MODX Revolution, like all CMS's, could be exploited by unscrupulous individuals. Here are some adjustments to make your MODX install more robust and harder to hack.
Prepare current MODX
Clear the cache and sessions via Manager
On your source installation, log into Manager then do the following:-
- Manage → Clear Cache
- Manage → Logout All Users
Clear the cache via SSH
SSH into your source webserver. Change directory to your source MODX install.
Some cache files will still be there, we want to remove them all. Be careful of this command.
rm -rf core*/cache/*
Dump the database
We want to have a safe copy of our database.
Make sure you have the database name, user and password. These details can be found in core*/config/config.inc.php.
Now dump the database, making sure you replace database_user and database_name with your database name and user name.
mysqldump -u database_user -p database_name > database_name.sql
Backup existing set-up
Plan for the worst by backing-up your current install
Use tar to make a safe backup of your files, just in case!
tar -cvzf backup.tar.gz .
If for some reason you have files or folders that you want to exclude from the backup, you can use
tar -cvzf backup.tar.gz . --exclude='myfolder'
You can copy or move the archive file into another directory or download it using a ftp program.
Before we start, we need to make sure that your current MODX installation is backed-up.
Admin username & password
To prevent unwaned access, make sure you change the default Manager username and the password.
Log into Manager, then do the following:-
- From the toolbar select Manage → Users
- Right click your Admin user and select Update user
- Enter a hard to guess Username
- Tick the New Password checkbox and enter a complicated password
- Click Save
Change default paths
Changing the names of the main MODX folders will make it harder for hackers to profile your site or gain access to it.
One method is to append a unique complicated string of chatacters to the end of each path. Or you could change the folder names completely.
mv assets assets38r7ld6u8uupq91tzl3sefw4 mv connectors connectorsd229ylgr1oll58tzgm04ya9g mv core core709vg5tmcpvo4oyomre9rvmp mv manager managerbts6x3q51z39avdb2m04685q
Update config files
Update config.inc.php with your new folder names.
Make sure you have updated all of the following variables:-
Change database prefix
A unique database prefix will make SQL injection attacks much more difficult.
Dump database file.
mysqldump -u database_user -p database_name > convert.sql
Update database file.
Dowload convert.sql and open in a text editor.
The default database prefix is modx_. Choose your own unique database prefix. Then do a find replace on modx_ with your own prefix.
Save convert.sql and upload it.
Import database file
In cPanel, DROP the database, and create a new one with the same name. Make sure you add your database user to it too.
Import the modified convert.sql back into your database
mysql -u database_user -p database_name < convert.sql
Update config file
Update config.inc.php with the new database table prefix.
Make sure you have updated the
Protect core directory
Ideally you should place your core MODX directory inside a non public accessable folder. However, this can be tricky, especially when using a shared host.
Instead, you can prevent unwanted access of this folder by placing a .htaccess file inside the core directory.
Go to your core directory and create a new .htaccess file, if one doesn't already exist.
cd core* touch .htaccess
Set the correct permissions on it.
chmod 644 .htaccess
Open the .htaccess file in your favourite text editor and paste in the following contents.
# for Apache 2.4 <ifModule mod_authz_core.c> Require all denied </ifModule> # for Apache 2.2 <ifModule !mod_authz_core.c> deny from all Satisfy All </ifModule> # for Apache 2.2 and 2.4 IndexIgnore *
Run MODX setup
Now that your MODX has been hardened, you should run setup to make sure everything is working properly.
You will need to download the setup folder for your version of MODX. This will enable you to run the setup utility to iron out any issues with the transfer of your site.
Find the version of MODX you are using and download it directly onto your server. Make sure you replace the version below with your actual version.
wget https://modx.com/download/direct?id=modx-2.7.3-pl.zip --no-check-certificate --content-disposition
Unzip the file.
For ease of use, rename the extracted folder to something shorter, like modx.
mv modx-2.7.3-pl modx
Now copy the setup folder from the modx directory to your main directory. If rsync is new to you, take a look at this useful rsync guide and consider using the
rsync -avP modx/setup/ setup/
Depending on how your server is configured, you may need to set the permissions of the setup directory.
chmod -R 755 setup
Visit the setup url - yourdomain.com/setup
Follow the instructions, making sure you select Upgrade Existing Install
Once complete, log-in to the Manager to check that everything is working as it should.
Once working, remove the the unwanted files and directories that we created during this process.
rm modx-2.7.3-pl.zip rm backup.tar.gz rm database_name.sql rm -rf setup rm -rf modx
Inspired by Harden your MODX install.
Here are some of our other MODX articles.