
Defending the MODX Revolution




Hello friends!



Many articles have been written and rewritten on how to protect MODX. In this one I will describe not only the standard recommendations for protecting a MODX Revolution instance (I will just write MODX, because the MODX Evolution branch is a dead end of "evolution" that is not worth the attention of modern developers), but also a few new methods of "covering your tracks".



So, let's start with the most important thing.



There are two varieties of the MODX installer: Traditional and Advanced.

What is the difference between them?

Traditional is the simple installation option for any hosting that meets the MODX installation requirements: the core is installed directly into the root of the site's public folder. Careless "site-stampers" install the Traditional version, do not disable directory listing, and as a result the entire contents of the site, service directories included, end up in the search engine indexes. We will not fantasize about what this may lead to; everything is clear here.



Advanced is the version for guys who have, at the very least, "watched a movie about ninjas". This installer lets you place the MODX core outside the public folder, hiding it from intruders. For serious projects this is the recommended option, and personally I always use it.



Core security



There are two ways to protect the core:



1. On normal hosting: move the core out of the public folder. Then you do not need to rename it or configure an .htaccess file in that directory (on a VDS, do not forget to set the permissions for the user that runs Apache).



2. On dumb hosting: rename the core directory using, for example, a password generator (without special characters, of course; letters and digits only), and during installation specify the physical path to the core directory. This is why the Advanced installer is the better choice.



Protection of service directories



It is no secret that, besides the core directory, other service directories have to remain in the public folder of the server.



What should we do to protect against hacking attempts through the connectors and attempts to get into the admin panel? The default name of the connectors directory is /connectors, and of the admin panel /manager, and that is a giveaway.



During installation you will be prompted to change these names. Here the password generator helps us with the connectors directory and, oddly enough, our own head with the admin directory: the name of the admin directory is better made human-readable, but not /admin, of course :)



You might want to ask: why don't we hide /assets as well?

And I will answer: why? All images and scripts live in /assets, and the page source contains the links to every one of them :)



Database table protection



During installation, in the database settings, the default table prefix is modx_. That will not do. Again the password generator helps us (remember, comrade? Letters and digits only!). Replace the standard prefix with gibberish ending in an underscore, for example "IU1xbp4_".
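The "password generator" this article keeps referring to, written out as a small Python script. This is an added example, not code from the original post or from the MODX project: it produces names from letters and digits only for the core and connectors directories and a table prefix terminated by an underscore, and it checks a name you picked yourself against the same rules. The default lengths, the DEFAULT_NAMES set and the decision to leave the manager directory to a human-chosen name (as the article advises) are assumptions of this example.

```python
import re
import secrets
import string

# Alphabet restricted to letters and digits, as the article advises (no special characters).
ALPHABET = string.ascii_letters + string.digits

# Names a scanner will try first; a hardened name must not be one of these.
# (Assumption of this example: the set covers the installer defaults plus /admin.)
DEFAULT_NAMES = {"core", "connectors", "manager", "admin", "modx"}

NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")
PREFIX_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*_")


def random_name(length: int = 12) -> str:
    """Random directory name: first character a letter, the rest letters/digits, from a CSPRNG."""
    if length < 2:
        raise ValueError("length must be at least 2")
    first = secrets.choice(string.ascii_letters)
    rest = "".join(secrets.choice(ALPHABET) for _ in range(length - 1))
    return first + rest


def random_table_prefix(length: int = 7) -> str:
    """Random table prefix of `length` letters/digits, terminated by an underscore."""
    return random_name(length) + "_"


def is_safe_dir_name(name: str) -> bool:
    """True if the name is letters/digits only, starts with a letter and is not a well-known default."""
    return NAME_RE.fullmatch(name) is not None and name.lower() not in DEFAULT_NAMES


def is_safe_table_prefix(prefix: str) -> bool:
    """True if the prefix is letters/digits ending in '_' and is not the installer default 'modx_'."""
    return PREFIX_RE.fullmatch(prefix) is not None and prefix.lower() != "modx_"


def hardening_plan() -> dict:
    """Fresh names to type into the Advanced installer's directory and database dialogs.

    The manager directory is deliberately absent: the article wants that one human-readable.
    """
    plan = {
        "core": random_name(),
        "connectors": random_name(),
        "table_prefix": random_table_prefix(),
    }
    # Sanity check: whatever we generated must pass our own rules.
    if not all(is_safe_dir_name(plan[k]) for k in ("core", "connectors")):
        raise RuntimeError("generated directory name failed validation")
    if not is_safe_table_prefix(plan["table_prefix"]):
        raise RuntimeError("generated table prefix failed validation")
    return plan


if __name__ == "__main__":
    for key, value in hardening_plan().items():
        print(f"{key:13} {value}")
```

Run it once per installation and paste the output into the installer; the two validator functions are also handy for checking names you already have in config.inc.php.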



Protection against CMS detection



Services that automatically detect a site's CMS do not know, of course, that MODX is a CMF, but that does not stop them from determining that it is MODX that manages the content on the site. It would seem we have already hidden everything we need. But no.



First of all, when installing MODX Revolution, uncheck the "X-Powered-By" checkbox, which is enabled by default (in the picture below). This is needed so that MODX does not "give itself away" by announcing in the response headers that the site runs on MODX.






If the site is already installed, you can check this parameter in the system settings at your-domain/manager/?a=system/settings.

In the "Search by key" field enter "send_poweredby_header" (or simply "header") and press Enter. The value of "send_poweredby_header" should be set to "No".
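A small check, added here as an example and not part of the original post, that reads a saved HTTP response from your own site (for instance the output of curl -si) and reports the giveaways discussed in this section: an X-Powered-By header, a generator meta tag, and references to the default /manager/ and /connectors/ paths in the page source. Both sample responses are constructed for this example, not captured from any real site, and the header value "MODX Revolution" is an assumption rather than a claim about what MODX actually sends.

```python
import re

# Default MODX directory names the article says to rename; a link to them in the
# page source tells a scanner what is running even when the header is gone.
DEFAULT_PATHS = ("/manager/", "/connectors/")

GENERATOR_META_RE = re.compile(
    r'''<meta\s+name=["']generator["']\s+content=["']([^"']*)["']''', re.IGNORECASE
)

# Constructed response of a site before hardening (assumed values, not a real capture).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: MODX Revolution\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="MODX Revolution" />\n'
    '<script src="/assets/js/site.js"></script></head>\n'
    '<body><a href="/manager/">Login</a>\n'
    '<form action="/connectors/index.php" method="post"></form></body></html>\n'
)

# Constructed response of the same site after the steps in this article.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><script src="/assets/js/site.js"></script></head>\n'
    '<body><form action="/Zq7pLm2kXv9r/index.php" method="post"></form></body></html>\n'
)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (headers, body); header names are lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_fingerprint(raw: str) -> list:
    """Return a list of findings; an empty list means none of the known giveaways is present."""
    headers, body = parse_response(raw)
    findings = []
    if "x-powered-by" in headers:  # send_poweredby_header still set to Yes (or PHP's expose_php)
        findings.append(f"x-powered-by: {headers['x-powered-by']}")
    match = GENERATOR_META_RE.search(body)
    if match:
        findings.append(f"generator-meta: {match.group(1)}")
    for path in DEFAULT_PATHS:
        if path in body:
            findings.append(f"default-path: {path}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", LEAKY_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit_fingerprint(sample) or "clean")
```

To check a live site you administer, save `curl -si https://your-domain/` to a file and pass its contents to `audit_fingerprint`. Note that a generator meta tag is reported whatever its value, so if you add the decoy tag described further down, that finding is expected.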







It is also useful to hide the configuration files.

For example, take the first link from the Google search results above and try to open the settings file config.core.php, or, although directory listing is already disabled on this site, follow the link www.vvhotel.ru/core/config/config.inc.php. The site returns the result of executing the .php file, which means each of these files exists, and the first of them alone tells you the site runs on MODX.



You can hide this file with .htaccess by adding (the rule answers any request ending in config.core.php with a 404, exactly as if the file did not exist):

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^(.*)config\.core\.php$
    RewriteRule ^(.*)$ - [R=404,L]
</IfModule>


Something else



In addition to the techniques described above, you can use a little trick to send potential intruders down the wrong track. Some "popular" CMSs add a meta tag with the name of the CMS:

<meta name="generator" content="WordPress xxx" />


You can safely add such a tag to your code and create a fake standard login page for the admin panel of the CMS and version you are imitating.



Auto-detectors will take our MODX for WordPress, and if hooligans want to get into the admin panel, they will spend a long and tedious time trying to open a retina scanner with picks meant for a simple lock (this is a metaphor :)).



And what if the site is already installed?



At the hour of lowest load, rename all the directories mentioned above (/core, if the hosting allows, is better moved out of the public folder altogether).



Change the prefix of the existing tables using phpMyAdmin:





Then, if you have Traditional but want to switch to Advanced, overwrite the contents of /core (or whatever you have renamed it to) with the contents of the /core directory from the Advanced installer's archive, and place /setup in the root of the site.



Check permissions and access rights (755 on directories, 644 on files).



Start the installation process.



During installation you will need to specify the physical path to the core directory.



It is IMPORTANT to choose the "Advanced update (with database settings)" installation option, because after you enter the database details the directory-rename dialog appears.



You could, of course, get into config.inc.php and edit everything there by hand. But why do something if you can avoid it? :)
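The table-prefix step of the procedure above (the one done in phpMyAdmin), as an added example that is not part of the original post: given the table list of the database, it builds a single RENAME TABLE statement that moves every modx_ table to the new prefix in one atomic MySQL statement, leaves tables belonging to other applications untouched, and refuses to run if a target name already exists. The table names are constructed for the example and stand in for the output of SHOW TABLES; the new prefix is the one from the article.

```python
import re

# Identifier rule this example accepts for table names and prefixes (letters, digits,
# underscore only); anything else is refused rather than quoted, to keep the SQL simple.
IDENT_RE = re.compile(r"[A-Za-z0-9_]+")

# Constructed stand-in for SHOW TABLES on a MODX database (not taken from a real site).
# The last entry belongs to another application and must be left alone.
CONSTRUCTED_TABLES = [
    "modx_site_content",
    "modx_users",
    "modx_user_attributes",
    "phpmyadmin_pma_bookmark",
]


def rename_plan(tables, old_prefix="modx_", new_prefix="IU1xbp4_"):
    """Return [(old_name, new_name)] for every table carrying old_prefix."""
    for prefix in (old_prefix, new_prefix):
        if not IDENT_RE.fullmatch(prefix) or not prefix.endswith("_"):
            raise ValueError(f"prefix must be letters/digits/underscore ending in '_': {prefix!r}")
    if old_prefix == new_prefix:
        raise ValueError("new prefix equals old prefix")
    existing = set(tables)
    pairs = []
    for name in tables:
        if not IDENT_RE.fullmatch(name):
            raise ValueError(f"unexpected table name: {name!r}")
        if not name.startswith(old_prefix):
            continue  # another application's table: leave it alone
        target = new_prefix + name[len(old_prefix):]
        if target in existing:
            raise ValueError(f"target already exists, would clobber it: {target}")
        pairs.append((name, target))
    if not pairs:
        raise ValueError(f"no tables start with {old_prefix!r}")
    return pairs


def rename_table_statement(tables, old_prefix="modx_", new_prefix="IU1xbp4_"):
    """One RENAME TABLE statement covering every pair; MySQL renames them all or none."""
    pairs = rename_plan(tables, old_prefix, new_prefix)
    clauses = ", ".join(f"`{old}` TO `{new}`" for old, new in pairs)
    return f"RENAME TABLE {clauses};"


if __name__ == "__main__":
    print(rename_table_statement(CONSTRUCTED_TABLES))
```

Paste the printed statement into the SQL tab of phpMyAdmin after taking a backup. The prefix stored in config.inc.php is then updated by the installer in the "Advanced update (with database settings)" step described above.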



That's all. If the information in this article is useful to you, great. If you want to ask something, add something or just chat, welcome to the blog!

Source: https://habr.com/ru/post/335148/


