Magento Expert Forum - Improve your Magento experience


How To Secure cron.php In Magento 2

  1. #1
    [ Contributor ] Wajid Hussain's Avatar
    Join Date
    Nov 2014
    Posts
    204
    Thanks
    3
    Thanked 14 Times in 12 Posts

    How To Secure cron.php In Magento 2

    In this article I’m going to show you how you can secure the cron.php file that is located at pub/cron.php. You may ask: why do I need to secure cron.php? The answer is: when you secure your cron.php, you have secured your Magento 2 store from malicious exploits. If your cron is unsecured, any user can run cron to attack your Magento application.

    Read Complete Tutorial Here: http://www.cloudways.com/blog/how-to...php-magento-2/



  2. #2
    Junior Member
    Join Date
    Mar 2016
    Posts
    20
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Create a password file

    First, you need to create a password file at any place on your web server, except the doc root, with the help of these commands.

    mkdir -p /your/private/directory/password
    htpasswd -c /your/private/directory/password/passwords

    can be the web server user or any other user. I used the web server user as an example, but the choice of the user is up to you. To add another user to your password file, use the following command as a user who has root privileges:

    htpasswd /your/private/directory/password/passwords

    Secure cron in .htaccess file

    Add security for cron in your Magento 2 .htaccess file:

    Log in to your Magento 2 server with the user id of the owner of the Magento 2 file system.
    Go to your Magento 2 install dir/pub/.htaccess and open .htaccess in a text editor.
    Use the following code in your .htaccess file:

    <Files cron.php>
        AuthType Basic
        AuthName "Cron Authentication"
        AuthUserFile /usr/local/apache/password/passwords
        Require valid-user
    </Files>

    Optionally, group access for cron. Use this code in your .htaccess file:

    <Files cron.php>
        AuthType Basic
        AuthName "Cron Authentication"
        AuthUserFile /usr/local/apache/password/passwords
        AuthGroupFile
        Require group
    </Files>

    Save your changes and restart the Apache service using this command: service httpd restart

    Verifying Cron is Secure

    You can verify whether pub/cron.php is working or not, and whether it is creating rows in the cron_schedule database table. When you run cron for the first time from the web browser, the cron_schedule table is updated, but pub/cron.php requests run at the configured schedule.

    For cron verification, log in to your Magento 2 database as a user with root privileges and use this command:

    mysql -u magento -p

    Select your Magento 2 database:

    use ;

    Now delete all rows from the cron_schedule table:

    TRUNCATE TABLE cron_schedule

    Now run cron in the browser, for example:
    http://yourm2store.com/pub/cron.php?group=default. When you open the URL, you see an authentication popup on your screen; enter the authorized user’s name and password.

    Verify whether the rows were added to the table by going to your phpMyAdmin/MySQL manager and using the following query:

    SELECT * from cron_schedule

    If some rows are returned, then you are done with the verification.

    Run cron from your web browser

    You can run cron using your web browser anytime, e.g. during development. Without security, do not run cron in a web browser; remove the restrictions from .htaccess as follows.

    Log in to your Magento 2 server with the user that has permissions to write to the Magento 2 file system.
    Write the following code in your .htaccess file:

    <Files cron.php>
        ## Deny access to cron.php
        order allow,deny
        deny from all
    </Files>

    Example:

    <Files cron.php>
        ## Deny access to cron.php
        #
        #order allow,deny
        #deny from all
        #
    </Files>
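As an added example (not code from this thread or from Magento), here is a small shell check that audits a Magento 2 pub/.htaccess and reports whether cron.php is actually protected, treating the commented-out "deny" example above as unprotected; the function name check_cron_htaccess and the two sample .htaccess files it writes are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Magento 2 pub/.htaccess and report
# whether pub/cron.php is protected. "Protected" means a <Files cron.php> block that
# either requires HTTP auth (AuthType Basic plus a Require line) or denies all access.
# Commented-out directives (as in the "run cron from the browser" example) do not count.
# check_cron_htaccess /path/to/pub/.htaccess -> prints a verdict, exit 0 only if protected
check_cron_htaccess() {
    awk '
    BEGIN { inblk = 0; auth = 0; req = 0; deny = 0; userfile = "" }
    tolower($0) ~ /^[[:space:]]*<files[[:space:]]+"?cron\.php"?[[:space:]]*>/ { inblk = 1; next }
    tolower($0) ~ /^[[:space:]]*<\/files>/ { inblk = 0; next }
    !inblk { next }                                   # only the cron.php block matters
    /^[[:space:]]*#/ { next }                         # skip comments
    tolower($1) == "authtype" && tolower($2) == "basic" { auth = 1 }
    tolower($1) == "authuserfile" { userfile = $2 }
    tolower($1) == "require" && (tolower($2) == "valid-user" || tolower($2) == "group") { req = 1 }
    tolower($0) ~ /^[[:space:]]*deny[[:space:]]+from[[:space:]]+all/ { deny = 1 }
    tolower($0) ~ /^[[:space:]]*require[[:space:]]+all[[:space:]]+denied/ { deny = 1 }
    END {
        if (deny) { print "PROTECTED: cron.php denied to all"; exit 0 }
        if (auth && req) {
            # a password file under pub/ would itself be web-reachable
            if (userfile ~ /\/pub\//) print "WARNING: AuthUserFile lives under pub/: " userfile
            print "PROTECTED: cron.php requires HTTP authentication"; exit 0
        }
        print "UNPROTECTED: no active auth or deny rule for cron.php"; exit 1
    }' "$1"
}

# Constructed sample files for a stand-alone run (not real store configs)
TMP=$(mktemp -d)
cat > "$TMP/protected.htaccess" <<'EOF'
<Files cron.php>
    AuthType Basic
    AuthName "Cron Authentication"
    AuthUserFile /usr/local/apache/password/passwords
    Require valid-user
</Files>
EOF
cat > "$TMP/open.htaccess" <<'EOF'
<Files cron.php>
    ## Deny access to cron.php
    #order allow,deny
    #deny from all
</Files>
EOF
for f in "$TMP/protected.htaccess" "$TMP/open.htaccess"; do
    check_cron_htaccess "$f" || true
done
```

Run it against the real pub/.htaccess after editing; a non-zero exit means the web-reachable cron.php is still open.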

  3. #3
    New member
    Join Date
    Sep 2018
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts

    I did what you have recommended for my Magento project but it's still not working. I am now considering outsourcing development of the entire project as it will save my time.

  4. #4
    Junior Member aishwaryaV's Avatar
    Join Date
    Sep 2018
    Location
    Noida, India
    Posts
    31
    Thanks
    0
    Thanked 1 Time in 1 Post

    1. First, you need to create a password file at any place on your web server, except the doc root, with the help of these commands.

    mkdir -p /your/private/directory/password
    htpasswd -c /your/private/directory/password/passwords

    can be the web server user or any other user. I used the web server user as an example, but the choice of the user is up to you. To add another user to your password file, use the following command as a user who has root privileges:

    htpasswd /your/private/directory/password/passwords

    2. Secure cron in .htaccess file

    Add security for cron in your Magento 2 .htaccess file:

    Log in to your Magento 2 server with the user id of the owner of the Magento 2 file system.
    Go to your Magento 2 install dir/pub/.htaccess and open .htaccess in a text editor.
    Use the following code in your .htaccess file:

    <Files cron.php>
        AuthType Basic
        AuthName "Cron Authentication"
        AuthUserFile /usr/local/apache/password/passwords
        Require valid-user
    </Files>

  5. #5
    Senior Member
    Join Date
    Aug 2018
    Posts
    107
    Thanks
    1
    Thanked 4 Times in 4 Posts


    This topic discusses securing pub/cron.php to prevent it from being used in a malicious exploit. If you don’t secure cron, any user could potentially run cron to attack your Magento application.

    The Magento cron job runs a number of scheduled tasks and is a vital part of your Magento configuration. Scheduled tasks include, but are not limited to:

