Overview
MODX Revolution, like any CMS, can be attacked by unscrupulous individuals. Here are some adjustments that make a MODX install more robust and harder to compromise.
Prepare current MODX
Clear the cache and sessions via Manager
On your source installation, log into Manager then do the following:-
- Manage → Clear Cache
- Manage → Logout All Users
Clear the cache via SSH
SSH into your source webserver. Change directory to your source MODX install.
Some cache files will still be there; we want to remove them all. Be careful with this command: rm -rf deletes without asking, so check you are in the right directory first.
rm -rf core*/cache/*
Dump the database
We want to have a safe copy of our database.
Make sure you have the database name, user and password. These details can be found in core*/config/config.inc.php.
Now dump the database, making sure you replace database_user and database_name with your database name and user name.
mysqldump -u database_user -p database_name > database_name.sql
Backup existing set-up
Plan for the worst by backing up your current install.
Use tar to make a safe backup of your files, just in case!
tar -cvzf backup.tar.gz .
If for some reason you have files or folders that you want to exclude from the backup, you can use --exclude
tar -cvzf backup.tar.gz . --exclude='myfolder'
You can copy or move the archive file into another directory or download it using a ftp program.
Before going any further, confirm that your current MODX installation is backed up and that the archive and database dump are stored somewhere safe.
Harden MODX
Admin username & password
To prevent unwanted access, make sure you change the default Manager username and the password.
Log into Manager, then do the following:-
- From the toolbar select Manage → Users
- Right click your Admin user and select Update user
- Enter a hard to guess Username
- Tick the New Password checkbox and enter a complicated password
- Click Save
Change default paths
Changing the names of the main MODX folders will make it harder for hackers to profile your site or gain access to it.
One method is to append a unique, complicated string of characters to the end of each path. Or you could change the folder names completely.
mv assets assets38r7ld6u8uupq91tzl3sefw4
mv connectors connectorsd229ylgr1oll58tzgm04ya9g
mv core core709vg5tmcpvo4oyomre9rvmp
mv manager managerbts6x3q51z39avdb2m04685q
Update config files
Update config.inc.php with your new folder names.
nano core*/config/config.inc.php
Make sure you have updated all of the following variables:-
$modx_core_path
$modx_processors_path
$modx_connectors_path
$modx_connectors_url
$modx_manager_path
$modx_manager_url
$modx_assets_path
$modx_assets_url
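The rename-and-update step above is easy to get wrong by hand (one missed $modx_* variable leaves the site broken), so here is an added example script, not code from the original article or from the MODX project, that does both in one go. It generates a random suffix, rewrites every $modx_* line in core/config/config.inc.php before the folders move, and then renames assets, connectors, core and manager. It assumes the stock config.inc.php layout, where each variable holds a path ending in the folder name, such as $modx_core_path= '/var/www/html/core/';.

```shell
#!/bin/sh
# Added example (not from the original article): rename the four MODX
# folders with one random suffix and rewrite the matching $modx_* entries
# in core/config/config.inc.php. Run from the MODX web root.
# Assumes the stock config.inc.php layout, e.g.
#   $modx_core_path= '/var/www/html/core/';
set -eu

# Generate a random lowercase suffix of the requested length (default 20).
random_suffix() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "${1:-20}"
}

# harden_paths <modx_root> [suffix]
# Rewrites every $modx_*_path / $modx_*_url line in config.inc.php, then
# renames assets/, connectors/, core/ and manager/ under <modx_root>.
# Prints the suffix it used so it can be recorded somewhere safe.
harden_paths() {
    root=$1
    suffix=${2:-$(random_suffix 20)}
    config="$root/core/config/config.inc.php"
    [ -f "$config" ] || { echo "config not found: $config" >&2; return 1; }

    # Rewrite the config first, while it still sits at the known path.
    for name in assets connectors core manager; do
        # Only touch $modx_ lines; replace "/core/" with "/core<suffix>/" etc.
        # The processors path contains /core/ as well, so it is updated too.
        sed "/^[\$]modx_/ s#/${name}/#/${name}${suffix}/#g" "$config" \
            > "$config.tmp" && mv "$config.tmp" "$config"
    done

    # Now move the folders themselves.
    for name in assets connectors core manager; do
        mv "$root/$name" "$root/$name$suffix"
    done
    echo "$suffix"
}

# Usage from the MODX web root:  harden_paths "$(pwd)"
```

Keep the printed suffix: it is the only record of the new folder names, and you will need it again for the setup run and for any deployment scripts that reference the old paths.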
Change database prefix
A non-default database prefix makes automated SQL injection attacks that assume the standard modx_ table names much more difficult.
Dump database file.
mysqldump -u database_user -p database_name > convert.sql
Update database file.
Download convert.sql and open it in a text editor.
The default database prefix is modx_. Choose your own unique database prefix, then do a find and replace on modx_ with your own prefix. Check that the string modx_ does not also appear inside page content or setting values, because a blind replace will change those too.
Save convert.sql and upload it.
Import database file
In cPanel, DROP the database, and create a new one with the same name. Make sure you add your database user to it too.
Import the modified convert.sql back into your database
mysql -u database_user -p database_name < convert.sql
Update config file
Update config.inc.php with the new database table prefix.
nano core*/config/config.inc.php
Make sure you have updated the $table_prefix variable.
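A plain find and replace on modx_ also rewrites any page content or setting value that happens to contain that string. The following added script, not part of the original article or of MODX itself, rewrites only backtick-quoted identifiers such as `modx_site_content` in the dump, which is how mysqldump writes table and column names, and leaves row data alone. It assumes a standard mysqldump file and the default modx_ prefix; the count helper lets you confirm the old prefix is gone before importing.

```shell
#!/bin/sh
# Added example (not part of the original article): change the table prefix
# in a mysqldump file by rewriting only backtick-quoted identifiers such as
# `modx_site_content`, so text inside row data that happens to contain
# "modx_" is left untouched. Assumes a stock mysqldump (identifiers quoted
# with backticks) and the default prefix modx_.
set -eu

# reprefix_dump <in.sql> <out.sql> <new_prefix>
# Writes a copy of <in.sql> with every `modx_... identifier renamed to
# `<new_prefix>...; row contents are not changed.
reprefix_dump() {
    in=$1; out=$2; new=$3
    case $new in
        *_) ;;
        *) echo "prefix should end with an underscore: $new" >&2; return 1 ;;
    esac
    # The leading backtick anchors the match to an identifier, not free text.
    sed 's/`modx_/`'"$new"'/g' "$in" > "$out"
}

# count_identifiers <dump.sql> <prefix>
# Counts backtick-quoted identifiers that start with <prefix>; use it to
# confirm the old prefix is gone and the new one is present.
count_identifiers() {
    grep -o '`'"$2"'[A-Za-z0-9_]*`' "$1" | wc -l | tr -d ' '
}

# Demo on a constructed three-line dump:  sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    cat > "$work/convert.sql" <<'EOF'
CREATE TABLE `modx_site_content` (`id` int(10) unsigned NOT NULL);
INSERT INTO `modx_site_content` VALUES (1,'Why the modx_ prefix matters');
CREATE TABLE `modx_users` (`id` int(10) unsigned NOT NULL);
EOF
    reprefix_dump "$work/convert.sql" "$work/converted.sql" "qz9k_"
    echo "old-prefix identifiers left: $(count_identifiers "$work/converted.sql" modx_)"
    echo "new-prefix identifiers:      $(count_identifiers "$work/converted.sql" qz9k_)"
    cat "$work/converted.sql"
fi
```

Run reprefix_dump on the dump taken in the previous step, confirm count_identifiers reports 0 for modx_, then import the output file with mysql as described above and set $table_prefix to the same new prefix.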
Protect core directory
Ideally you should place your MODX core directory in a folder that is not publicly accessible (outside the web root). However, this can be tricky, especially on a shared host.
Instead, you can prevent unwanted access of this folder by placing a .htaccess file inside the core directory.
Go to your core directory and create a new .htaccess file, if one doesn't already exist.
cd core*
touch .htaccess
Set the correct permissions on it.
chmod 644 .htaccess
Open the .htaccess file in your favourite text editor and paste in the following contents.
# for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>
# for Apache 2.2 and 2.4
IndexIgnore *
Run MODX setup
Now that your MODX has been hardened, you should run setup to make sure everything is working properly.
Download MODX
You will need to download the setup folder for your version of MODX. This will enable you to run the setup utility to iron out any issues with the transfer of your site.
Find the version of MODX you are using and download it directly onto your server. Make sure you replace the version below with your actual version. Note that --no-check-certificate disables TLS certificate verification for the download; leave it out unless the download fails because your server cannot validate the certificate.
wget https://modx.com/download/direct?id=modx-2.7.3-pl.zip --no-check-certificate --content-disposition
Unzip the file.
unzip modx-2.7.3-pl.zip
For ease of use, rename the extracted folder to something shorter, like modx.
mv modx-2.7.3-pl modx
Now copy the setup folder from the modx directory to your main directory. If rsync is new to you, take a look at this useful rsync guide and consider using the --dry-run option.
rsync -avP modx/setup/ setup/
Run setup
Depending on how your server is configured, you may need to set the permissions of the setup directory.
chmod -R 755 setup
Visit the setup url - yourdomain.com/setup
Follow the instructions, making sure you select Upgrade Existing Install
Once complete, log-in to the Manager to check that everything is working as it should.
Clean-up
Once everything is working, remove the unwanted files and directories that we created during this process.
rm modx-2.7.3-pl.zip
rm backup.tar.gz
rm database_name.sql
rm -rf setup
rm -rf modx
Further information
Inspired by Harden your MODX install.