After successful installation of Drupal, it is a good practice to put some extra security in place. I did not see it anywhere in Drupal documentation and I get this question all the time so here is the solution:

Once you finish Drupal installation, secure the cron, install and update scripts so that they are only accessible from localhost. Put the following snippet at the end of the .htaccess file in your Drupal installation:

<FilesMatch "[cron|install|update]\.php">
        Order deny,allow
        #Allow from your_public_ips here
        Allow from
        Deny from all