Why We Don't Do “Powered By…” by Default

Allow me to paint an unfortunate picture of what happens too often to websites. For those that don't know, a “script kiddie” is someone who uses tools available in the nether regions of the Internet to hack your website for fun, ego trips and profit—also known as "p0wning" your site. This is not FUD (Fear, Uncertainty and Doubt), but a somber reality of the Internet today.

Beware the neckbeard, for they come with strong mojo! This man is not an evile hacker; any resemblance to someone you may know who is in fact an evile hacker is purely coincidental. Most likely. Photo courtesy XRWN. (Actually, he just might be one after all. Now I fear him and my use of the Flickr Creative Commons image search.)
  • Step 1—some nefarious evil computer genius with ample neck beardage figures out a security compromise for a version of the software that runs your website, or some of the software bundled with it. They then distribute what's known, to those skilled in the art, as a "script" to their minions: the script kiddies. (Their computer may be set up in their mom's basement, mind you, but they're still wickedly crafty bastards!)
  • Step 2—script kiddies worldwide download said "warez" and "pr0n" distribution scripts to load into their Hack-o-Mattic 3000 software, or whatever it's called.
  • Step 3—While bouncing off the walls with evil anticipation, pinkies ready for mouth-corner application, they Google “powered by …” to find unwitting targets (or some variation thereof … this is automated, too). Robert's your Mother's brother, and your site gets p0wned. Script kiddies who compromise the most sites—some even band into gangs—gain clout amongst peers, or even earn cash for their hijinks.

Thousands of sites now distribute the latest screener videos, XXX "art", or infect web surfers’ computers with the latest zombie botnet software. (And subsequently, many are banished from Google search indexes.) This is all possible in part thanks to software that makes it far too easy to ID what powers websites.

Which is precisely why we don’t output a “Powered by…” line by default at MODX.

In fact, you can make a MODX site look and work like any of the software listed in the chart below, or Java apps, or .Net sites or even commercial software.

The Right Choice? Your call…

There are lies, damn lies, and statistics. Draw your own conclusions.

Security advisories at Secunia.com for most deployed open source Content Management Systems

Software     Extremely, Highly or Moderately Critical     Total Results
Joomla       417                                          518
WordPress    273                                          495
Drupal       132                                          552
Typo3         74                                          137
MODX           7                                           13

Security by Obscurity is Not the Answer

By no means do we advocate security through obscurity as the right strategy to keep your site safe. You should have a great host that cares about security and is financially stable. Developers helping build your site should know what they're doing, have a track record of success, and recommend well-architected software. Your software vendor should have a phone number you can call and offer commercial support in the event you really need help. And you should keep other software on your server and the rest of your infrastructure up to date.

Definitely make sure you don't wantonly upload some “cool” plugin or module that's not been thoroughly vetted as safe.

But we also think that keeping a low profile and not shouting to the world what powers your website, whether you realize you're doing it or not, is a smart part of keeping your site 100% under your control.

On the Internet, it's a lot easier to poke the shark than you could ever imagine, even if you don't mean to do so. Don't make it easy for them to figure out who to bite.
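A practical way to act on this advice is to audit your own site's output for the banners the post describes: a visible “Powered by …” line, a <meta name="generator"> tag, and version-bearing response headers. The following Python is an added example, not MODX code; the function name audit_fingerprint_leaks, the leak labels, and the sample headers and HTML are all constructed here so the check runs offline against a leaky response and a cleaned-up one.

```python
"""
Audit an HTTP response for the CMS fingerprint leaks this post warns about.

Added example, not part of MODX. The sample responses below are constructed;
the function name and leak labels are assumptions of this example.
"""
import re

# <meta name="generator" ...> is the classic CMS banner.
META_GENERATOR_RE = re.compile(
    r'<meta\s+[^>]*name\s*=\s*["\']generator["\'][^>]*>', re.IGNORECASE)
# Visible "Powered by ..." text, the string the post says gets Googled.
POWERED_BY_RE = re.compile(r'powered\s+by\s+[^<\n]{1,60}', re.IGNORECASE)
# A bare product name in Server is normal; a version number is the leak.
VERSION_RE = re.compile(r'\d+\.\d+(\.\d+)?')


def audit_fingerprint_leaks(headers, html):
    """Return a list of (label, evidence) tuples, one per leak found.

    headers: dict of response header name -> value (names are case-insensitive).
    html:    the response body as a string.
    An empty list means none of the checked banners are present.
    """
    leaks = []
    lower = {name.lower(): value for name, value in headers.items()}

    # 1. X-Powered-By discloses the language/framework, often with a version.
    if "x-powered-by" in lower:
        leaks.append(("X-Powered-By header", lower["x-powered-by"]))

    # 2. Server header carrying a version string.
    server = lower.get("server", "")
    if VERSION_RE.search(server):
        leaks.append(("Server header with version", server))

    # 3. Generator meta tag in the HTML head.
    for match in META_GENERATOR_RE.finditer(html):
        leaks.append(("meta generator tag", match.group(0)))

    # 4. "Powered by ..." text anywhere in the body.
    for match in POWERED_BY_RE.finditer(html):
        leaks.append(("Powered by text", match.group(0).strip()))

    return leaks


# Constructed sample: a response that advertises everything.
LEAKY_HEADERS = {
    "Server": "Apache/2.4.99",          # constructed version number
    "X-Powered-By": "PHP/9.9.9",        # constructed version number
    "Content-Type": "text/html",
}
LEAKY_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 3.1.4">
<title>Home</title></head>
<body><p>Welcome</p>
<footer>Powered by ExampleCMS 3.1.4</footer>
</body></html>"""

# Constructed sample: the same page with the banners removed and the
# Server header reduced to a product name without a version.
CLEAN_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}
CLEAN_HTML = """<html><head>
<title>Home</title></head>
<body><p>Welcome</p>
<footer>Copyright the site owner</footer>
</body></html>"""


if __name__ == "__main__":
    for name, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_HTML),
                             ("clean", CLEAN_HEADERS, CLEAN_HTML)):
        found = audit_fingerprint_leaks(hdrs, body)
        print(f"{name}: {len(found)} leak(s)")
        for label, evidence in found:
            print(f"  - {label}: {evidence}")
```

To run it against a live site you control, fetch the front page with any HTTP client and pass the response headers and body to audit_fingerprint_leaks; a non-empty result lists exactly which banner to remove from the template or the server configuration.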

TL;DR (More Internet lingo: Too Long; Didn't Read)

Nefarious netizens use tools to identify sites with easily exploitable vulnerabilities. Version checking and identifying what powers websites is one easy way for them to target sites for evil purposes.

MODX makes it harder—virtually impossible if a server admin spends a few extra minutes configuring MODX—to target your site using these techniques. With MODX you're 100% in control, and it only outputs exactly what you tell it to output.

About
Ryan is a Christian, the lucky husband of an amazing wife, and father of two usually great kids. A native redneck from East Texas living in Dallas for over 20 years, he's lost a bit of the verbal twang over the years, but still loves to get back to his roots over charcoal with a chunk of meat and a few frosty bevs. Ryan co-founded MODX in 2004, where he works every day helping build the company and its products. 

http://thrash.me


6 Comments


  1. Gauke Pieter
    May 29, 2012 at 02:13 PM
    I like your view on this Ryan and I have to admit that I never tried the advanced install. After reading YJ's post however, I tried it immediately and it's sooooo easy :) Thanks!

    1. Matt Gillies
      May 29, 2012 at 02:52 PM
      "...lies, damn lies, and statics." Wait, statistics?

      1. Ryan Thrash
        May 29, 2012 at 02:56 PM
        LOL! "And typos".

        Thanks for the catch. Fixed. :)

      2. Justin Meighan
        Jun 06, 2012 at 10:29 AM
        Do you guys have any metrics around the most popular open source PHP CMSs?
        Would be nice to see where MODx ranks...

        1. Ryan Thrash
          Jun 06, 2012 at 10:35 AM
          The last time we saw the stats was a couple of years ago, before we started really picking up traction. At that time we were in the Top 10 for deployed PHP applications (both open source and commercial), even despite the fact that MODX is hard to track! Unfortunately, paying $16K/year isn't in our budget right now for access to fresh data.

          1. Ryan Thrash
            Jun 06, 2012 at 10:38 AM
            For further clarification, in the pure CMS category, we were #4 behind WordPress, Joomla and Drupal. Other types of apps (forums, commerce) were ahead of us.
