Security and Your MODX Articles Blog

Make sure your MODX Articles Blog doesn't create a security risk for your site.

There's a serious security problem with the default installation of the MODX Articles blog extra: it exposes your MODX username — the one you use to log in to the Manager — on every page. This opens you up to a brute-force attack that could allow miscreants to gain complete control of your site. This vulnerability may be fixed in future versions of Articles, but for now, it's a good idea to make some changes to your Articles Templates and Chunks.

Site hackers have bots that visit hundreds of thousands of web sites. They try common administrator usernames like "admin," "root," and "webmaster" and attempt to log in with both chosen passwords (e.g., dates between 1900 and the current year, common names for humans and pets, dictionary words, etc.) and random passwords generated in code. For a fairly reasonable price, you can now buy a computer designed just for this task and capable of trying millions of passwords per second.

Knowing the username of the main administrator for a site is a tremendous advantage in this process, so having your Login username show up all over your blog is asking for trouble. Fortunately, the fix is relatively easy.

The name that gets displayed on your blog pages is set in several Articles Templates and Chunks. Hopefully, you've duplicated these so that your changes won't get overwritten when you upgrade Articles. This is even more important for the ones that display user names. The main ones to change are the ArticleTemplate Template and the ArticleRow Tpl Chunk, but you should also check any other templates and Tpl chunks that you might have added a username to.

To protect your site, just change every "username" placeholder in those Templates and Chunks to "fullname." At present, there is one instance of "username" in the ArticleRow Tpl chunk and two in the ArticlesTemplate Template. You should also go to Security | Manage Users and check the Full Name field in your User Profile to make sure that it's filled in and is what you want to show as the author of your blog posts. Once you've made the changes, clear the site cache. There's no need to mess with any individual Articles unless you have typed your username into the text of one. Once you edit the Template and chunks, the full name will show up for all existing and future articles.

Note that the username will still show up when you select Manage Articles in the MODX Manager, but it will not be displayed in the front end and will not be part of any front-end HTML.
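As an added example (not part of the original post or of the Articles extra), here is a small Python audit that finds MODX output tags of the form `[[+username]]` in exported Template and Chunk text, rewrites them to `[[+fullname]]` while leaving other uses of the word alone (such as a login form's `name="username"` attribute, which a blanket find-and-replace would break), and checks rendered front-end HTML for the login name afterward. The `[[+username]]`/`[[*username]]` tag forms and the sample chunk are assumptions, not copied from Articles.

```python
import re

# Matches MODX output tags whose placeholder name is exactly "username":
# prefix "+" or "*", optional output modifiers such as :default=`...`.
# Assumed tag form; nested tags inside a modifier are not handled.
USERNAME_TAG = re.compile(r"\[\[([+*])username((?::[^\]\[]*)?)\]\]")


def find_username_tags(text):
    """Return (line_number, tag) for each username placeholder in a Template or Chunk."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in USERNAME_TAG.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def rewrite_username_tags(text):
    """Swap the placeholder name for 'fullname', keeping prefix and modifiers intact."""
    return USERNAME_TAG.sub(lambda m: f"[[{m.group(1)}fullname{m.group(2)}]]", text)


def leaks_username(html, username):
    """True if the Manager login name still appears as a word in rendered front-end HTML."""
    return re.search(r"\b" + re.escape(username) + r"\b", html, re.IGNORECASE) is not None


# Constructed sample chunk: the first two lines resemble an ArticleRow Tpl,
# the last line is a login form whose input name must NOT be rewritten.
SAMPLE_CHUNK = """<p class="byline">Posted by [[+username]] on [[+publishedon:date=`%b %d, %Y`]]</p>
<p>[[+username:default=`anonymous`]] wrote: [[+introtext]]</p>
<input type="text" name="username" placeholder="Username">"""

if __name__ == "__main__":
    for lineno, tag in find_username_tags(SAMPLE_CHUNK):
        print(f"line {lineno}: {tag}")
    print(rewrite_username_tags(SAMPLE_CHUNK))
```

After clearing the site cache, run `leaks_username` over the HTML of a few blog pages fetched from the front end to confirm the login name is gone.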

Once you've changed the placeholders, your site should be much safer (unless your full name is "admin" ;) ).

One last time: If your Manager Login username is "admin" and you value your site's security at all, change it right now!

Comments (3)

  1. Buddhi Magar, May 23, 2013 at 04:06 PM

    Great articles. Thank you so much.

  2. Susan Ottwell, Jun 19, 2013 at 04:30 AM

    Seems to me that this might also apply to any getResources tpls that use the "username" to indicate the author of the post, whether using Articles or not. The example for getResources in the rtfm uses it.

  3. Bob Ray, Aug 01, 2013 at 12:35 AM

    Yes, indeed.
