need to do anything; that command uses a different type of process that is already secure.
Abdur Rahman
Abdur Rahman is the Magento whizz at Cloudways. He is growth ambitious, and aims to learn & share information about Ecommerce & Magento Development through practice and experimentation. He loves to travel and explore new ideas whenever he finds time. Get in touch with him at [email protected]