Can't you just put the script off of any domain root so it's not accessible via the web?

Yes rocknbil. I thought in that. I'll try it and comment it soon. Thanks.-

The truth is that the script really is a wordpress page. So it must be accessed trough a public path.

My first thought would be in the script, test the environment variables for anything that indicates a public request - like REQUEST_FILENAME, QUERY_STRING, or so on. If found, exit immediately. Often these can be spoofed or not actually sent by web clients, so you'll have to check what variables are incoming, etc. Or you could check the user of the script - the user should be root (I think, which is what executes cron) and any others - apache, nobody, whatever - and disallow if any user other than root requests it.

There may be a better PHP-ish way to prevent this, but overall this should work.

Thanks rocknbil.

Yes, I did tried the recognition of the user and I am not sure of the results. I did the test with exec("whoami") (storing value with wp:update_site_option()) while running through cron, but then I realized of another problems. And I forgot check the results.

I have a private directory /private_path/cron.php (700)
and run cron like me (nomikos) not root.

* * * * * /usr/bin/wget -q -t 1 --delete-after [localhost.localdomain...]

Anyway, I must go out now. Thanks again rocknbil. I will succed! And show it here.

Bye.-

You just need to add this code as the first line of your php file to prevent access from the web

if ($_SERVER["REMOTE_ADDR"] != $_SERVER["SERVER_ADDR"]) die("Invalid Request");

What a cool idea!
I will try it...

Yes, it works perfectly.
Thanks.---

..

[edited by: g1smd at 10:39 am (utc) on Sep. 7, 2009]

For your cron job, you might not need to state the HTTP method or domain name.

I use:

08,38 * * * * /usr/bin/php /var/www/example.com/autoscripts/script7version5.php >> /home/username/logfiles/script7.log

I never run scripts on the quarters. Think about shared-server load.

"I never run scripts on the quarters. Think about shared-server load."
>> OK. good advice.

"08,38 * * * *"
>> * * * * * was only as example.

As I said g1smd, I run a WP script. Finally I did it like this:

if ($_GET['delivery_now']) 
{ 
  # only run from local enviroment 
  if ($_SERVER['REMOTE_ADDR'] != $_SERVER['SERVER_ADDR']) 
  { 
    die('Invalid Request'); 
  } 
   
  $time = time(); 
  $time = date('H:i:s:n:j:Y', $time); 
  $time = explode(':', $time); 
  $today_delivery = mktime(0, 0, 0, $time[3], $time[4], $time[5]); 
  # only one delivery for day 
  if ($today_delivery == get_site_option('celebrations_last_delivery')) 
  { 
    die('Delivery Already Sent'); 
  } 
  update_site_option('celebrations_last_delivery', $today_delivery); 
  # OK, run it       
  daily_function(); 
} 
Question: 
You say that it is possible: 
* * * * * /usr/bin/php /var/www/html/wpmu/index.php?delivery_now=1 
and if it not accept QUERY_STRING, at least: 
* * * * * /usr/bin/php /var/www/html/wpmu/delivery_now.php 
where delivery_now.php being: 
header('location: http : //localhost.localdomain/wpmu/index.php?delivery_now=1');

If it is, believe me, I will spend some time experimenting.