We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Answered Configuration Warning: Core folder is accessible by web

    • 19872
    • 1,078 Posts
    mmcgee Reply #1, 8 years, 6 months ago
    Just updated to 2.4.2 and the manager displays a message about a Configuration Warning: Core folder is accessible by web.

    Following the message's instruction, I renamed the ht.access in the core folder to .htaccess, but the message about configuration warning is still displaying in the manager.

    Navigating to core or directories within the core directory successfully returns a 404 page not found. All good there I guess. But how do I get the manager to update or remove this message?

    This question has been answered by multiple community members. See the first response.

    • discuss.answer
      • 22840
      • 1,572 Posts
      Paulp Reply #2, 8 years, 6 months ago
      Change the content of the .htaccess in that folder to

      IndexIgnore */*
<Files *>
Order Deny,Allow
Deny from all
</Files>
        • 19872
        • 1,078 Posts
        mmcgee Reply #3, 8 years, 6 months ago
        Good Morning Paul:

        I just found your previous post. Thanks for following up. Worked perfect!

        Thanks!
          • 19872
          • 1,078 Posts
          mmcgee Reply #4, 8 years, 5 months ago
          Hi Paul:
          I am performing this change on another MODx site, and the manager is still displaying the warning message about the core directory being accessbile.
          I used the Code Editor in cPanel to make the change to the htaccess file located in the core directory. Not sure whether this would have any affect, but I Cleared the site cache from within the manage, and also manually cleared the core cache using the cPanel File Manger.

          I'm stumped.


          Quote from: paulp at Oct 08, 2015, 01:04 PM
          Change the content of the .htaccess in that folder to

          IndexIgnore */*
<files *="">
Order Deny,Allow
Deny from all
</files>
            • 19872
            • 1,078 Posts
            mmcgee Reply #5, 8 years, 5 months ago
            Just tried that, and the warning is still on the manager dashboard. Of course – just noticed that the name of the htaccess was ht.access.
            I changed the name to .htaccess. Now I am unable to see the .htaccess file in cPanel.

            So I have a .htaccess file with your most recent suggestion input, but the warning is still visible in the manager dashboard.


            Quote from: paulp at Oct 08, 2015, 01:04 PM
            Change the content of the .htaccess in that folder to

            IndexIgnore */*
<files *="">
Order Deny,Allow
Deny from all
</files>
            • discuss.answer
              • 19872
              • 1,078 Posts
              mmcgee Reply #6, 8 years, 5 months ago
              OK. I found how to change the cPanel File Manager settings to allow me to see the hidden dot files.
              I changed the .htaccess content in the core directory to

              IndexIgnore */*
              <files *>
              Order Deny,Allow
              Deny from all
              </files>

              Now the warning is gone.
              If I navigate to the core directory, the home page of the site loads. Yes... I need to create my error pages smiley

              All seems to be working great now. Thanks for jumping in with feedback Paul. Have a terrific rest of the weekend.
                • 28120
                • 380 Posts
                sparky Reply #7, 8 years, 3 months ago
                The default ht.access shipped has the wrong code

                IndexIgnore */*
<Files *.php>
    Order Deny,Allow
    Deny from all
</Files>


                <Files *.php>
                • sottwell Reply #8, 8 years, 3 months ago
                  Actually the internal code should not check for access to all files, it should only check for access to .php files. There are text files that could be readable. I think the general idea was that the core is best outside of the web root for stronger security.
                    Studying MODX in the desert - http://sottwell.com
                    Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                    Join the Slack Community - http://modx.org
                    • 19872
                    • 1,078 Posts
                    mmcgee Reply #9, 8 years, 3 months ago
                    Have I created yet another problem by modifying my .htaccess?

                    I have some sites that I installed via Softaculous. Not quite sure how to back out of that and convert to an Advanced. Perhaps it's as simple as performing the steps for advanced, modifying paths etc. and then just knowing that I can no longer use Softaculous for super fast updates?

                      • 51020
                      • 670 Posts
                      Andy Jones Reply #10, 7 years, 6 months ago
                      I know this is an old post - but I have the same problem with V 2.5.1

                      But the contents of my .htaccess within the core folder is totally different to previous versions:

                      
# deny access to _all_ files in the core, including changelog.txt and error.log
# original borrowed from owncloud

# line below if for Apache 2.4
<ifModule mod_authz_core.c>
    Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
    deny from all
    Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
IndexIgnore *


                      Any ideas?
                      Thanks
                      Andy