Hardening MODX Revolution

How to harden your MODX Revolution installation

Overview

MODX Revolution, like any CMS, is a target for automated scanners and opportunistic attackers. The adjustments below make a MODX install harder to fingerprint and harder to compromise. They complement, but do not replace, keeping MODX and its extras on a supported, patched release.

Prepare current MODX

Clear the cache and sessions via Manager

On your source installation, log into the Manager, then do the following:

  • Manage → Clear Cache
  • Manage → Logout All Users

Clear the cache via SSH

SSH into your source webserver. Change directory to your source MODX install.

Some cache files survive a Manager cache clear, and we want them all gone. Be careful with this command: it deletes everything under the cache directory, and the core* glob also matches a core directory that has already been renamed by an earlier hardening pass, so run it from the MODX web root and nowhere else.

rm -rf core*/cache/*

Dump the database

We want to have a safe copy of our database.

Make sure you have the database name, user and password. They are in core*/config/config.inc.php as $dbase, $database_user and $database_password. Treat that file as a secret: it is everything an attacker needs to connect to your database.

Now dump the database, replacing database_user with your database user and database_name with your database name. mysqldump will prompt for the password. Run it from a directory outside the web root, or move the .sql file out of the web root as soon as it is written, because a dump left under the web root can be downloaded by anyone who guesses its name.

mysqldump -u database_user -p database_name > database_name.sql

Backup existing set-up

Plan for the worst by backing up your current install before changing anything.

Use tar to make a safe backup of your files, just in case. Run it from the MODX web root. GNU tar notices the archive it is writing ("file is the archive; not dumped"), so the command does not recurse into its own output.

tar -cvzf backup.tar.gz .

If for some reason you have files or folders that you want to exclude from the backup, you can use --exclude

tar -cvzf backup.tar.gz . --exclude='myfolder'

Move the archive and the database dump out of the web root straight away, and download them with SFTP or scp rather than plain FTP. Both contain config.inc.php and therefore your database credentials, and while they sit in the web root anyone who guesses the filename can fetch them over HTTP.

Do not start the hardening steps until you have confirmed that the archive lists cleanly and that the dump is complete (mysqldump ends a successful dump with a "Dump completed" comment).

Harden MODX

Admin username & password

To prevent unwanted access, change the Manager administrator username created during setup and give it a strong password. A predictable username turns a brute-force attempt into a pure password-guessing exercise.

Log into the Manager, then do the following:

  • From the toolbar select Manage → Users
  • Right click your Admin user and select Update user
  • Enter a hard to guess Username
  • Tick the New Password checkbox and enter a long, unique password (a password manager is the easy way to get one)
  • Click Save

Change default paths

Changing the names of the main MODX folders makes it harder for scanners to fingerprint your site as MODX and stops them hitting the default /manager/ and /connectors/ URLs. This is obscurity, not a fix: it buys nothing against an attacker who already has a foothold, and it is no substitute for applying updates. Be aware that the Manager login moves to the renamed manager URL, and that any template, snippet or extra with a hard-coded assets, connectors or manager path will need updating.

One method is to append a unique, random string of characters to the end of each path. Or you could change the folder names completely. Either way, generate the strings randomly rather than inventing them.

mv assets assets38r7ld6u8uupq91tzl3sefw4
mv connectors connectorsd229ylgr1oll58tzgm04ya9g
mv core core709vg5tmcpvo4oyomre9rvmp
mv manager managerbts6x3q51z39avdb2m04685q

Update config files

Update config.inc.php with your new folder names. MODX also reads the core location from the small config.core.php files in the web root, in manager and in connectors (the define('MODX_CORE_PATH', ...) line), so update each of those too, or nothing will be able to find the renamed core directory.

nano core*/config/config.inc.php

Make sure you have updated all of the following variables:

  • $modx_core_path
  • $modx_processors_path
  • $modx_connectors_path
  • $modx_connectors_url
  • $modx_manager_path
  • $modx_manager_url
  • $modx_assets_path
  • $modx_assets_url
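Doing the renames and the config edits by hand is error-prone, and the config.core.php files are easy to forget. The script below is an added example, not code from the original article or from MODX, that renames the four directories with random hex suffixes and rewrites the matching paths in core/config/config.inc.php and in the config.core.php files MODX 2.x keeps in the web root, manager and connectors. The function names and the MODX_ROOT variable are this example's own; it assumes the default directory names, a MODX 2.x layout, and that the web root path itself does not contain one of those four directory names. Run it on the server after taking the backup, with the web root as argument.

```sh
#!/bin/sh
# Added example: rename the MODX directories and rewrite the paths that
# point at them. Not part of the original article or of MODX itself.
# Assumes a MODX 2.x layout under WEBROOT with the default directory
# names (assets, connectors, core, manager).

# 24 random hex characters from the kernel RNG; od reads exactly 12
# bytes, so this behaves the same under dash and bash.
random_suffix() {
  od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# replace_dir_name FILE OLD NEW
# Rewrite "/OLD/" to "/NEW/" only on lines that assign a $modx_* path or
# define MODX_CORE_PATH, so other text in the file is left alone. The
# surrounding slashes keep "core" inside "hardcore/" untouched. Written
# via a temp file because sed -i differs between GNU and BSD sed.
replace_dir_name() {
  sed -e "/^[\$]modx_/ s#/$2/#/$3/#g" \
      -e "/MODX_CORE_PATH/ s#/$2/#/$3/#g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_modx_paths WEBROOT [SUFFIX]
# Renames assets, connectors, core and manager under WEBROOT. A fixed
# SUFFIX may be given for repeatable runs; otherwise each directory gets
# its own random one. Prints the old -> new mapping so you can record it.
harden_modx_paths() {
  root=$1
  fixed=${2:-}
  # Refuse to run if the web root path itself contains one of the
  # directory names: the sed above would rewrite that part of the path.
  case "/$root/" in
    */assets/*|*/connectors/*|*/core/*|*/manager/*)
      echo "web root path contains a MODX directory name; edit by hand" >&2
      return 1 ;;
  esac
  for name in assets connectors core manager; do
    [ -d "$root/$name" ] || { echo "missing $root/$name" >&2; return 1; }
  done
  for name in assets connectors core manager; do
    new="$name${fixed:-$(random_suffix)}"
    mv "$root/$name" "$root/$new"
    # config.inc.php lives under the (possibly just renamed) core dir;
    # config.core.php sits in the web root, manager and connectors.
    for f in "$root"/config.core.php "$root"/*/config.core.php \
             "$root"/core*/config/config.inc.php; do
      if [ -f "$f" ]; then
        replace_dir_name "$f" "$name" "$new"
      fi
    done
    printf '%s -> %s\n' "$name" "$new"
  done
}

# Only act when MODX_ROOT is set, so sourcing this file is harmless:
#   MODX_ROOT=/var/www/html sh harden-paths.sh
if [ -n "${MODX_ROOT:-}" ]; then
  harden_modx_paths "$MODX_ROOT"
fi
```

The printed mapping is the only record of the new names, so save it somewhere safe. The script does not touch templates, snippets or extras that hard-code the old paths; grep the site for those separately. Afterwards run setup in Upgrade Existing Install mode as described below, and log in at the new manager URL.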

Change database prefix

A unique table prefix means an attacker cannot rely on the well-known modx_ table names when writing a SQL injection payload. It is a speed bump rather than a wall: once an injection exists the names can still be read from information_schema, and MODX's own queries use whatever prefix is configured, so this does not excuse skipping updates.

Dump the database to a working copy.

mysqldump -u database_user -p database_name > convert.sql

Update the dump file.

Download convert.sql and open it in a text editor.

The default database prefix is modx_. Choose your own unique prefix, using only letters, digits and underscores. Then replace modx_ with your own prefix, but only where it is part of a table name in the DROP TABLE, CREATE TABLE, LOCK TABLES, ALTER TABLE and INSERT INTO statements. A blind find and replace over the whole file will also rewrite any page, chunk or snippet content that happens to contain the text modx_, so review the changes before saving.

Save convert.sql and upload it, keeping it outside the web root.

Import database file

In cPanel, DROP the database and create a new one with the same name. Make sure you add your database user to it again with the same privileges. If you would rather not drop the whole database, dropping just the existing modx_ tables before the import works too.

Import the modified convert.sql back into your database

mysql -u database_user -p database_name < convert.sql

Update config file

Update config.inc.php with the new database table prefix.

nano core*/config/config.inc.php

Make sure you have updated the $table_prefix variable; it must match the new prefix exactly. Then test any extras you rely on, because a badly written extra that hard-codes modx_ in its queries will break at this point.
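The global find and replace is the risky part of this step. The script below is an added example, not code from the original article or from MODX, that changes the prefix only where mysqldump names a table and counts the CREATE TABLE statements before and after so you can see nothing was missed. It goes a little further than the text in that it rewrites the dump on the server, so there is no need to download and re-upload it. The function names, the x9k_ prefix and the environment variables in the guarded section at the end are this example's own assumptions.

```sh
#!/bin/sh
# Added example: swap the MODX table prefix in a mysqldump file without
# touching row data. Not part of the original article or of MODX.

# valid_prefix PREFIX -> 0 if PREFIX contains only letters, digits and
# underscores. Anything else would need quoting in SQL and would also
# break the sed expression below.
valid_prefix() {
  case $1 in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# rewrite_table_prefix OLD NEW <dump.sql >converted.sql
# mysqldump names the table as the first backquoted identifier on the
# DROP TABLE, CREATE TABLE, LOCK TABLES, INSERT INTO and
# /*!40000 ALTER TABLE lines, so only the first `OLD on those lines is
# rewritten (no g flag). Data values later on an INSERT line that happen
# to contain `OLD are left alone, as is every other line in the dump.
rewrite_table_prefix() {
  valid_prefix "$1" && valid_prefix "$2" || return 1
  sed -E "/^(DROP TABLE|CREATE TABLE|LOCK TABLES|INSERT INTO|\/\*!40000 ALTER TABLE) /s/\`$1/\`$2/"
}

# prefix_table_count FILE PREFIX -> number of CREATE TABLE statements for
# tables starting with PREFIX. Compare the old-prefix count in the
# original dump with the new-prefix count in the rewritten one, and make
# sure the old-prefix count in the rewritten dump is zero.
prefix_table_count() {
  grep -c "^CREATE TABLE \`$2" "$1" || true
}

# Guarded end-to-end run, only when the caller sets MODX_DB_NAME, e.g.
#   MODX_DB_NAME=mysite MODX_DB_USER=mysite NEW_PREFIX=x9k_ sh rename-prefix.sh
# It dumps, rewrites and reports the counts; the import (which replaces
# the tables) is left for you to run once the counts look right.
if [ -n "${MODX_DB_NAME:-}" ]; then
  old_prefix=${OLD_PREFIX:-modx_}
  mysqldump -u "$MODX_DB_USER" -p "$MODX_DB_NAME" > convert.sql
  rewrite_table_prefix "$old_prefix" "${NEW_PREFIX:?set NEW_PREFIX}" \
    < convert.sql > converted.sql
  echo "tables before: $(prefix_table_count convert.sql "$old_prefix")"
  echo "tables after:  $(prefix_table_count converted.sql "$NEW_PREFIX")"
  echo "now run: mysql -u $MODX_DB_USER -p $MODX_DB_NAME < converted.sql"
fi
```

Run it from a directory outside the web root so neither dump is ever web-accessible, and delete both files once the import has succeeded and $table_prefix in config.inc.php has been updated to match.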

Protect core directory

Ideally you should place your core MODX directory outside the web root, so the web server can never serve anything from it. However, this can be tricky, especially on a shared host.

Instead, you can block web access to this folder with a .htaccess file inside the core directory. This only works where Apache is configured with AllowOverride for the directory; on nginx or any other server the file is ignored and you need the equivalent deny rule in the server configuration.

Go to your core directory and create a new .htaccess file, if one doesn't already exist. MODX ships a template for it as core/ht.access; if you have already renamed that to .htaccess, check its contents rather than creating a new file.

cd core*
touch .htaccess

Set the correct permissions on it.

chmod 644 .htaccess

Open the .htaccess file in your favourite text editor and paste in the following contents. Afterwards, request a file such as config/config.inc.php under the core URL from a browser and confirm you get a 403 Forbidden response, not a blank page and certainly not the file itself.

# for Apache 2.4 (mod_authz_core is present)
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>

# for Apache 2.2 (no mod_authz_core)
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
  Satisfy All
</IfModule>

# for Apache 2.2 and 2.4: never show a directory listing
IndexIgnore *

Run MODX setup

Now that your MODX has been hardened, run setup in upgrade mode. It regenerates MODX's internal configuration and cache from config.inc.php, which is how the new paths and table prefix get picked up everywhere.

Download MODX

You will need the setup folder for your version of MODX. This lets you run the setup utility to iron out any issues left by the path and prefix changes.

Find the version of MODX you are using and download it directly onto your server. Make sure you replace the version below with your actual version, and keep the site on a release that still receives security fixes. Quote the URL because of the ? in it, and do not disable certificate checking: if wget complains about the certificate, fix the CA bundle on the server rather than ignoring the error.

wget --content-disposition 'https://modx.com/download/direct?id=modx-2.7.3-pl.zip'

Unzip the file.

unzip modx-2.7.3-pl.zip

For ease of use, rename the extracted folder to something shorter, like modx.

mv modx-2.7.3-pl modx

Now copy the setup folder from the modx directory to your main directory. If rsync is new to you, run it with --dry-run first to see what it would copy.

rsync -avP modx/setup/ setup/

Run setup

Depending on how your server is configured, you may need to set the permissions of the setup directory.

chmod -R 755 setup

Visit the setup url - yourdomain.com/setup

Follow the instructions, making sure you select Upgrade Existing Install

Once complete, log in to the Manager at its new URL to check that everything is working as it should, then confirm from a browser that the renamed core directory still returns 403 Forbidden.

Clean-up

Once working, remove the files and directories created during this process. The setup directory in particular must not be left behind, since it lets anyone re-run the installer. Delete the backup archive and the database dumps from the server only once you have copies safely off it.

rm modx-2.7.3-pl.zip
rm backup.tar.gz
rm database_name.sql
rm convert.sql
rm -rf setup
rm -rf modx

Further information

Inspired by Harden your MODX install.
