How to harden your MODX Revolution installation

Published: 2 months, 2 weeks ago

An article tagged as: linux, modx


Overview

MODX Revolution, like any CMS, can be exploited by unscrupulous individuals. Here are some adjustments that make a MODX install more robust and harder to attack.

Prepare current MODX

Before we start, we need to make sure that your current MODX installation is backed up.

Clear the cache and sessions via Manager

On your source installation, log into the Manager, then do the following:-

  • Manage → Clear Cache
  • Manage → Logout All Users

Clear the cache via SSH

SSH into your source webserver. Change directory to your source MODX install.

Some cache files will still be there; we want to remove them all. Be careful with this command: run it only from the root of your MODX install, so that the core*/cache/ glob matches the cache directory you intend and nothing else.

$ rm -rf core*/cache/*

Dump the database

We want to have a safe copy of our database.

Make sure you have the database name, user and password. These details can be found in core*/config/config.inc.php.

Now dump the database, making sure you replace database_user and database_name with your database user name and database name.

$ mysqldump -u database_user -p database_name > database_name.sql

Backup existing set-up

Plan for the worst! So let's back up your current set-up.

Use tar to make a safe backup of your files, just in case! Run it from the MODX root; GNU tar notices that backup.tar.gz is the archive it is writing and skips it rather than archiving it into itself.

$ tar -cvzf backup.tar.gz .

If for some reason you have files or folders that you want to exclude from the backup, you can use --exclude. Note that the pattern is not anchored, so 'myfolder' excludes a directory of that name at any depth, not just the top level:

$ tar -cvzf backup.tar.gz . --exclude='myfolder'

You can download this archive using an FTP client such as FileZilla. Prefer SFTP over plain FTP where your host offers it: the archive contains config.inc.php, and with it your database credentials.

Harden MODX

Set admin username

Log into the Manager, then do the following:-

  • From the toolbar select Manage → Users
  • Right-click your admin user and select Update User
  • Enter a hard-to-guess username and select Save

Change default paths

Changing the names of the main MODX folders makes it harder for attackers to profile your site (the default paths identify it as MODX at a glance) or gain access to it.

One method is to append a unique, complicated string of characters to the end of each path. Alternatively, you could change the folder names completely.

$ mv assets assets38r7ld6u8uupq91tzl3sefw4
$ mv connectors connectorsd229ylgr1oll58tzgm04ya9g
$ mv core core709vg5tmcpvo4oyomre9rvmp
$ mv manager managerbts6x3q51z39avdb2m04685q

Update config files

Update config.inc.php with your new folder names. Note that the root config.core.php, and the copies of it in the manager and connectors directories, also hard-code the core path (MODX_CORE_PATH), so update those as well if you renamed core, or the Manager will not be able to find the core.

$ nano core*/config/config.inc.php

Make sure you have updated all of the following variables:-

  • $modx_core_path
  • $modx_processors_path
  • $modx_connectors_path
  • $modx_connectors_url
  • $modx_manager_path
  • $modx_manager_url
  • $modx_assets_path
  • $modx_assets_url

Change database prefix

A non-default table prefix makes SQL injection harder to exploit, because attacks and automated tools that assume the default modx_ table names have to discover the prefix first. It does not fix an underlying injection flaw, so treat it as one layer of defence rather than a cure.

Dump database file

$ mysqldump -u database_user -p database_name > convert.sql

Update database file

Download convert.sql and open it in a text editor.

The default database prefix is modx_. Choose your own unique database prefix, then do a find & replace of `modx_` with your own prefix. Restrict the replacement to table names (the backtick-quoted identifiers in CREATE TABLE, INSERT INTO, LOCK TABLES and ALTER TABLE statements); a blind replace across the whole file also changes any content, setting or session data that happens to contain the text modx_.

Save convert.sql and upload it.
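The find & replace is the step most likely to go wrong, since the old prefix can also appear inside stored content. The following Python script is an added example, not part of the original article: it rewrites the prefix only in backtick-quoted identifiers, copies string literals through untouched (including any backticks inside them), and provides a post-rewrite check that no CREATE TABLE still uses the old prefix. The sample dump excerpt and the new prefix site_k3q_ are constructed placeholders.

```python
import re
# Tokens that change parsing state: a string-literal quote or an identifier backtick.
_SPECIAL = re.compile(r"[`'\"]")
# Constructed mysqldump-style excerpt: the stored chunk body names a table inside a
# string literal, and that text must survive the rewrite untouched.
SAMPLE_DUMP = (
    "CREATE TABLE `modx_site_htmlsnippets` (`id` int(10) unsigned NOT NULL, PRIMARY KEY (`id`));\n"
    "INSERT INTO `modx_site_htmlsnippets` VALUES (1,'Don\\'t edit: SELECT * FROM `modx_site_content`');\n"
)
def _skip_string(sql, i):
    """Index just past the string literal opening at sql[i] (handles \\-escapes and '')."""
    quote, j, n = sql[i], i + 1, len(sql)
    while j < n:
        if sql[j] == "\\":
            j += 2
        elif sql[j] == quote:
            if sql.startswith(quote, j + 1):
                j += 2
            else:
                return j + 1
        else:
            j += 1
    return n  # unterminated literal: the rest is copied verbatim

def rewrite_prefix(sql, old="modx_", new="site_k3q_"):
    """Rename backtick-quoted identifiers with prefix old to prefix new; literals untouched."""
    out, i, n = [], 0, len(sql)
    while i < n:
        m = _SPECIAL.search(sql, i)
        if m is None:
            out.append(sql[i:])
            break
        out.append(sql[i:m.start()])
        i = m.start()
        if sql[i] == "`":  # identifier: the only place we rewrite
            j = sql.find("`", i + 1)
            if j == -1:
                out.append(sql[i:])
                break
            name = sql[i + 1:j]
            out.append("`" + (new + name[len(old):] if name.startswith(old) else name) + "`")
            i = j + 1
        else:  # string literal: copy verbatim, including any backticks inside it
            j = _skip_string(sql, i)
            out.append(sql[i:j])
            i = j
    return "".join(out)

def tables_with_prefix(sql, prefix):
    """Tables CREATEd in the dump whose name still starts with prefix (post-rewrite check)."""
    return [t for t in re.findall(r"CREATE TABLE `([^`]+)`", sql) if t.startswith(prefix)]
```

To apply it to the real dump, read convert.sql into a string, pass it through rewrite_prefix with your chosen prefix, write the result back out, and confirm tables_with_prefix(result, "modx_") is empty before importing.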

Import database file

In cPanel, DROP the database and create a new one with the same name. Make sure you add your database user to it again, with the same privileges as before.

Import the modified convert.sql back into your database:

$ mysql -u database_user -p database_name < convert.sql

Update config file

Update config.inc.php with the new database table prefix.

$ nano core*/config/config.inc.php

Make sure you have updated the following variable:-

  • $table_prefix

Run MODX setup

Now that your MODX has been hardened, you should run setup to make sure everything is working properly.

Download MODX

You will need to download the setup folder for your version of MODX.

Find the version of MODX you are using and download it directly onto your server. Make sure you replace the version below with your actual version. The --no-check-certificate flag turns off TLS certificate verification for the download; leave it out unless the download genuinely fails because your server's CA bundle is out of date, and in that case fix the CA bundle rather than skipping the check.

$ wget https://modx.com/download/direct?id=modx-2.5.7-pl.zip --no-check-certificate --content-disposition

Unzip the file.

$ unzip modx-2.5.7-pl.zip

For ease of use, rename the extracted folder to something shorter, like modx.

$ mv modx-2.5.7-pl modx

Now copy the setup folder from the modx directory to your main directory. If rsync is new to you, take a look at this useful article and consider using the --dry-run option.

$ rsync -avP modx/setup/ setup/

Run setup

Depending on how your server is configured, you may need to set the permissions of the setup directory:

$ chmod -R 755 setup

Visit the setup URL: yourdomain.com/setup

Follow the instructions, making sure you select Upgrade Existing Install.

Once complete, log in to the Manager to check that everything is working as it should.

Clean-up

Once working, remove the following files and directories. The setup directory in particular must not be left behind, since it exposes the installer to the web; the archive and SQL dump contain your configuration and data and should not sit in a web-accessible directory either:

  • modx-2.5.7-pl.zip
  • backup.tar.gz
  • database_name.sql
  • setup
  • modx
