This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

📣 Try the fastest hosting platform with pay-as-you-go pricing & 24/7 expert support! MIGRATE NOW →

A Guide About Securing Cron.php in Magento 2

Updated on December 24, 2021

3 Min Read

Cron job helps you to run a number of scheduled tasks on your applications. Same is the case with Magento 2. If you are using Magento 2, you can easily configure Cron job. In this article, I’m going to show you how you can secure cron.php file that is located in pub/cron.php. You may ask Why do I need to secure cron.php? The answer is: When you secure your cron.php, you have secured your Magento 2 store from the malicious exploit. If your cron is unsecured, any user can run Cron to attack your Magento application.

Magento 2 Cron.php

To secure your Cron, you can do the following:

Create a password file

First, you need to create a password file at any place of your web server, except doc root, with the help of these commands.

mkdir -p /your/private/directory/password
htpasswd -c /your/private/directory/password/passwords <username>

<username> can be the web server user or any other user. I used web server as an example, but the choice of the user is up to you. To add another user to your password file, use the following command with the user who have root privileges:

htpasswd /your/ private / directory /password/passwords <username>

Scalable, Super Fast, & Secure Magento Hosting

Our Clients Love us because we never compromise on these features

Secure cron in .htaccess file

Add security for cron in your Magento 2 .htaccess file:

  • Log in to your Magento 2 server with the user id of the owner of Magento 2 file system.
  • Go to your Magento 2 install dir/pub/ .htaccess and open your .htaccess in text editor.
  • Use the following code in your .htaccess file
<Files cron.php>
AuthType Basic
AuthName "Cron Authentication"
AuthUserFile /usr/local/apache/password/passwords
Require valid-user
</Files>
  • Optionally, Group access for cron. Use this code in your .htaccess file.
<Files cron.php>
AuthType Basic
AuthName "Cron Authentication"
AuthUserFile /usr/local/apache/password/passwords
AuthGroupFile <path to optional group file>
Require group <name>
</Files>

Save your changes and restart Apache service using this command: service httpd restart

Verifying Cron is Secure

You can verify that if pub/cron.php is working or not, and whether it is creating rows in the cron_schedule database table. When you run cron for the first time from the web browser, the cron_schedule table is updated but pub/cron.php requests run at the configured schedule.

  • For cron verification, Login to your Magento 2 database as user with root privileges and use this command
mysql -u magento -p
  • Select your Magento 2 database
use <magento database name>;
  • Now delete all rows from cron_schedule table
TRUNCATE TABLE cron_schedule
  • Now Run cron in browser, For example;

http://yourm2store.com/pub/cron.php?group=default when you open the URL, you see authentication popup on your screen, enter the authorized user’s name and password.

  • Verify whether the rows were added to the table by going to your PHPmyadmin/ MySQL Manager and use this following query:
SELECT * from cron_schedule

If some rows are returned, then you are done with the verification.

Run cron from your web browser

You can run cron using your web browser anytime, e.g. during development. Without security, do not run cron in a web browser and remove restrictions from .htaccess as follows.

  • Login to your Magento 2 server with the user that has permissions to write to the Magento 2 file system.
  • Write the following code in your .htaccess file
## Deny access to cron.php
<Files cron.php>
order allow,deny
deny from all
</Files>

Example

## Deny access  to cron.php
#<Files cron.php>
#order allow,deny
#deny from all
#</Files>

Save your .htaccess file and run the cron in a web browser as follows:

<your magento 2 host name >/<magento 2 root>/pub/cron.php[?group=<group name>]

Where

  • <your Magento 2 host name> is the host name where your Magento 2 is installed.
  • <magento 2 root> is the doc root directory on your web server where you installed Magento 2
  • <group name> is your valid cron group name

The exact URL you use for running Magento 2 application depends on how you configured your web server.

Example,

http://yourm2store.com/magento2/pub/cron.php?group=index

You have just secured your Cron.php file on your Magento 2 store and saved yourself from being hacked. Another important way to secure your Magento 2 from being hacked is to have a hosting service that is reliable, optimized and promptly updated with the latest patches and OS’s. Have your Magento 2 store hosted on Cloudways Managed Magento Hosting and say goodbye to your security worries and slow loading times.

Note: If you run cron with this command, magento can: run, you do not need to do anything. This command uses different types of process that is already secure.

 

Share your opinion in the comment section. COMMENT NOW

Share This Article

Abdur Rahman

Abdur Rahman is the Magento whizz at Cloudways. He is growth ambitious, and aims to learn & share information about Ecommerce & Magento Development through practice and experimentation. He loves to travel and explore new ideas whenever he finds time. Get in touch with him at [email protected]

×

Get Our Newsletter
Be the first to get the latest updates and tutorials.

Thankyou for Subscribing Us!

×

Webinar: How to Get 100% Scores on Core Web Vitals

Join Joe Williams & Aleksandar Savkovic on 29th of March, 2021.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Want to Experience the Cloudways Platform in Its Full Glory?

Take a FREE guided tour of Cloudways and see for yourself how easily you can manage your server & apps on the leading cloud-hosting platform.

Start my tour

CYBER WEEK SAVINGS

  • 0

    Days

  • 0

    Hours

  • 0

    Mints

  • 0

    Sec

GET OFFER

For 4 Months &
40 Free Migrations

For 4 Months &
40 Free Migrations

Upgrade Now