Don't understand verbiage on 3.0.0-beta1 (rel. 9-Nov-2021) release announcement

I’m confused over whether I can install 3.0.0-beta 1 or not, maybe I am being dumb . I have moved my core so I usually do an advanced install.

The announcement text is: * To install this software, extract the files to your server and follow the basic installation guide. Unless you need to customize an install, e.g., changing the Manager location or name, download the Standard version.

The second sentence says to me “except when you have moved something use the Standard version”. First off I don’t understand which is the “Standard” version.
The download on that page is described as a “Traditional Installation Package” so I guess I can’t use that for an “Advanced” install.

So my question is: can I install beta when I have moved core?
And another question: does Bob Ray’s excellent UpgradeMODX script work for version 3?
My current MODX version: 2.8.3

MODX3 no longer supports a moved core, so you will need to move that back to its original location in /core/ (and update config files accordingly) before upgrading to 3. To lock it down, use a .htaccess rewrite rule (the example ht.access shows one way to accomplish this).

Advanced vs Traditional/Standard primarily changes what options are available in the setup for moving folders. MODX3 still does support custom assets/manager/connector paths, so if you want to or have done that you’ll need to use the advanced package.

Markh: thanks for the reply.
I looked at the ht.access in the beta download but don’t understand which part stops site visitors from getting to PHP files, any chance you could point it out?

I’m guessing that the rule that passes everything through index.php does it, somewhere in modx->handleRequest()?

It’s very important to me, I have a lot of sensitive PHP files.

It is that one under /core/

revolution/ht.access at 3.x · modxcms/revolution (

Thanks Bruno, got it.

What was the thinking on no longer allowing people to move the core above the web root?

1 Like

MODX3 Core Folder Name cannot be renamed · Issue #15476 · modxcms/revolution (

There is a document at that points out that the core cannot be moved in 3.x.

It took me a while to find it by searching through markh’s commits. It would be nice if a link to that document were put on the beta release page at and subsequent release pages.

1 Like

Can anyone confirm that with 3.x it will still be possible to store static resources (for snippets) and load classes that are outside of the web root (public_html)?

A snippet’s ‘Static File’ field can contain an absolute path. I have always previously moved core and stored the snippet PHP code in core/components/{module} but I could move them to somewhere else above the web root if core is not there.

I also keep PHP classes in core/components/{module} and load them with modx->loadClass() for each page request, I’m hoping that will still work if I move them to another location above the web root.

You cannot currently move the core in 3.x due to limitations in the way Composer works, but that doesn’t prevent you from putting paths not related to core wherever you want. That said, putting stuff inside of core/components/ is a pretty standard approach, and if you protect the core properly (with appropriate .htaccess or nginx web rules), you shouldn’t need to move them outside of the web root.


Thanks opengeek. If, as you say, .htaccess can protect things then I have no objection to moving the core and my PHP code back under the web root, in fact it will make life easier in some ways.

If I can help with any of the documentation in order to help other adopters of 3.x then please let me know how.

I actually meant this line, but that appears to be incomplete.

There is however a fuller example to lock down the core folder in the updated hardening modx documentation.

The core/.htaccess option is also valid.

1 Like

You can protect the core directory from people being able to execute files in there, but that doesn’t protect it from hackers installing or altering all sorts of files in that directory if they get access to your site root. That’s why I’m hoping at some point 3.0 will enable putting the core outside the root.

1 Like

If a hacker gains the type of access needed to pull off such an attack, they’re unlikely to just limit themselves to the site root. But you can still lock down the file permissions even if they’re in the webroot.

Maybe you’ve encountered a different set of hackers :grinning:. Looking back at all the instances I’ve encountered on my sites, only a couple of times have the hackers installed files outside the root. I think hackers are looking to install files that can be accessed on the Internet (for phishing or whatever), so I would think there’s less incentive to put files where no one can possibly execute them, regardless of htaccess settings. Moving the core just makes it less likely it will be corrupted by a hack, so potentially less work to restore a site. Plus I like keep the root directory nice and clean, with as little stuff in there as possible!

Fair point.

Post must be at least 20 characters.