Your core folder is (partially) accessible to the public

Good day,

Is there an easy way to remove that message?
I read that something can be done in the htaccess file, or by changing the permissions on the core folder.
I believe it’s a folder permission, isn’t it?


My preferred way is to add a rewrite in the root of the site (in the htaccess) that sends such requests to MODX with a non-existent alias.

# Block access to folders/files people have no need to touch
RewriteRule ^(\.|core|foo|bar|config\.core\.php) /index.php?q=doesnotexist [L]

With this approach, MODX will serve up a 404 as if it doesn’t exist. Other solutions for denying direct access may cause the core folder to return a 403 permission denied instead, or a generic server-generated 404 error that’s distinctly different from MODX and still confirms the directory/file exists.


Dear Markh,
Thanks for replying.
I do not understand exactly what this rewrite rule does.

Does it mean that if a file ending with config.core.php, which is in either the core, foo or bar folder, is requested, the people who are trying to access it will be redirected to a 404 page?

So in my case, I should add

RewriteRule ^(\.|core|config\.core\.php) /index.php?q=doesnotexist [L]

Will it remove the message?


It would be great to have your example in the core .htaccess!


It will match anything in the root, anything named foo, bar, or config.core.php, as well as anything starting with a dot. Yes, that will protect your core folder and hide the warning. 🙂
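To see which request paths the two patterns in this thread actually catch, the following added example (not code from any poster or from MODX) runs them against constructed sample paths. It models only the pattern match, assuming the rule sits in the site root's .htaccess, where Apache strips the leading slash before matching; the function names and sample paths are hypothetical.

```python
import re

# Patterns copied from the thread. In .htaccess (per-directory) context Apache
# strips the leading "/" before matching, so the pattern sees "core/x", not "/core/x".
ANSWER_RULE = r"^(\.|core|foo|bar|config\.core\.php)"
ASKER_RULE = r"^(\.|core|config\.core\.php)"


def rewritten(pattern, request_path):
    """Return True if a root .htaccess RewriteRule with this pattern would
    match request_path (pattern match only; other server config is not modelled)."""
    relative = request_path.lstrip("/")      # per-directory prefix stripped
    relative = relative.split("?", 1)[0]     # query string is not part of the match
    return re.search(pattern, relative) is not None


def classify(pattern, paths):
    """Map each path to 'modx-404' (rule fires) or 'served-normally'."""
    return {p: "modx-404" if rewritten(pattern, p) else "served-normally" for p in paths}


# Constructed sample request paths (not taken from the thread).
SAMPLE_PATHS = [
    "/core/config/config.inc.php",  # inside core: matched
    "/config.core.php",             # config file in the root: matched
    "/.env",                        # dotfile in the root: matched
    "/.git/HEAD",                   # dot-directory in the root: matched
    "/core-values.html",            # prefix match: any URL starting with "core" is matched too
    "/assets/core/readme.txt",      # "core" not at the start: not matched
    "/manager/config.core.php",     # nested config.core.php: not matched
    "/foo/file.txt",                # matched by the answer's rule only
    "/index.php",                   # ordinary request: not matched
]

if __name__ == "__main__":
    answer = classify(ANSWER_RULE, SAMPLE_PATHS)
    asker = classify(ASKER_RULE, SAMPLE_PATHS)
    for path in SAMPLE_PATHS:
        print(f"{path:32} answer={answer[path]:16} asker={asker[path]}")
```

Because the pattern is anchored only at the start, it is a prefix match: a friendly URL beginning with "core" is also sent to the 404, and a config.core.php in a subdirectory is not covered by this rule.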