Hardening/Security

I have just successfully moved my site into working order, by moving things up a directory.

Now, I have been looking into security, and hardening MODx. Great article here: http://rtfm.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution

I have a couple of questions:
If I follow those suggestions (putting /core and /manager) up a level -
do I need to move config.core.php up a level as well?
and how will I access to the manager?

No. The config.core.php files (there are 3 of them) are used to locate the actual MODX_CORE_PATH location and you will need to modify those files in all locations to point at the proper core. FWIW, installing using the advanced package of MODX Revolution can handle this for you automatically.

The Manager has to be available via URL, so you can't move it above the web root. Just renaming it and changing the references to it in config.inc.php does help harden the site, though.

@OpenGeek: Is there a reasonably simple way of moving from the traditional package to the advanced one?

Quote from: opengeek at Jan 14, 2014, 02:17 PM

No. The config.core.php files (there are 3 of them) are used to locate the actual MODX_CORE_PATH location and you will need to modify those files in all locations to point at the proper core. FWIW, installing using the advanced package of MODX Revolution can handle this for you automatically.

Hmm.
Bob has an interesting point. Is there a reasonably simple way to install advanced over traditional

My site was hacked recently but thankfully I had it backed-up. I'm trying to follow the Hardening MODX Revolution article but I'm having difficulties. I'm trying the Manager section first. I changed it from ../website_name/manager/ to ../website_name/m@n@g3r in core/config/config.inc.php but no joy. It just shows the website homepage and not the manager page. Am I doing something wrong?

I also tried the core but no joy there either.

You can't use @ in a URL. Technically, you can use $-_.+!*'(), but I wouldn't recommend it.

Also, you probably don't want to post your Manager URL in a public forum.

Clear the core/cache I suspect, are you allowed to use those funky characters in the folder name?

The config.inc.php for Revo is in core/config/config.inc.php.

There are three config.core.php files, one in the site root, one in the connectors directory and one in the manager directory. All they do is point to where the core directory is, so you can move the core or change its name. The config.inc.php for Revo is in core/config/config.inc.php.

Edit haha you can't use those funky characters lol

I changed the manager folder name to a random word and changed the manager section in core/config/config.inc.php to match that random name and now I get an error 'Could not find action file at: controllers/default/security/login.php'

When I went to that folder, there isn't a login.php file. It's a login.class.php file

**EDIT: Sorted....I cleared the cache**