How to make .PHP file only accessible to the server

Posted 2019-05-07 02:18

I created a cron job through the GoDaddy control center.

The cron job is in the folder "cron jobs".

I don't want anyone to be able to run it. How should I set the permissions of the folder so that it can't be publicly opened but can still be used for the cron job?

Will unchecking Public > Read be enough to prevent anyone from running it?

5 answers
戒情不戒烟
#2 · 2019-05-07 02:34

In .htaccess add this.

<Location /cronjobs>
order deny,allow
deny from all
allow from 127.0.0.1
</Location>

I included allow from 127.0.0.1 so it can be run from the server, i.e. so the cron can still run.

戒情不戒烟
#3 · 2019-05-07 02:36

Put it in a directory, and in that directory create a file called .htaccess with this inside:

<FILESMATCH "\.php$">
  order deny,allow
  deny from all
</FILESMATCH>

Now only the server can access PHP files inside that directory, for example by include or require.

This is useful for keeping your MySQL password safe: you can put the connection function inside a PHP file in this "protected" directory and include it into your scripts.

你好瞎i
#4 · 2019-05-07 02:37

Another possible solution, if the file is meant to be used exclusively as an include() and not run standalone by a user who enters it in the URL.

Place this code at the top of the file you want to block direct calling of.

if (basename($_SERVER['PHP_SELF']) == 'blockedFile.php') {
    header('Location: ./index.php');
    exit();
}

PHP checks if the file's name is the one being run directly. If blockedFile.php were included in index.php with include() then basename($_SERVER['PHP_SELF']) would equal index.php. If it were standalone, it would equal blockedFile.php and send the user back to the index page.

地球回转人心会变
#5 · 2019-05-07 02:42

One option that you have is to use the $_SERVER values to see if it is a web request or a CLI request.

See http://php.net/manual/en/reserved.variables.server.php

I would look at checking to see if the $_SERVER['argv'] value is set at the start of your script(s). If it's not set then exit the script.

Alternatively you can check to see if $_SERVER['SERVER_ADDR'] is set, which would mean it's being executed by the webserver.

Note that I don't have a GoDaddy account handy to test this, so ensure you verify before going live.

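One way to implement the CLI-versus-web check from the answer above, as an added example that is not part of the original thread: it keys on PHP_SAPI and on the request variables a web server sets, because the PHP manual notes that `$_SERVER['argv']` holds the query string on GET requests when register_argc_argv is enabled, so argv alone does not prove a command-line run. The function names and sample values are hypothetical, and accepting the CGI binary for cron is an assumption about shared hosting.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether this process was started from a shell/cron rather than
 * by the web server. $sapi and $server are parameters so the logic can be
 * exercised with constructed values; in production pass PHP_SAPI and $_SERVER.
 */
function is_cli_invocation(string $sapi, array $server): bool
{
    // Variables a web server sets for every HTTP request (CGI/1.1 metadata).
    $webMarkers = ['REQUEST_METHOD', 'REMOTE_ADDR', 'GATEWAY_INTERFACE'];
    foreach ($webMarkers as $key) {
        if (!empty($server[$key])) {
            return false;           // any marker present: treat as web request
        }
    }
    // The CLI binary is the normal case. Assumption: some shared hosts run
    // cron through the CGI binary, so accept it once no web marker is present.
    return $sapi === 'cli' || strncmp($sapi, 'cgi', 3) === 0;
}

/** Call first in the cron script: answer 404 and stop on any web request. */
function require_cli(): void
{
    if (!is_cli_invocation(PHP_SAPI, $_SERVER)) {
        http_response_code(404);    // do not reveal that the script exists
        exit;
    }
}

// Constructed inputs showing why argv alone is not a safe signal.
$samples = [
    'cron via php-cli'    => ['cli', ['argv' => ['job.php'], 'argc' => 1]],
    'cron via php-cgi'    => ['cgi-fcgi', ['argv' => ['job.php']]],
    'browser, argv set'   => ['cgi-fcgi', ['argv' => ['x=1'], 'REQUEST_METHOD' => 'GET',
                              'REMOTE_ADDR' => '203.0.113.7']],
    'browser via mod_php' => ['apache2handler', ['REQUEST_METHOD' => 'GET']],
];
foreach ($samples as $label => [$sapi, $server]) {
    printf("%-22s %s\n", $label, is_cli_invocation($sapi, $server) ? 'run' : 'block');
}
```

The check fails closed: a shell that happens to export REQUEST_METHOD or REMOTE_ADDR is treated as a web request and blocked.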
我欲成王,谁敢阻挡
#6 · 2019-05-07 02:50

Just put the files outside of the webroot/document root folder.
