Magento Expert Forum - Improve your Magento experience
How To Secure cron.php In Magento 2
In this article I'm going to show you how you can secure the cron.php file that is located at pub/cron.php. You may ask: why do I need to secure cron.php? The answer is: when you secure your cron.php, you have secured your Magento 2 store from malicious exploitation. If your cron is unsecured, any user can run cron to attack your Magento application.
Read Complete Tutorial Here: http://www.cloudways.com/blog/how-to...php-magento-2/
Create a password file
First, you need to create a password file anywhere on your web server except the doc root, with the help of these commands:
mkdir -p /your/private/directory/password
htpasswd -c /your/private/directory/password/passwords <user>
<user> can be the web server user or any other user. I used the web server user as an example, but the choice of the user is up to you. To add another user to your password file, use the following command as a user who has root privileges:
htpasswd /your/private/directory/password/passwords <user>
Secure cron in .htaccess file
Add security for cron in your Magento 2 .htaccess file:
Log in to your Magento 2 server with the user ID of the owner of the Magento 2 file system.
Go to your Magento 2 install dir/pub/.htaccess and open .htaccess in a text editor.
Use the following code in your .htaccess file:
<Files cron.php>
    AuthType Basic
    AuthName "Cron Authentication"
    AuthUserFile /usr/local/apache/password/passwords
    Require valid-user
</Files>
Optionally, group access for cron. Use this code in your .htaccess file:
<Files cron.php>
    AuthType Basic
    AuthName "Cron Authentication"
    AuthUserFile /usr/local/apache/password/passwords
    AuthGroupFile <path-to-your-group-file>
    Require group <group-name>
</Files>
Save your changes and restart Apache service using this command: service httpd restart
Verifying Cron is Secure
You can verify whether pub/cron.php is working, and whether it is creating rows in the cron_schedule database table. When you run cron for the first time from the web browser, the cron_schedule table is updated, but pub/cron.php requests run at the configured schedule.
For cron verification, log in to your Magento 2 database as a user with root privileges and use this command:
mysql -u magento -p
Select your Magento 2 database:
use <database-name>;
Now delete all rows from the cron_schedule table:
TRUNCATE TABLE cron_schedule;
Now run cron in the browser, for example:
http://yourm2store.com/pub/cron.php?group=default
When you open the URL, you see an authentication popup on your screen; enter the authorized user's name and password.
Verify whether rows were added to the table by going to phpMyAdmin or your MySQL manager and using the following query:
SELECT * FROM cron_schedule;
If some rows are returned, then you are done with the verification.
Run cron from your web browser
You can run cron using your web browser at any time, e.g. during development. Do not run cron in a web browser without security; remove the restrictions from .htaccess as follows.
Log in to your Magento 2 server with a user that has permissions to write to the Magento 2 file system.
Find the following code in your .htaccess file and comment it out:
## Deny access to cron.php
<Files cron.php>
    order allow,deny
    deny from all
</Files>
Example:
## Deny access to cron.php
#<Files cron.php>
#    order allow,deny
#    deny from all
#</Files>
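As an added example (not code from this post or from Magento), a small Python audit that reads a pub/.htaccess and reports which of the three states above cron.php is in: denied to browsers, protected by the Basic-auth block, or left open because the block is missing or commented out. It also checks that AuthUserFile points outside the document root, as the password-file step requires; the docroot path passed in is an assumption.

```python
# Added example (not from the forum post or Magento): audit the <Files cron.php> block.
import re
FILES_BLOCK = re.compile(r"<Files\s+cron\.php\s*>(.*?)</Files>", re.I | re.S)

def cron_directives(htaccess_text):
    """Active directives inside every <Files cron.php> block of the text."""
    # Drop '#' comment lines first so a commented-out block is not matched.
    live = "\n".join(line for line in htaccess_text.splitlines()
                     if not line.strip().startswith("#"))
    directives = []
    for match in FILES_BLOCK.finditer(live):
        directives += [line.strip() for line in match.group(1).splitlines()
                       if line.strip()]
    return directives

def classify_cron_access(htaccess_text):
    """'denied' (deny from all), 'basicauth' (htpasswd) or 'open' (alert)."""
    lowered = [d.lower() for d in cron_directives(htaccess_text)]
    if any(d.startswith("deny from all") for d in lowered):
        return "denied"
    has_auth = (any(d.startswith("authtype basic") for d in lowered)
                and any(d.startswith("authuserfile ") for d in lowered)
                and any(d.startswith("require ") for d in lowered))
    return "basicauth" if has_auth else "open"

def auth_user_file(htaccess_text):
    """Path given to AuthUserFile, or None when the block has none."""
    for d in cron_directives(htaccess_text):
        if d.lower().startswith("authuserfile "):
            return d.split(None, 1)[1].strip()
    return None

def password_file_outside_docroot(htaccess_text, docroot):
    """True when the htpasswd file is not under the served web root."""
    path = auth_user_file(htaccess_text)
    return path is not None and not path.startswith(docroot.rstrip("/") + "/")

# Constructed sample: deny block commented out, Basic auth block active.
SAMPLE_PROTECTED = """## Deny access to cron.php
#<Files cron.php>
#    order allow,deny
#    deny from all
#</Files>
<Files cron.php>
    AuthType Basic
    AuthName "Cron Authentication"
    AuthUserFile /usr/local/apache/password/passwords
    Require valid-user
</Files>
"""
```

Run classify_cron_access over the contents of pub/.htaccess after each change to confirm the file is in the state you intended, and treat "open" as the result to alert on.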
-
I did what you had recommended for my Magento project but it's still not working. I am now considering outsourcing development of the entire project as it will save my time.
-
This topic discusses securing pub/cron.php to prevent it from being used in a malicious exploit. If you don’t secure cron, any user could potentially run cron to attack your Magento application.
The Magento cron job runs a number of scheduled tasks and is a vital part of your Magento configuration. Scheduled tasks include, but are not limited to: