This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

This holiday season, maximize your sales through enhanced website performance and 24/7 caring support. SAVE 30% NOW

A Guide About Securing Cron.php in Magento 2

Updated on  8th February

3 Min Read
Reading Time: 3 minutes

Cron job helps you to run a number of scheduled tasks on your applications. Same is the case with Magento 2. If you are using Magento 2, you can easily configure Cron job. In this article, I’m going to show you how you can secure cron.php file that is located in pub/cron.php. You may ask Why do I need to secure cron.php? The answer is: When you secure your cron.php, you have secured your Magento 2 store from the malicious exploit. If your cron is unsecured, any user can run Cron to attack your Magento application.

Magento 2 Cron.php

To secure your Cron, you can do the following:

Create a password file

First, you need to create a password file at any place of your web server, except doc root, with the help of these commands.

<username> can be the web server user or any other user. I used web server as an example, but the choice of the user is up to you. To add another user to your password file, use the following command with the user who have root privileges:

Secure cron in .htaccess file

Add security for cron in your Magento 2 .htaccess file:

  • Log in to your Magento 2 server with the user id of the owner of Magento 2 file system.
  • Go to your Magento 2 install dir/pub/ .htaccess and open your .htaccess in text editor.
  • Use the following code in your .htaccess file

  • Optionally, Group access for cron. Use this code in your .htaccess file.

Save your changes and restart Apache service using this command: service httpd restart

Verifying Cron is Secure

You can verify that if pub/cron.php is working or not, and whether it is creating rows in the cron_schedule database table. When you run cron for the first time from the web browser, the cron_schedule table is updated but pub/cron.php requests run at the configured schedule.

  • For cron verification, Login to your Magento 2 database as user with root privileges and use this command

  • Select your Magento 2 database

  • Now delete all rows from cron_schedule table

  • Now Run cron in browser, For example; when you open the URL, you see authentication popup on your screen, enter the authorized user’s name and password.

  • Verify whether the rows were added to the table by going to your PHPmyadmin/ MySQL Manager and use this following query:

If some rows are returned, then you are done with the verification.

Run cron from your web browser

You can run cron using your web browser anytime, e.g. during development. Without security, do not run cron in a web browser and remove restrictions from .htaccess as follows.

  • Login to your Magento 2 server with the user that has permissions to write to the Magento 2 file system.
  • Write the following code in your .htaccess file


Save your .htaccess file and run the cron in a web browser as follows:

<your magento 2 host name >/<magento 2 root>/pub/cron.php[?group=<group name>]


  • <your Magento 2 host name> is the host name where your Magento 2 is installed.
  • <magento 2 root> is the doc root directory on your web server where you installed Magento 2
  • <group name> is your valid cron group name

The exact URL you use for running Magento 2 application depends on how you configured your web server.


You have just secured your Cron.php file on your Magento 2 store and saved yourself from being hacked. Another important way to secure your Magento 2 from being hacked is to have a hosting service that is reliable, optimized and promptly updated with the latest patches and OS’s. Have your Magento 2 store hosted on Cloudways Managed Magento Hosting and say goodbye to your security worries and slow loading times.

Note: If you run cron with this command, magento can: run, you do not need to do anything. This command uses different types of process that is already secure.


Share your opinion in the comment section. COMMENT NOW


Cloudways is a European MSP that provides custom cloud design, deployment and management solutions on leading cloud providers.

Start Growing with Cloudways Today.

Our Clients Love us because we never compromise on these

Get Our Newsletter
Be the first to get the latest updates and tutorials.