Can I protect my CRON scripts from remote users?

Posted 2019-05-14 04:32

I am currently working on a new project which involves using CRON jobs.

The CRON script basically runs an SQL query, generates the data into a file, and sends that file to another server via FTP.

The script is on a live website (www.website.com/sendOrders.php)

I don't see any security issues or threats, and I think it is highly unlikely that anyone will find the PHP script on the server. However I don't want the script to be executed by any outsiders.

Is there a way I can protect this script?

Thanks Peter

5 answers

Melony?
#2 · 2019-05-14 04:44

Why not just move the script outside the Web-root of the server and execute it from CLI? This way there is no chance of anyone else executing it.

If you must have it in the webroot (and there should be no reason for it), just make sure that the client for the request is the server you are running it on, and it should be more than enough.

Bombasti
#3 · 2019-05-14 04:48

Here is my solution:

In cron.php check if some specific header is sent

cron.php

<?php
require_once 'functions.php';
// DEBUG and SECURE_CRON_TOKEN are expected to be defined in a config file

if (secure_cron_script() === false) {
    echo 'Unauthorized';
    return;
}
echo 'OK';

functions.php

<?php
// Token check shared by the web entry point
function secure_cron_script () {
    // Development mode: skip the check entirely
    if (DEBUG)
        return true;

    // HTTP header names are case-insensitive, so normalise before lookup
    $http_headers = array_change_key_case(getallheaders(), CASE_LOWER);
    if (empty($http_headers['x-my-cron-token'])
    || !hash_equals(SECURE_CRON_TOKEN, $http_headers['x-my-cron-token'])) {
        // hash_equals() compares in constant time, unlike !==
        return false;
    }
    return true;
}

How to call cron with curl:

curl --header "X-My-Cron-token: 321123321sd"  https://example.com/cron.php

No IP restriction. No GET/POST. If dev mode, skips restriction. You can put script wherever you want.

放荡不羁爱自由
#4 · 2019-05-14 04:49

You could move your "secret files" into a subfolder, then create a .htaccess file in there that prevents access to that file from everyone, except the server that is running the Cronjob.

Example:

DENY FROM ALL
ALLOW FROM 123.123.123.123

If you have shell access you might also put the scripts outside of the accessible folder and run directly via command line or cronjob like this: php script.php.

我只想做你的唯一
#5 · 2019-05-14 05:02

This seems rather silly. Why have cron on machine A invoke a script via HTTP on machine B, when you could simply have machine B's native scheduling system (whatever OS it happens to be) do the job itself?

Then you could have the script tucked away somewhere that's not accessible via HTTP and render your security problem completely moot.
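Several answers above (#2, #4 and #5) recommend the same thing: run the job from the machine's own scheduler, outside the web root, and never expose it over HTTP; answer #2 adds that if it must stay in the web root, the request should at least come from the server itself. The following added example (not code from any answer on this page) shows how a PHP script can enforce both of those rules itself, so it is harmless even if it is accidentally left reachable. The file name cron_guard.php, the path /var/www/private and the crontab line in the comment are assumptions.

```php
<?php
// cron_guard.php (hypothetical name), kept outside the web root, e.g. in
// /var/www/private (assumed path). Intended to be started by cron, not by Apache:
//
//   # crontab entry (assumed paths and schedule)
//   0 2 * * * /usr/bin/php /var/www/private/sendOrders.php >> /var/log/sendorders.log 2>&1
declare(strict_types=1);

/**
 * True only when the script was started from the command line (crontab, or an
 * admin typing `php sendOrders.php`). Under Apache or PHP-FPM, PHP_SAPI is
 * "apache2handler" / "fpm-fcgi", so a browser request can never pass this test.
 */
function invoked_from_cli(): bool
{
    return PHP_SAPI === 'cli';
}

/**
 * Fallback for the case answer #2 describes, where the job has to stay
 * reachable over HTTP: accept the request only if it originates from the
 * loopback interface. REMOTE_ADDR is set by the web server itself; a
 * client-supplied header such as X-Forwarded-For must not be trusted here.
 */
function request_is_local(array $server): bool
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    return in_array($addr, ['127.0.0.1', '::1'], true);
}

/**
 * Combined decision: run from cron, or from the local machine; otherwise stop.
 * Answering 404 instead of 403 avoids confirming to a scanner that the URL
 * exists at all.
 */
function guard_or_exit(array $server): void
{
    if (invoked_from_cli() || request_is_local($server)) {
        return;
    }
    http_response_code(404);
    exit;
}

guard_or_exit($_SERVER);

// ---- job body: the SQL export and FTP upload the question describes go here ----
```

With the guard at the top of the file, moving the script out of the web root remains the primary control; the CLI check is simply a second layer that costs nothing and makes a stray copy in public_html inert. If the script must be triggered remotely from another host, combine the loopback test with the header-token approach from answer #3 rather than opening it to all clients.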

Rolldiameter
#6 · 2019-05-14 05:10

If the files are in a folder which shouldn't be locked down completely, wrap those lines in <Files whatever.php>...</Files>

<Files "cron.php">
  Order deny,allow
  Allow from name.of.this.machine
  Allow from another.authorized.name.net
  Allow from 127.0.0.1
  Deny from all
</Files>