Chapters Close

Secure direct access of cron.php file from the browser

Magento forbids calling the Cron manually from the browser by default from htaccess if you are using Apache webserver.

## Deny access to cron.php
<Files cron.php>
############################################
## uncomment the lines below to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.
        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user
############################################
        Order allow,deny
        Deny from all
</Files>

To run Cron directly from the browser, we would have to update .htaccess file before calling the “yoursite.com/cron.php” URL from the browser.
For that, you need to comment out these two lines below:

#Order allow,deny
#Deny from all

What is important here is that if you don’t secure cron.php file using HTTP authorization, any user could potentially run Cron by requesting the “http://example.com/cron.php” URL to attack your Magento application.
From the security perspective, it’s very important to uncomment these lines after generating the .htpasswd file:

AuthName "Cron auth"
AuthUserFile ../.htpasswd
AuthType basic
Require valid-user

There are many online tools available to easily generate .htpasswd.

Just be sure about the path of the .htpasswd file. We can easily find the path of the .htpasswd file using the pwd command from the directory where the .htpasswd file is placed using the console.

It’s important to place the .htpasswd file somewhere that is not accessible from the web. This is so that folks cannot download the .htpasswd file.

Sometimes developer skips this HTTP authorization step which allows any third party to access the cron.php file directly from the URL.

Cheers!

Speak your Mind

Post a Comment

Got a question? Have a feedback? Please feel free to leave your ideas, opinions, and questions in the comments section of our post! ❤️

* This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Grow your online business like 2,385 subscribers

    * This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
    envelope

    Thank You!

    We are reviewing your submission, and will be in touch shortly.