We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Core folder is accessible by web

    • 8168
    • 1,118 Posts
    dubbs Reply #31, 8 years, 6 months ago
    Quote from: BobRay at Oct 29, 2015, 04:07 PM
    Good thinking.

    Can you confirm that they are not the same, and that the slashes in both of them are all leaning the same way?

    I can and they are. All looks fine which makes the bug that kept showing the warning in the manager even stranger. The .htaccess tweak was the only thing that seemed to resolve it - even when I had move the core folder from the server root!
      • 51607
      • 4 Posts
      samkatz Reply #32, 8 years, 3 months ago
      I upgraded through softalacous. When I saw this thread, I informed my host because this bug seems like it should be patched by either the host installer, or yours.

      Why can't the installer fix this problem? Is that itself a security issue? they can at least give you better instructions. It tells you that renaming the access file works, and it doesn't work because the .htaccess file doesn't contain the right code.
        • 13373
        • 70 Posts
        jacobkball Reply #33, 8 years, 2 months ago
        I agree with samkatz - it's frustrating that the supplied code in the /core/ht.access file doesn't work out of the box when renaming it - surely they could provide the correct code?

        I also think the installation / upgrade process needs to be re-written and improved, if putting the /core folder outside the public_html folder is so important for security.
          • 34244
          • 51 Posts
          aesop1 Reply #34, 8 years, 1 month ago
          Bump. This really should be resolved. Has it been marked as a bug?
            • 51907
            • 8 Posts
            treniota Reply #35, 8 years, 1 month ago
            I change core folder permissions from 755 to 750 and the warning goes away. Not sure though if permissions 750 are ok.
              • 34244
              • 51 Posts
              aesop1 Reply #36, 8 years, 1 month ago
              Quote from: treniota at Mar 16, 2016, 02:16 PM
              I change core folder permissions from 755 to 750 and the warning goes away. Not sure though if permissions 750 are ok.

              Hmm . . . does anyone know if this would affect things like caching of extras?
                • 34244
                • 51 Posts
                aesop1 Reply #37, 8 years, 1 month ago
                BTW, while moving the core folder might be a best, most secure practice, some of us have to deal with Softaculous installs and updates and I think that moving the core folder would be hard--if not impossible--for Softaculous to maintain. My non-technical clients like the peace of mind that they can perform backups and restores using Softaculous, and moving the core folder would just destabilize their setups.
                  • 34244
                  • 51 Posts
                  aesop1 Reply #38, 8 years, 1 month ago
                  And how do we remove the "Answered" Flag to this thread? It's clearly not a satisfactory answer.
                    • 42562
                    • 1,145 Posts
                    donshakespeare Reply #39, 8 years, 1 month ago 
                    span.tag.solved{
  display: none !importantissimus;
  position:fixed !importantissimus;
  top: -99999999 !importantissimus;
  left: -99999999 !importantissimus;
  visibility: hidden !importantissimus;
  opacity: -99999999 !importantissimus;
}
                    or
                    $("span.tag.solved").remove()
                      TinymceWrapper: Complete back/frontend content solution.
                      Harden your MODX site by passwording your three main folders: core, manager, connectors and renaming your assets (thank me later!)
                      5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.