
Secure Direct Access of cron.php File from the Browser

By default, Magento forbids direct access to the cron.php file from the browser via .htaccess if you are using the Apache web server.

## Deny access to cron.php
<Files cron.php>
############################################
## uncomment the lines below to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.
        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user
############################################
        Order allow,deny
        Deny from all
</Files>

To run Cron directly from the browser, you would have to update the .htaccess file before calling the “yoursite.com/cron.php” URL from the browser.
For that, you need to comment out these two lines:

#Order allow,deny
#Deny from all

What is important here is that if you don’t secure the cron.php file using HTTP authorization, any user could potentially run Cron by requesting the “http://example.com/cron.php” URL and use that to attack your Magento application.
From the security perspective, it’s very important to uncomment these lines after generating the .htpasswd file:

AuthName "Cron auth"
AuthUserFile ../.htpasswd
AuthType basic
Require valid-user

There are many online tools available to easily generate .htpasswd.

Just be sure about the path of the .htpasswd file. You can easily find its path using the pwd command in the console; run the command from the directory where the .htpasswd file is placed. Prefer the full absolute path in AuthUserFile, because Apache resolves a relative path against its ServerRoot, not against the directory holding the .htaccess file.

It’s important to place the .htpasswd file somewhere that is not accessible from the web. This is so that folks cannot download the .htpasswd file.
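As an added example (not part of the original post or of Magento), the following script audits the <Files cron.php> block of an .htaccess file for the states described above: fully denied, protected by HTTP authorization, or left open. It goes slightly beyond the post by also recognizing the Apache 2.4 form "Require all denied", and it warns when the AuthUserFile path is relative or inside a document root you pass in. The .htaccess contents and the docroot path are constructed samples.

```python
import re
# Constructed sample: the insecure state the post warns about, with
# "Order allow,deny" / "Deny from all" commented out and no auth enabled.
INSECURE_HTACCESS = """\
<Files cron.php>
        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user
        #Order allow,deny
        #Deny from all
</Files>
"""

# Constructed sample: HTTP auth enabled, password file outside the docroot.
SECURE_HTACCESS = INSECURE_HTACCESS.replace("#Auth", "Auth").replace(
    "#Require valid-user", "Require valid-user").replace(
    "../.htpasswd", "/var/www/.htpasswd")

def active_directives(htaccess):
    """Uncommented directive lines inside <Files cron.php>, or None if absent."""
    m = re.search(r"<Files\s+cron\.php>(.*?)</Files>", htaccess, re.S | re.I)
    if not m:
        return None
    lines = (ln.strip() for ln in m.group(1).splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def audit_cron_block(htaccess, docroot):
    """Return ('denied'|'auth'|'open'|'missing', [warnings about AuthUserFile])."""
    directives = active_directives(htaccess)
    if directives is None:
        return "missing", ["no <Files cron.php> block found"]
    lower = [d.lower() for d in directives]
    # Apache 2.2 "Deny from all" or the 2.4 equivalent "Require all denied".
    if "deny from all" in lower or "require all denied" in lower:
        return "denied", []
    userfile = None
    for d in directives:
        if d.lower().startswith("authuserfile"):
            userfile = d.split(None, 1)[1].strip('"')
    if "require valid-user" not in lower or userfile is None:
        return "open", []  # anyone can request /cron.php
    warnings = []
    if not userfile.startswith("/"):
        warnings.append("relative AuthUserFile resolves against ServerRoot")
    elif userfile.startswith(docroot.rstrip("/") + "/"):
        warnings.append(".htpasswd is inside the document root (downloadable)")
    return "auth", warnings
```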

Sometimes developers skip the HTTP authorization step. This omission allows third parties to run cron.php directly by requesting its URL.

Always secure your cron.php file with HTTP authorization and proper .htpasswd placement to prevent unauthorized direct access to cron.php and protect your Magento store.

Cheers!
