Security and Your MODX Articles Blog

There’s a serious security problem with the default installation of the Articles blog extra: it exposes your MODX username (the one you use to log in to the Manager) on every page. That hands a brute-force attacker half of the credential for free, and a successful Manager login means complete control of your site. This vulnerability may be fixed in future versions of Articles, but for now it’s a good idea to make some changes to your Articles Templates and Chunks.

Site hackers run bots that visit hundreds of thousands of web sites. They try common administrator usernames like “admin,” “root,” and “webmaster” and attempt to log in both with lists of likely passwords (dates between 1900 and the current year, common names for people and pets, dictionary words, and so on) and with passwords generated at random in code. For a fairly reasonable price you can now buy a computer built just for this task, capable of trying millions of passwords per second. That rate applies to cracking a stolen password hash offline; against a live login form the attacker is limited by how fast your server answers, which is all the more reason not to hand over the username and leave only the password to guess.

Knowing the username of a site’s main administrator is a tremendous advantage in this process, so having your login username show up all over your blog is asking for trouble. Fortunately, the fix is relatively easy.

The name that gets displayed on your blog pages is set in several Articles Templates and Chunks. Hopefully, you’ve duplicated these so that your changes won’t get overwritten when you upgrade Articles; that matters even more for the ones that display user names. The main ones to change are the ArticleTemplate Template and the ArticleRow Tpl Chunk, but you should also check any other Templates and Tpl chunks to which you might have added a username placeholder.

To protect your site, change every occurrence of the username placeholder to the full-name one: [[+username]] becomes [[+fullname]] (keep any output modifier that follows the placeholder name). At present there is one instance of “username” in the ArticleRow Tpl chunk and two in the ArticlesTemplate Template. Then go to Security | Manage Users and check the Full Name field in your User Profile to make sure it’s filled in and is what you want shown as the author of your blog posts. Once you’ve made the changes, clear the site cache. There’s no need to touch individual Articles unless you have typed your username into the text of one; once the Template and chunks are edited, the full name will show up for all existing and future articles.

Note that the username will still show up when you select Manage Articles in the MODX Manager, but it will no longer appear anywhere in the front-end HTML, so a visitor (or a bot) viewing the page source won’t find it. It’s worth confirming that by viewing the source of a post and a listing page after you clear the cache, since the name can hide in places the rendered page doesn’t show, such as an author link or an HTML comment.
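To make the two steps above concrete (rewrite the placeholders, then confirm nothing leaked), here is an added Python example. It is not code from this post or from the Articles package: the chunk source and the rendered HTML in it are constructed samples, and the function names fix_placeholders, find_username_placeholders and username_leaks are my own.

```python
"""
Added example, not part of the original post or of the Articles extra.

fix_placeholders()            rewrites [[+username]] to [[+fullname]] in the
                              source of a Template or Tpl chunk, keeping any
                              output modifier such as [[+username:htmlent]].
find_username_placeholders()  reports which of several elements still need it.
username_leaks()              scans rendered front-end HTML for a Manager
                              username, including attributes, links and
                              comments that a visual check would miss.
"""
import re

# Matches the opening of a "username" placeholder tag whether or not an output
# modifier follows it: both [[+username]] and [[+username:htmlent]] match.
_USERNAME_PLACEHOLDER = re.compile(r"\[\[\+username(?=[\]:])")


def fix_placeholders(source: str) -> tuple[str, int]:
    """Return (rewritten element source, number of placeholders replaced)."""
    return _USERNAME_PLACEHOLDER.subn("[[+fullname", source)


def find_username_placeholders(elements: dict[str, str]) -> dict[str, int]:
    """Map element name -> count of [[+username...]] tags, for elements that have any."""
    counts = {name: len(_USERNAME_PLACEHOLDER.findall(src)) for name, src in elements.items()}
    return {name: n for name, n in counts.items() if n}


def username_leaks(html: str, username: str) -> list[str]:
    """Return each line of html that contains the username as a whole word.

    Case-insensitive, and bounded by non-identifier characters so that
    "superadmin" does not count as a leak of "admin" but "/author/admin" does.
    """
    pattern = re.compile(
        r"(?<![A-Za-z0-9_])" + re.escape(username) + r"(?![A-Za-z0-9_])",
        re.IGNORECASE,
    )
    return [line.strip() for line in html.splitlines() if pattern.search(line)]


# Constructed sample of a row chunk in the style of an Articles Tpl chunk
# (not the real ArticleRow chunk).
SAMPLE_ROW_TPL = """<li>
  <h3><a href="[[+uri]]">[[+pagetitle]]</a></h3>
  <p class="meta">Posted by [[+username:htmlent]] on [[+publishedon:strtotime:date=`%b %d, %Y`]]</p>
</li>"""

# Constructed sample of front-end HTML rendered before the fix. The username
# appears in a link target, in link text and in a comment.
SAMPLE_HTML_BEFORE = """<article>
<h1>Hello World</h1>
<p class="meta">Posted by <a href="/author/bobadmin">bobadmin</a></p>
<!-- rendered for user bobadmin -->
</article>"""


if __name__ == "__main__":
    fixed, n = fix_placeholders(SAMPLE_ROW_TPL)
    print(f"replaced {n} placeholder(s):\n{fixed}\n")
    print("elements still using username:",
          find_username_placeholders({"ArticleRow": SAMPLE_ROW_TPL, "fixed": fixed}))
    for hit in username_leaks(SAMPLE_HTML_BEFORE, "bobadmin"):
        print("LEAK:", hit)
```

Run the rewrite over the source of each duplicated Template and chunk, then fetch a post and a listing page from the front end (curl or your browser’s view-source) and feed the HTML to username_leaks with your actual Manager username; an empty list is what you want.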

Once you’ve changed the placeholders, your site should be much safer (unless your full name is “admin” 😉 ). Keep in mind that this hides the username; it doesn’t stop the guessing. A long password that isn’t in any word list, and the Manager’s own lockout after repeated failed logins (the failed_login_attempts and blocked_minutes System Settings in MODX Revolution), are what actually defeat a brute-force attack.

One last time: If your Manager Login username is “admin” and you value your site’s security at all, change it right now!

For more information on how to use MODX to create a web site, see my web site Bob’s Guides, or better yet, buy my book: MODX: The Official Guide.


Posted under MODX

Author Spotlight

Bob Ray

Bob Ray is the author of MODX: The Official Guide and over 30 MODX add-on components. He hosts Bob's Guides, a source of valuable information for MODX users, and has been very active in the MODX Forums with over 19,000 posts.
