Hardening MODX 3


Modx: 3.0.3
Apache: 2.4.54
PHP: 7.4.33
MySQL: 10.3.37-MariaDB-log-cll-lve

English is not my first language; be indulgent, I use Google Translate.

I upgraded a site from version 2.8.5, whose core was outside the root directory and whose manager and connectors folders were renamed, to version 3.0.3.

It is mentioned in the documentation that MODX version 3 no longer allows moving the core outside of the root directory due to how Composer works and autoloads in MODX 3.0.

However, despite the fact that the core of my site in version 3.0.3 is outside the root directory, everything works very well.

I want to bring the kernel back to the root directory in order to protect it and the manager according to the new documentation and to ensure optimal functioning for MODX.

I have a few questions about the “.htaccess” code that is recommended to be used according to the documentation:

  1. Should code for core and manager be in web root’s htaccess file?

  2. My domain name is of type “mysite.ca”, can someone give me an example with “mysite.ca” with the code proposed in the documentation:

—————— Core ——————

RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]
# Block access to dotfiles and folder people have no need to touch
RewriteRule ^(\.(?!well-known)|_build|_gitify|_backup|core|config.core.php) /index.php?q=doesnotexist [L,R=404]

—————— Manager ——————

RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^promos\.example\.com$ [OR]
RewriteCond %{HTTP_HOST} ^blog\.example\.com$ [NC]
RewriteRule ^manager/ /index.php?q=doesnotexist [L,R=404]

Thank you for your help.

I could be wrong, but when you have .htaccess files in the subfolders “core” and “manager” (like there are if you renamed the ht.access files) then these changes to the root .htaccess file won’t have any effect (as the .htaccess files in the subfolders take precedence).

Yes it seems, that this code is supposed to be added to the .htaccess file in the root folder.

In general, replace example\.com in the examples with your domain name mysite\.ca. (The . has a special meaning in a regular expression and therefore has to be escaped with a backslash \.)

This code should only be applied if you have a specific (sub-)domain that’s only used to access the manager. In this case, add a RewriteCond for all the other existing (sub-)domains to deny manager access for them.
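A concrete version of both blocks for mysite.ca, added here as an illustration rather than taken from the MODX documentation or from either poster. It assumes the rules live in the web root's .htaccess, that blog.mysite.ca is the only other public sub-domain, and that the manager is reached through a hypothetical dedicated sub-domain admin.mysite.ca:

```apache
# Added example for mysite.ca (not MODX's own file). Assumes the manager is
# reached only via the hypothetical sub-domain admin.mysite.ca and that
# blog.mysite.ca is the only other public sub-domain.
RewriteEngine On

# ---- Core: on the public site (with or without www) block dotfiles and the
# folders visitors never need. The dot in the domain is escaped (\.) because an
# unescaped . matches any character. Dropping this RewriteCond makes the rule
# apply on every host, including the manager sub-domain.
RewriteCond %{HTTP_HOST} ^(www\.)?mysite\.ca$ [NC]
RewriteRule ^(\.(?!well-known)|_build|_gitify|_backup|core|config\.core\.php) /index.php?q=doesnotexist [L,R=404]

# ---- Manager: deny /manager/ on every public host, leaving only
# admin.mysite.ca able to reach it. Each public (sub-)domain gets its own
# RewriteCond joined with [OR]; the last one carries no [OR], which closes
# the group so the RewriteRule fires when any of them matches.
RewriteCond %{HTTP_HOST} ^(www\.)?mysite\.ca$ [NC,OR]
RewriteCond %{HTTP_HOST} ^blog\.mysite\.ca$ [NC]
RewriteRule ^manager/ /index.php?q=doesnotexist [L,R=404]
```

If a sub-folder .htaccess (for example one created from core/ht.access or manager/ht.access) turns on RewriteEngine itself, its rule set replaces these rules for requests into that folder unless it also sets RewriteOptions Inherit.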

Thanks for your help. I will implement your advice.