Cron script

Does it make sense to secure cron.php script from public access with an api key or some kind of password?

It makes sense to put cron scripts outside of the public_html folder where they are not accessible to the public at all and so don’t need an API key or password.

any security would be better that what you seem to have now, a cron.php script (available from the web) and with no password.