    • 53390
    • 42 Posts
    DONE IT! FINALLY! And with XAMPP I successfully finished the installation and successfully logged in to the Manager.

    Now, the problem was that when I was creating privileges for accessing a DB I selected SSL as a secure way of connection. I know that on a real web server this service needs to be ordered and provided by the server admins. I thought a virtual SSL emulator was present in XAMPP.
    Bob, can you tell me more about this? Should this normally be SSL or None for MODx, and does it make a big difference for a DB connection on a real web server, since I am looking for the most secure option?
    p.s. I think this warning should be included in the installation setup page whenever an error is raised.
      • 3749
      • 24,544 Posts
      I'm glad you got it sorted.

      I have not tried SSL in XAMPP, but it looks like it does have the capability. I suspect that most of the work is done by the browser talking directly to Apache. You'd have to have a cert file in the right place and specify that location in your Apache config file.

      xampp/apache/config/config.httpd has a line that loads the SSL module, and it "includes" conf/extra/httpd-ssl.conf, which I think contains the lines that specify the location of the cert file. I'm not sure, but I think you can also specify the file in a php.ini in the MODX directory. E.g.,

      curl.cainfo = "/etc/pki/tls/cacert.pem"


      If you use https for the login page, you might have to access all manager pages with https -- otherwise, the session would be lost when you switched to http and your permission to perform Manager actions would go away.

      I do recommend making your live site https. I don't think it makes it significantly more secure, since it mainly just certifies that the connection is to your site rather than another one, but both Firefox and Chrome are pushing hard for full SSL by issuing dire warnings on non-SSL pages that ask the user for certain kinds of information (e.g. a contact page). SSL no longer slows down sites and I've read that it often speeds them up. At my host (see my sig), you can enable LetsEncrypt (free) in cPanel. After doing that, I just added a rewrite rule in .htaccess to rewrite http to https -- much easier than trying to use SSL on specific pages.

      TBH, rather than messing with SSL locally, I've left it off my localhost sites. Since most of the MODX data is in the database, it's not easy to push content from the staging site to the live site. There are various ways to do it, but I've found that it's fairly easy, and much less error-prone, to just cut-and-paste the content.





        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 53390
        • 42 Posts
        Hi Bob, thank you for your help and all the info. I am really a newbie to all those SSL things and other techniques for securing the site. I need to read much more on this topic, since I am planning a project where security is the most important aspect.
        There are some ideas in my head like allowing the Manager page to be available only from a particular IP address (probably through the .htaccess file). But is there an available option or setting in MODx to have a custom shortcut to the Manager? For instance, when you type yourdomain.com/manager it returns a "404 error page not found", but entering some custom address to a sub-directory and/or php file like yourdomain.com/hidden/access.php would redirect to or load the login page of the Manager, and it would be accessible from allowed IP addresses only? Even if an intruder finds out that a website is run with MODx, he/she wouldn't be able to guess or recognize the address of the hidden Manager login page.
          • 3749
          • 24,544 Posts
          I'm sure you can cut off access by IP address (though I've never done it). I would do it in a plugin attached to OnManagerPagePrerender with something like the following (replace 000 with the allowed IP).

          <?php
          // Abort the Manager page unless the request comes from the single allowed address.
          // Replace 000 with that address; the whole string is compared, not a substring.
          if ($_SERVER['REMOTE_ADDR'] !== '000') {
              die('Unauthorized');
          }


          It might or might not work, depending on your server configuration. Also, many users (like me) will be using a host that assigns different IPs at different times. In that case, you may be able to at least filter on part of the IP address, but it will be less secure.

          // Looser check for hosts that hand out changing addresses: allow on a prefix only.
          // strpos() matches the digits anywhere in the address, so this is weaker than a full match.
          if (strpos($_SERVER['REMOTE_ADDR'], '252.76') === false) {
              die('Unauthorized');
          }


          Be careful entering the code, since a typo will kill the Manager and you'd have to fix things in the modx_site_plugins table in phpMyAdmin.

          With respect to the Manager, you can put the manager folder anywhere under the web root (usually public_html). It's actually recommended that you rename it and specify the new name, location, and URL in the config.inc.php file, which should also have the first part renamed and should be moved above the web root. Your core directory shouldn't be called 'core' and the first part of the config.inc.php file can be changed, but since it will be above the web root and so not accessible by a browser, that's less critical.

          There are four files that need editing for this process (no work required in the Manager itself):

          config.inc.php (or yourconfigkey.inc.php)

          and the config.core.php files in the MODX root, manager, and connectors directories.

          See this for more details: https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution

          Also, the Manager's username should be changed to something exotic -- definitely not 'admin' and preferably not a word that would appear in the dictionary -- something like FrinkMuxful.
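Added example, not Bob's code and not something that ships with MODX: a version of the OnManagerPagePrerender allowlist plugin from the post above that matches the client address against full addresses or CIDR ranges instead of a substring, so a changing-IP host can be allowed as a range (say 252.76.0.0/16) without strpos() also letting 1.252.76.9 through. The allowed addresses, the 'managerAllowedIps' system setting name and the sample addresses in the self-check are assumptions; the code assumes 64-bit PHP for the ip2long() arithmetic. Only REMOTE_ADDR is consulted, because X-Forwarded-For is client-supplied unless a trusted reverse proxy rewrites it.

```php
<?php
/**
 * Manager IP allowlist plugin (added example, not MODX or Bob Ray's code).
 * Attach to the OnManagerPagePrerender system event in the plugin's
 * System Events tab. Assumes 64-bit PHP (ip2long() returns non-negative ints).
 */

/** True when dotted IPv4 $ip lies inside $cidr ("a.b.c.d/n" or a bare address). */
function ipInCidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';                       // bare address == /32
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;                         // malformed entry never matches
    }
    if ($bits === 0) {
        return true;                          // 0.0.0.0/0 means "everyone"
    }
    $mask = -1 << (32 - $bits);               // high bits set, low (32-$bits) bits clear
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True when $ip matches any entry of $allowed (addresses and/or CIDR ranges). */
function ipAllowed($ip, array $allowed) {
    foreach ($allowed as $entry) {
        if (ipInCidr($ip, trim($entry))) {
            return true;
        }
    }
    return false;
}

// Plugin body: $modx is provided by MODX when the plugin fires.
if (isset($modx) && $modx->event->name === 'OnManagerPagePrerender') {
    // Comma-separated list kept in a system setting (hypothetical name) so that
    // changing the list does not mean editing the plugin and risking a typo
    // that kills the Manager. Default locks it to localhost.
    $allowed = explode(',', $modx->getOption('managerAllowedIps', null, '127.0.0.1'));
    // REMOTE_ADDR only: X-Forwarded-For can be set by the client.
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!ipAllowed($client, $allowed)) {
        $modx->log(modX::LOG_LEVEL_WARN, 'Manager access denied for ' . $client);
        header('HTTP/1.1 403 Forbidden');
        die('Unauthorized');
    }
}

// Stand-alone self-check with constructed addresses; runs only outside MODX.
if (!isset($modx)) {
    $allowed = array('203.0.113.7', '252.76.0.0/16');
    foreach (array('203.0.113.7', '252.76.9.1', '1.252.76.9') as $ip) {
        printf("%-12s strpos:%-5s cidr:%s\n", $ip,
            strpos($ip, '252.76') !== false ? 'allow' : 'deny',
            ipAllowed($ip, $allowed) ? 'allow' : 'deny');
    }
}
```

Run from the command line (php plugin.php) the self-check shows the difference: 203.0.113.7 is denied by the substring test but allowed as an exact entry, 252.76.9.1 is allowed by both, and 1.252.76.9 is allowed by the substring test but correctly denied by the CIDR match. If the Manager is served through a reverse proxy or CDN, REMOTE_ADDR will be the proxy's address and the check has to be done at the proxy instead.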
            • 53390
            • 42 Posts
            Thanks for some good info.
            During a MODx updating process, what would be replaced (updated) when all these mentioned files and directories were renamed? Would I need to rename them again?

            I have noticed that some sub-directories have ht.access. I assume these are templates for .htaccess?
            Which directories should have it? Do I need to rename them all to .htaccess?
              • 3749
              • 24,544 Posts
              If you use the UpgradeMODX widget to upgrade the site, those should all remain as you set them with no trouble. Renaming the Connectors directory might be an exception, I can't remember for sure. If it is an exception, you'd just have to copy the new MODX files from the /connectors directory to *your* connectors directory.

              If you don't use UpgradeMODX, you'll have to type in the path to the core during setup, but otherwise it should leave your changes intact. I haven't actually tried this, so it's possible that you would also have to copy the new MODX files to the correct locations, but I don't think so.
                • 53390
                • 42 Posts
                Thank you Bob for so much useful information.
                I don't know if you are one of the MODx core developers, but are there any plans for the future to add these security options to the MODx settings? I would imagine extra security for typing a list of IP addresses for the Manager section as well as for all users with admin privileges, and text fields for renaming directories so the CMS itself would rename the directories and update the configuration php files. I am sure all the MODx users would benefit from this, and it shouldn't be super challenging code to write.
                  • 3749
                  • 24,544 Posts
                  I've contributed to the core, but would not call myself a core developer.

                  That said, there is work going on to add those kinds of configuration options to the setup process, though it may be a while before they show up in a release.