MODX Website Security Audit

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

MODX Website Security Audit

Medium

~2-3 business days

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

MODX Site Security Audit

MODX Revolution has good basic security — connectors are protected by tokens, control panel (/manager/) is closed to bots. Nevertheless, outdated Extra, incorrect file permissions, and custom code create vulnerabilities.

Scanning

# CMS-specific scanner
python3 -m drupwn --mode detect https://yourdomain.com  # no MODX-specific, use general

# Nikto
nikto -h https://yourdomain.com

# Dirbusting (search for hidden files)
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://yourdomain.com/FUZZ

Checklist

File Structure:

# Is core above web-root?
ls /var/www/yourdomain.com/core/  # Should NOT exist (if moved)

# Permissions on config.core.php
stat /var/www/yourdomain.com/config.core.php
# 644 or less

# Permissions on assets folder
find /var/www/yourdomain.com/assets/ -name "*.php" -type f
# PHP files in assets — sign of compromise

# Installer temporary files
ls /var/www/yourdomain.com/setup/  # should not exist after installation

Nginx protection for MODX:

# Close system directories
location ~ /(core|manager/includes)/ { deny all; }
location ~ /config\.core\.php$ { deny all; }

# Forbid PHP in assets (uploaded files)
location ~* /assets/.*\.(php|phtml|php3)$ { deny all; }

# Restrict access to manager
location /manager/ {
    allow 1.2.3.4;  # your IP
    deny all;
}

MODX Version:

# Hide MODX version from HTML
# System → Settings → manager_login_startup_update = 0
# Check meta generator in HTML:
curl -s https://yourdomain.com/ | grep -i "modx\|meta.*generator"

System Security Settings:

session_cookie_secure: Yes   (HTTPS only)
session_cookie_httponly: Yes
session_cookie_samesite: Strict
failed_login_attempts: 5    (login attempt limit)
blocked_minutes: 60         (block after limit exceeded)

Check Extra for Vulnerabilities: MODX vulnerability registry: no centralized, but check versions in Package Manager. Outdated Extra with known vulnerabilities: FormLister (outdated, use FormIt instead), some Ajaxform versions.

Custom Code — SQL Injection:

grep -r "\\\$_GET\|\\\$_POST" core/components/myextra/
grep -r "->query\|->exec" core/components/myextra/ | grep -v "prepare\|quote"

// Unsafe:
$db->query("SELECT * FROM table WHERE id = " . $_GET['id']);

// Correct:
$c = $modx->newQuery('MyObject');
$c->where(['id' => (int)$_GET['id']]);

CSRF Protection: MODX uses connector tokens to protect against CSRF in Connector requests. Ensure custom connectors don't bypass this check.

Security Headers

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000" always;

Timeline

MODX site security audit with report — 1 day. Remediation of found issues — 4–8 hours.