Core folder is accessible by web / Move core directory out of the web server's document root

Trying to find out how to move the /core/ outside of the web server’s document root. I found this explanation on Hardening MODX Revolution - Maintenance | MODX Documentation :

Once you move it, you’ll have to update the following configuration details:

  • core/config/config.inc.php (change the $modx_core_path variable)
  • /config.core.php (at the site root)
  • /connectors/config.core.php
  • /manager/config.core.php
  • The modx_workspaces database table (this is only necessary in older versions of MODX) – this is best done by re-running the setup as you might do when moving your site

Important: If you move and/or rename the core, you’ll also have to modify the processors path ($modx_processors_path) in the config.inc.php file unless it is defined relative to the core directory, since the processors directory is under the core directory.

You’ll probably want to go ahead and update the other paths, but just keep in mind that once you’re done, you’ll should run the setup to ensure that all your paths are clean.

What is meant with “modify the processors path ($modx_processors_path) in the config.inc.php file”? This is not quite clear to me. Why is it not mentioned in the bulleted list above? Is it in the file ‘core/config/config.inc.php’?

And what is best practice to run the setup afterwards? I cannot find any explanation on that.

Yes! (and no clue, why it’s not listed in the bullet list)

I always extract the setup folder from the install package of my current MODX version and access it through domain.tld/setup, worked fine for me so far.

Ok, thanks.
So only the /setup dir, not the other dirs?

Yes, just the setup folder.

1 Like

Alternatively, you can leave the /core directory where it is and prevent web access via .htaccess or nginx.conf and achieve the same result.

By default, the processors directory is under the core directory and the path to it is defined relative to the core directory. If you haven’t moved the processors directory (and you probably haven’t), it’s still under the core directory. It will move automatically when you move the core directory and its path in the config file will still be correct. That’s why it’s not on the bulleted list.

It’s worth checking, however, after you run setup if there are any problems, because every once in a while, after moving things, setup will modify it and get it wrong. That’s fairly rare, though.

1 Like

Ok, thanks. Makes it more clear. I’ll give it a try.

@smashingred Do you have a howto for the htaccess?

The .htaccess should already be in there, if you haven’t touched it since the install it’s called ht.access, therefore you can simply rename it to .htaccess.

See above, that’s what I did. And still get the warning.

What’s inside your .htaccess? I think this should be the default:

# deny access to _all_ files in the core, including changelog.txt and error.log
# original borrowed from owncloud

# line below if for Apache 2.4
<ifModule mod_authz_core.c>
    Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
    deny from all
    Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
IndexIgnore *

Exactly that. … 

I’ve had extras that crashed with that .htaccess strategy, but I don’t remember which ones.

I always move the core above the web root. Call it superstition, but I feel safer that way since the files are blocked by total lack of web access rather than by a bit of server software.

Renaming ht.access to .htaccess in the /core folder made the warning disappear.

But moving the core dir was not a succes. Fresh installation, I moved the core to the root, editted the paths in all the right places and ran setup:

Fatal error : Uncaught Error: Call to a member function parseProperties() on null in /var/www/vhosts/domain.nl/core/model/modx/modelement.class.php:567

If this is a totally fresh installation I’d be inclined to run setup before moving the core.

Setup is causing the error I mentioned…

Sure but is that before you move the core?

Before=fresh installation.
After=after moving the core and updating paths.
So, twice.

Completely fresh install? I would delete all files, upload Modx, completely clear the database and start install again. If you’re still getting an error at that point, I would think it has to be something to do with the server environment