By default, anyone can run cron.php on a Drupal 6 installation: everyone with access to your website can request the file. Since cron.php is used for maintenance, it makes sense to prevent it from being run arbitrarily; whether or not an outsider running it can cause damage is merely a side issue.
If you have configured the cron daemon on your server to run the cron.php file, a few lines in your .htaccess file can ensure that the file is protected from being run by others. You can secure your cron script by simply adding the following lines to the .htaccess file in your Drupal install root folder:
<Files "cron.php">
  Order deny,allow
  Allow from xxx.xxx.xxx.xxx
  Deny from all
</Files>
Replace xxx.xxx.xxx.xxx with the public IP address of your server or the IP address of the machine which you will permit to run cron. These directives match any request for "cron.php" and allow it only if it comes from the allowed IP address.
If you plan to run the cron script from other locations, then feel free to add more "Allow from" directives with the appropriate IP addresses, domain names, or host names as necessary.
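As an added example (not part of the original tutorial), this Python sketch models how Apache evaluates the Order, Allow and Deny directives in the block above, so you can check which client IPs would reach cron.php before deploying a change. The IP addresses and function names are constructed for illustration, and the model handles only "all", full IP addresses and CIDR ranges, not host names or partial IPs.

```python
import ipaddress
import re

# Constructed sample: the block from this page with a documentation IP filled in.
SAMPLE_HTACCESS = """\
<Files "cron.php">
  Order deny,allow
  Allow from 203.0.113.10
  Deny from all
</Files>
"""

def parse_files_block(text, filename="cron.php"):
    """Return (order, allow_specs, deny_specs) from the <Files> block for filename."""
    block = re.search(r'<Files\s+"?%s"?\s*>(.*?)</Files>' % re.escape(filename),
                      text, re.S | re.I)
    body = block.group(1) if block else ""      # no block: nothing restricts the file
    order, allow, deny = "deny,allow", [], []   # deny,allow is Apache's default Order
    for line in body.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = "".join(words[1:]).lower()
        elif len(words) >= 3 and words[0].lower() in ("allow", "deny") \
                and words[1].lower() == "from":
            (allow if words[0].lower() == "allow" else deny).extend(words[2:])
    return order, allow, deny

def matches(client, specs):
    """True if the client IP matches any spec: 'all', a full IP, or a CIDR range."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        try:
            if addr in ipaddress.ip_network(spec, strict=False):
                return True
        except ValueError:
            continue   # host names and partial IPs are outside this simplified model
    return False

def status_for(client, htaccess=SAMPLE_HTACCESS):
    """Status a cron.php request from client gets: 200 (served) or 403 (Forbidden)."""
    order, allow, deny = parse_files_block(htaccess)
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "allow,deny":
        return 200 if allowed and not denied else 403   # default deny, Deny match wins
    return 200 if allowed or not denied else 403        # default allow, Allow match wins
```

With the same two rules but "Order allow,deny", every client gets 403, including the allowed address, because a matching Deny then takes precedence.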
After making the changes, if you try to request "cron.php" from an IP address which is not on the allowed list, the server will respond with a 403 Forbidden error. We hope this tutorial on protecting your Drupal cron.php file was helpful.