    • 3177
    • 137 Posts
    I have a couple of websites in Evolution and am a huge fan of Evolution. This week I talked to a MODX-specialized company about Evolution and they advised me to upgrade to Revolution because Evolution security is an issue. (And let them do the upgrade.)
    But I was under the impression that although developments on Evolution are slower, the security is kept up to date.

    Is it true that I had better upgrade the site to Revolution because Evolution security is bad?




      • 36416
      • 589 Posts
      Quote from: bertcatsburg at Mar 24, 2015, 09:35 PM
      Is it true that I had better upgrade the site to Revolution because Evolution security is bad?

      Not true - 1.0.15 is quite secure (for now).
        • 13226
        • 953 Posts
        My opinion:

        Any Open Source project / product is in most cases as safe as it can be until someone finds a way to break into it.

        That's the negative side of Open Source, because the code is open to everyone, but at the same time there can be thousands of developers looking at the code finding loopholes and fixing them.

        To my knowledge the majority of Evolution users who have been hacked over the last couple of years have been hacked due to 3rd party plugins / snippets and not primarily via the core. Or they have been hacked due to shared servers, where a different site using other software such as WordPress was breached, opening full access to the server and with that all of the sites on the server.

        Rule of thumb that I have used for at least 6 years:

        • delete all snippets and modules that you don't use from your server and database
        • chmod all folders and files appropriately - 755 is not the "be all" "end all" solution (I use 400, 505, 600, 644 + 755)

        If you are using the latest version of Evo, you can improve security by renaming the manager folder to some obscure name or something with mixed characters.
          • 3749
          • 24,544 Posts
          I don't know of any security issues with Evolution. That said, in Evolution you can now rename the Manager, but Revolution also gives you the option of moving all of the MODX core code above the web root where it can't be reached by a browser. This includes much of the code for any extras you have installed. Many of the security vulnerabilities of MODX have been in extras, and moving them where a browser can't reach them would have prevented most of the breaches. Maybe that's what the company is referring to.

            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
            • 3177
            • 137 Posts
            Thanks for the answers.
            I already have Basic Authentication on the manager folder. But here I learn that I can also rename that one. Will certainly do.

            The conclusion I have is that there is no security reason to go to Revolution.
              • 3749
              • 24,544 Posts
              Maybe I wasn't clear. I would argue that Revolution is significantly more secure because if you put the core directory above the web root, the cache, all MODX core code, and the PHP code of virtually all add-on components will not be reachable by browser. This isn't possible with Evolution.
                Did I help you? Buy me a beer
                Get my Book: MODX:The Official Guide
                MODX info for everyone: http://bobsguides.com/modx.html
                My MODX Extras
                Bob's Guides is now hosted at A2 MODX Hosting
                • 13226
                • 953 Posts
                @ Bobray

                Please correct me if I am wrong:

                So far as I am aware you must have a (non managed) dedicated server to be able to make full use of this feature - moving everything outside of the root.

                On a shared server you only have access to the root, so is the benefit restricted to those who have a dedicated server, or not?
                Most shared accounts have a "home" directory where you can, indeed, put the core, or any other files you wish. For example, on a standard CPanel account with SkyToaster, the structure looks like this:

                  /
                  --etc
                  --logs
                  --mail
                  --public_ftp
                  --public_html
                  --ssl
                  --tmp
                  --www

                  So you can have the core up in this level above the public_html/www directory. (www is actually only a link to public_html).
                    Studying MODX in the desert - http://sottwell.com
                    Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                    Join the Slack Community - http://modx.org
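                    An added example (not code from the thread or from MODX itself) that checks two of the points raised above: the chmod rule of thumb earlier in the thread, and whether the core directory really sits outside the web root in a cPanel-style home like the one just posted. The layout it inspects is constructed in a temporary directory, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the hardening points
# discussed above: (1) does the MODX core directory resolve outside the web root
# (symlinks such as www -> public_html are followed), and (2) which entries under
# the web root are group- or world-writable. All paths are constructed in a
# temp directory so the script runs offline.

# Exit 0 if CORE ($1) resolves outside WEBROOT ($2), 1 if inside, 2 if missing.
core_outside_webroot() {
  core=$(cd "$1" 2>/dev/null && pwd -P) || return 2
  root=$(cd "$2" 2>/dev/null && pwd -P) || return 2
  case "$core/" in
    "$root"/*) return 1 ;;   # core is under the web root: reachable by a browser
    *)         return 0 ;;
  esac
}

# List entries under $1 that are writable by group or others (POSIX find only).
find_loose_perms() {
  find "$1" \( -perm -002 -o -perm -020 \) -print | sort
}

# Demo on a constructed cPanel-style home directory like the one posted above.
demo() {
  home=$(mktemp -d)
  mkdir -p "$home/public_html/assets" "$home/public_html/core" "$home/application/modx/core"
  chmod 755 "$home/public_html" "$home/public_html/assets" "$home/public_html/core"
  printf 'x' > "$home/public_html/assets/ok.php";  chmod 644 "$home/public_html/assets/ok.php"
  printf 'x' > "$home/public_html/assets/bad.php"; chmod 666 "$home/public_html/assets/bad.php"
  if core_outside_webroot "$home/application/modx/core" "$home/public_html"; then
    echo "application/modx/core: outside web root (good)"
  fi
  if ! core_outside_webroot "$home/public_html/core" "$home/public_html"; then
    echo "public_html/core: INSIDE web root (browser-reachable)"
  fi
  echo "group/world-writable entries under public_html:"
  find_loose_perms "$home/public_html"
  rm -rf "$home"
}

demo
```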
                    • 36816
                    • 109 Posts
                    Quote from: sottwell at Mar 26, 2015, 06:12 PM
                    Most shared accounts have a "home" directory where you can, indeed, put the core...

                    I'll second Susan's note. On a cPanel host I use frequently (Bluehost) the same is also true. FYI: Both SkyToaster and Bluehost are on Bob's MODX-Friendly Hosts list - http://bobsguides.com/modx-friendly-hosts.html

                    If I have a host that'll support it, I always move MODX Revo core outside of public_html; it works just fine. Here's a sample of the directory structure I set up on a Bluehost account - it's very much like what Susan reported, with the addition of the /application directory structure, which I create myself, then in the case of MODX, drop the core in there and identify its location when prompted at setup:

                    /
                    --application
                    ----modx
                    ------core
                    ----example-application-1
                    ------controllers
                    ------models
                    ------views
                    ----example-application-2
                    --etc
                    --logs
                    --mail
                    --public_ftp
                    --public_html
                    --ssl
                    --tmp
                    --www
                      • 13226
                      • 953 Posts
                      Susan & clareoconsulting thanks for the feedback.

                      I have to date not experienced shared hosting in the same configuration as you have both posted - that's why I asked.

                      I presume not every shared host account has cPanel hosting, as mine doesn't and a lot of my clients don't have it either.

                      I also use fully managed and self managed dedicated servers, but that's beside the point.

                      But it is good to know if your host does provide the access then great stuff.

                      Just out of interest (again) - the list of hosts you refer to all point to America - no European hosts (or at least no servers in Europe).

                      Maybe it's an American thing with cPanel; am I wrong in my line of thought?