Security in MODX by Pierrick Le Cunff

Does your CMS let you sleep at night?

The days of security through obscurity, or of being "too small" to attract attention, are over. Automated tools let malicious individuals seek out and exploit insecure websites at scale, so every site owner, no matter how large or small, is a target. Hacked sites are frequently used to send spam selling "little blue pills", to insert hidden links to other sites in an effort to boost search rankings, or even to mine bitcoins. If you're especially unfortunate, script kiddies and hackers will compromise your site to steal personal data, or much worse.

MODX Revolution was architected from day one with security in mind. All database operations that go through Revo's public APIs use xPDO, an object-relational layer built on PHP's PDO extension (also used by Drupal). xPDO sends values to the database as bound parameters of prepared statements rather than splicing them into the SQL text, so user input is handled as data and cannot change the structure of a query. That is what defends against the SQL injection attacks common on many web platforms today, provided your code goes through the API instead of assembling SQL strings by hand.
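The difference between concatenated SQL and the xPDO API, as an added example written for this page (it is not code from the MODX page or from the MODX project). It assumes it runs as a MODX Revolution snippet, so `$modx` (a `modX` object, which extends `xPDO`) is already in scope, that a resource is looked up by a hypothetical `?alias=` query-string parameter, and that the database uses the default `modx_` table prefix.

```php
<?php
// Added example, not code from the MODX page or the MODX project.
// Assumes it runs as a MODX Revolution snippet, so $modx (modX, which
// extends xPDO) is in scope, and that the resource to show is chosen by
// the ?alias= query-string parameter. Closures are used instead of named
// functions so the snippet can be called more than once on a page without
// a "cannot redeclare function" error.

// --- Vulnerable: user input spliced into the SQL text ----------------------
$lookupUnsafe = function (modX $modx, string $alias) {
    $table = $modx->getTableName('modResource');
    // ?alias=' OR '1'='1          turns the WHERE clause into a tautology
    // ?alias=' UNION SELECT username, password FROM modx_users -- (default
    // prefix) reads a completely different table through the same query.
    $sql = "SELECT id, pagetitle FROM {$table} WHERE alias = '" . $alias . "'";
    $stmt = $modx->query($sql);
    return $stmt ? $stmt->fetchAll(PDO::FETCH_ASSOC) : [];
};

// --- Safe: xPDO criteria array, bound as a parameter -----------------------
$lookupSafe = function (modX $modx, string $alias) {
    // xPDO renders ['alias' => $alias] as "alias = :alias" and binds the
    // value, so "' OR '1'='1" is compared literally and matches nothing.
    $resource = $modx->getObject('modResource', ['alias' => $alias, 'deleted' => false]);
    if (!$resource) {
        return null;
    }
    return ['id' => $resource->get('id'), 'pagetitle' => $resource->get('pagetitle')];
};

// --- Safe when raw SQL is unavoidable: prepare + bindValue -----------------
$lookupRawSafe = function (modX $modx, string $alias) {
    $table = $modx->getTableName('modResource');
    $stmt = $modx->prepare("SELECT id, pagetitle FROM {$table} WHERE alias = :alias");
    $stmt->bindValue(':alias', $alias, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
};

// Snippet body: validate the input shape first (a MODX alias never needs
// quotes or spaces), query through the API, then escape on output so a
// page title cannot carry script into the HTML either.
$alias = isset($_GET['alias']) ? (string) $_GET['alias'] : '';
if ($alias === '' || !preg_match('#^[A-Za-z0-9._/-]+$#', $alias)) {
    return '';
}
$hit = $lookupSafe($modx, $alias);
return $hit ? htmlspecialchars($hit['pagetitle'], ENT_QUOTES, 'UTF-8') : '';
```

Only `$lookupSafe` is called; `$lookupUnsafe` and `$lookupRawSafe` are there to show, side by side, the pattern that injection exploits and the one to fall back on when a query is too unusual for `getObject` or `newQuery`. The input check is defence in depth, not the primary control: parameter binding is what makes the payloads in the comments harmless.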

The following numbers of vulnerability reports had been recorded in the National Vulnerability Database (NVD), run by the US National Institute of Standards and Technology, as of April 16, 2018 (the multiplier is each count relative to MODX Revolution's):

CMS                Reported vulnerabilities    Most recent report
MODX Revolution       29                       November 17, 2017
WordPress          1,580 (54x)                 April 16, 2018
Drupal             1,035 (36x)                 April 10, 2018
Joomla               980 (34x)                 April 12, 2018

Raw counts record how many issues were reported, which also tracks each platform's install base and the research attention it attracts, so treat them as one indicator among several rather than a direct measure of code quality.

Keep up with updates

A word to the wise: as a website owner you have an ongoing responsibility to keep up with updates, both for the application that powers your website and for any Extras, Add-ons, Plugins or Modules you use. When a new release of the platform comes out you should, in almost all circumstances, install it to keep your site safe. It is not a guarantee against compromise, but it is a key part of keeping your site as safe as possible, because once a fix is public, attackers know exactly what to look for on sites that have not applied it.

Some additional basic guidelines to follow as a part of your overall security strategy:

  • Keep up with updates—as stated above, this is critical, since developers patch known vulnerabilities with each release and the accompanying advisories tell attackers which unpatched sites are worth their time.
  • Keep your hosting environment/OS up to date—you have to keep your whole stack upgraded, from PHP to your database to your web server, and even the underlying Operating System and system-level components such as OpenSSL.
  • Keep your server clutter-free—remove old files and scripts you no longer use to reduce possible attack vectors. In MODX that includes deleting the setup/ directory once an install or upgrade is complete, and clearing out abandoned Extras, backups and test copies left under the web root.
  • Employ a WAF—a Web Application Firewall can block many known attack patterns before they ever reach your application, but treat it as a safety net, not a substitute for patching.
  • Serve your site over HTTPS—TLS (the successor to SSL) encrypts and authenticates traffic between the browser and your server, which keeps logins, sessions and form data from being read or altered by a "man in the middle"; enable HSTS so browsers refuse to fall back to plain HTTP.

Keeping updated is easy in MODX Cloud

One of the reasons we created MODX Cloud was to make maintaining a site, the right way, much easier. MODX Cloud's server software stack is monitored and updated as patches are released to help keep malicious people at bay. MODX Cloud also makes it easy to add TLS certificates, back up your sites on demand, and in general does the things you would expect from a properly secured and managed platform.

While the allure of auto-updaters is understandable, an unattended upgrade can break a customized website with nobody watching. In MODX Cloud, you can quickly clone a site to a test instance (for free), review the upgraded website out of public view, then apply the upgrade to your live site once you have verified that everything works, all by clicking a few buttons in an intuitive online hosting Dashboard.

Benefits for Organizations

  • MODX Revolution is a proven platform with more than a decade of track record
  • Architected for security, with Two-Factor Authentication (2FA) Extras available to further protect logins
  • Granular control over creating, accessing or publishing content

For End Users & Site Builders

  • Peace of mind from a strong security track record
  • Quality Extras that use the public APIs inherit the platform's protections, such as xPDO's parameter binding, rather than reinventing them