- 24,544 Posts
There is excellent advice here for hardening your site:
https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution#HardeningMODXRevolution-ChangingDefaultPaths.
It's particularly important to rename the connectors directory since it's the gateway to the MODX processors and much of the code in MODX extras. Any extra with a vulnerability may be accessed via the connectors directory.
Renaming the Manager directory will prevent brute-force attacks that attempt to guess your Manager credentials. Such attacks may not succeed, but they will slow down your site. A 404 for the Manager login page will make most brute-force hackers move on to another site rather than hammering away.
Department of Duh
When renaming your directories, don't try to do it on the Files tab of the Manager (don't ask me how I know this).
- 1,145 Posts
I must say that renaming the folders is quite incredibly insufficient and might, for some security-conscious people (like me these days), prove to be not an option at all.
IMHO, those docs need immediate attention/updating. Passwording all the way!
A proper brute-force will burst up all hidden folders.
Here are five nice ways to sniff/hack your own site.
http://www.hackingarticles.in/5-ways-directory-bruteforcing-web-server/
DirBuster being my fav.
https://www.owasp.org/index.php/Category:OWASP_Download
When renaming your directories, don't try to do it on the Files tab of the Manager (don't ask me how I know this).
I laughed so hard I had to ask you how you know this. By personal experience?
TinymceWrapper: Complete back/frontend content solution.
Harden your MODX site by passwording your three main folders: core, manager, connectors, and renaming your assets (thank me later!)
5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
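The post above argues that a renamed folder is only hidden until a wordlist happens to contain its name, whereas a password-protected one stays closed even after it is found. The script below is an added example (it is not from this thread and not part of MODX or any of the linked tools) that makes that difference concrete: it runs a small directory brute-force probe, of the kind DirBuster automates, against an in-process stand-in server. The server, its per-path status codes, the wordlist and the renamed Manager directory name `mgr-7f3a` are all constructed for the example; on a real site the probe would only find a renamed directory if its name is in the wordlist, but a 401 reveals a protected directory regardless, and tells the attacker that knowing the path is not enough.

```python
"""Directory brute-force probe against a local stand-in server.

Constructed example: the in-process HTTP server below imitates how a MODX
install might answer for a few paths; nothing here touches a real site.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for a site: the status code returned per path.
# /manager was renamed to /mgr-7f3a (hypothetical name, no protection),
# /connectors and /core sit behind HTTP Basic auth, /assets is public.
SITE_PATHS = {
    "/mgr-7f3a/": 200,
    "/connectors/": 401,
    "/core/": 401,
    "/assets/": 200,
}

# Constructed wordlist in the spirit of the DirBuster lists; note that the
# renamed name only gets found because it happens to be in the list.
WORDLIST = ["admin", "manager", "core", "connectors", "assets", "setup", "mgr-7f3a"]


class StandInHandler(http.server.BaseHTTPRequestHandler):
    """Answers with the constructed status for known paths, 404 otherwise."""

    def do_GET(self):
        status = SITE_PATHS.get(self.path, 404)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="MODX"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request server logging
        pass


def start_stand_in_server():
    """Bind the stand-in to a free loopback port and serve it in the background."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(base_url, name):
    """Return the HTTP status for base_url/name/; urllib raises for >= 400."""
    try:
        with urllib.request.urlopen(f"{base_url}/{name}/", timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """What a brute-forcer learns from a single status code."""
    if status == 404:
        return "absent"
    if status == 401:
        return "exists, password-protected"
    if status in (200, 301, 302, 403):
        return "exists"
    return f"unexpected {status}"


def bruteforce(base_url, wordlist):
    """Map every wordlist entry that did not 404 to what the probe learned."""
    found = {}
    for name in wordlist:
        verdict = classify(probe(base_url, name))
        if verdict != "absent":
            found[name] = verdict
    return found


def run_demo():
    """Start the stand-in, brute-force it with the constructed wordlist, stop it."""
    server = start_stand_in_server()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return bruteforce(base, WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"/{name}/: {verdict}")
```

Run it as-is and the renamed `/mgr-7f3a/` shows up as plainly reachable, while `/core/` and `/connectors/` are discovered but answer 401; pointing `bruteforce()` at your own site with a real wordlist gives the same check the post describes.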
- 24,544 Posts
My lips are sealed.
BTW, how does password protection affect widgets and snippets that need to read from and write to the password-protected directories (e.g., UpgradeMODX and Setup)?
- 463 Posts
There has been conflicting information but as I understand it now, changing directory names will not help - Don's research now shows this. The docs do need upgrading.