If you’ve ever had your website hacked, you will know it is not a pleasant feeling. Sending a prospective customer to your website, only to have them riddled with porn is, let’s just say, not good for business.
What can you do? First off, I recommend using MODX as your CMS, but the virtues of MODX are too numerous to deal with in this post - you can read this, this and this. If you are lucky (smart) enough to have a MODX Revolution site, this post explains how you can make it more secure, including switching to the MODX Revolution Advanced Install.
- First off, read the Official Documentation on Hardening MODX Revolution: http://rtfm.modx.com/display/revolution20/Hardening+MODX+Revolution - I’m not kidding, I really, really think you should read that (and then come back ;)
- Official Documentation for MODX Advanced Install: http://rtfm.modx.com/display/revolution20/Advanced+Installation
Why the Advanced Installation?
If you read the Documentation above, you shouldn’t need any convincing, but let me summarize:
- Having your MODX core files exposed in your web root is like posting a map on your front door to where you keep the spare key. The engine that your precious website runs on is out there for all to see - naked and vulnerable.
- Think of how many thousands of MODX sites out there have the manager URL: site.com/manager - do you think a malicious bot or two might be sniffing around the Internet for those? The answer is a resounding YES! Hide Your MODX Manager!
- Using the Advanced Installation, especially after you do it a few times, will give you greater insight into how your favorite CMS works, and you’ll quickly learn how easy it can be to administer your site when you’re a bit more familiar with its inner workings.
I can almost guarantee that by practicing the Advanced Installation, you’ll become faster and more proficient at troubleshooting problems and performing updates/upgrades - all good stuff, right?
How Do I Do It?
If you’re installing into a fresh hosting account, then just follow the Documentation - it’s actually really easy.
If you want to switch your Traditional install into an Advanced one, there are a few different ways to do it, but the easiest is just to move/rename the important folders, modify your config file, run the setup program, and voila - you pretty much have all the security benefits of the Advanced Install. It’s the same as the “Changing Default Paths” section in the Documentation on Hardening. Here’s a quick run-down:
- Back up your site and database. Read my Disclaimer and don’t mess up your site by not backing it up!!
- Log in to your hosting account cPanel. You could also do it via SFTP (don’t use FTP - it’s not secure), but only if your SFTP account allows access above the web root (the public_html folder).
- Duplicate your core folder, usually at: /home/username/public_html/core/ and move the copied folder to the hosting account’s root so that its new location is: /home/username/copy of core/
- Rename this copy back to /core/
- Find your config file inside this new core. It should be at: /home/username/core/config/config.inc.php
- Optionally rename the file to something like: mysite.inc.php - this allows you to have multiple installations of MODX using the same core.
- Next, duplicate your /manager/ and /connectors/ folders in your web root, and rename them. Don’t move them - they need to stay in the web root. It’s recommended to use a random string of lowercase letters and numbers for the directory names. You can optionally make the Manager folder a little easier to remember, like /manager5tr1ng/. Random is best. I usually don’t rename the assets folder, because it can mess up links on an existing site.
- Go back to your config.inc.php file (or whatever you named it) - I’m talking about the new one in /home/username/core/config/
- Edit the following lines, replacing them with the correct paths for your setup:
- $modx_core_path= '/home/username/core/';
- $modx_processors_path= '/home/username/core/model/modx/processors/';
- $modx_connectors_path= '/home/username/public_html/new_connector_name/';
- $modx_manager_path= '/home/username/public_html/new_manager_name/';
- Save the config file.
- Download a copy of the Advanced Installation Package from modx.com - make sure it’s the same version as your existing, Traditional install! For example, use 2.1.5-pl-advanced.zip to replace a 2.1.5-pl (traditional) install.
- Extract it on your local machine. Inside the extracted folder will be just two folders: /core/ and /setup/
- Upload the setup folder to your web root /public_html/
- This next step will temporarily disable your site - but you’re not worried because you backed it up, right? Rename your old core folder in the web root. I recommend renaming it instead of deleting it right now, so you can easily restore it if need be.
- Run the setup program at: http://yoursite.com/setup/
- Now we’re kind of following the steps in the Advanced Install Documentation, starting from “Your MODX_CORE_PATH is invalid”. Enter the NEW core path: /home/username/core/
- If you changed your config file’s name, enter the first part of it in the Configuration Key window. For example, if your file is called mysite.inc.php, enter “mysite” - without the quotes - as your Configuration Key.
- Now because you did all the hard work of re-writing the paths in the config file, the setup program should go into Upgrade mode. If it doesn’t, you need to ensure that all the paths in the config file are correct, and you’ve entered the correct path and config key during the setup process. Retrace your steps, if need be. You don’t want MODX to perform a new install because that can overwrite your database!
- If it correctly detects your install, go ahead and run it in Upgrade mode. It should go smoothly from there :)
- Test that your site is working, and if it is, delete the old copies of the /core/, /connectors/ and /manager/ folders in your web root. Be careful to delete the OLD ones!!
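The path edits in the steps above can be checked from a shell before you run setup, so that a typo does not push the installer into a new install. The script below is an added example, not part of the original post or of MODX; the function names (random_dirname, config_path, check_layout) and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of a relocated MODX config (names and demo tree are constructed).

# Print a random directory name of lowercase letters and digits ($1 = length).
random_dirname() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "${1:-12}"
}

# Print the value assigned to one path variable ($2, without "$") in config file $1.
config_path() {
    awk -v var="\$$2" -F"['\"]" \
        '{ k = $1; gsub(/[ \t=]/, "", k); if (k == var) { print $2; exit } }' "$1"
}

# $1 = config file, $2 = web root. Prints findings; returns 0 only if all checks pass.
check_layout() {
    cfg=$1; webroot=${2%/}; fails=0
    for var in modx_core_path modx_processors_path modx_connectors_path modx_manager_path; do
        p=$(config_path "$cfg" "$var")
        [ -n "$p" ] && [ -d "$p" ] ||
            { echo "FAIL $var: not an existing directory: $p"; fails=$((fails + 1)); }
    done
    case "$(config_path "$cfg" modx_core_path)" in
        "$webroot"/*) echo "FAIL core is still inside the web root"; fails=$((fails + 1)) ;;
    esac
    for var in modx_connectors_path modx_manager_path; do
        p=$(config_path "$cfg" "$var"); p=${p%/}
        case "${p##*/}" in manager|connectors) echo "FAIL $var keeps a default name"; fails=$((fails + 1)) ;; esac
        case "$p" in "$webroot"/*) ;; *) echo "FAIL $var must stay under the web root"; fails=$((fails + 1)) ;; esac
    done
    [ "$fails" -eq 0 ] || return 1
    echo "OK: paths match the relocated layout"
}

# Constructed demo: temporary tree laid out as in the steps above.
demo=$(mktemp -d); mgr=$(random_dirname); con=$(random_dirname)
mkdir -p "$demo/core/model/modx/processors" "$demo/core/config" \
    "$demo/public_html/$mgr" "$demo/public_html/$con"
cat > "$demo/core/config/config.inc.php" <<EOF
<?php
\$modx_core_path= '$demo/core/';
\$modx_processors_path= '$demo/core/model/modx/processors/';
\$modx_connectors_path= '$demo/public_html/$con/';
\$modx_manager_path= '$demo/public_html/$mgr/';
EOF
check_layout "$demo/core/config/config.inc.php" "$demo/public_html"
rm -rf "$demo"
```

On a real account, call check_layout with your renamed config file and /home/username/public_html once the new folders are in place.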
It looks like a lot of steps, but I was trying to explain every little detail - it’s really not that hard. In the future, if you want to update, you can follow this tutorial. Please let me know in the comments if you have any problems with this tutorial, or if I forgot something. Hopefully I’ve convinced you to start using Advanced Installs - and reap the benefits too!