Why We Don't Do “Powered By…” by Default

While it drives VCs, marketing mavens, SEO pundits and advisors crazy, long ago we made the decision to do what's right by site owners. We don't put anything in our software that makes a site easily identifiable as a MODX-powered website. It may have slowed our adoption, but we stand by it as the right thing for end users.

By Ryan Thrash  |  May 29, 2012  |  4 min read

Allow me to paint an unfortunate picture of what happens too often to websites. For those who don't know, a "script kiddie" is someone who uses tools available in the nether regions of the Internet to hack your website for fun, ego trips and profit, also known as "p0wning" your site. This is not FUD (Fear, Uncertainty and Doubt), but a somber reality of the Internet today.

[Photo caption] Beware the neckbeard, for they come with strong mojo! This man is not an evile hacker; any resemblance to someone you may know who is in fact an evile hacker is purely coincidental. Most likely. Photo courtesy XRWN. (Actually, he just might be one after all. Now I fear him and my use of the Flickr Creative Commons image search.)
  • Step 1: some nefarious evil computer genius with ample neck beardage figures out a security compromise for a version of the software that runs your website, or for some of the software bundled with it. They then distribute what's known, to those skilled in the art, as a "script" to their minions: the script kiddies. (Their computer may be set up in their mom's basement, mind you, but they're still wickedly crafty bastards!)
  • Step 2: script kiddies worldwide download said "warez" and "pr0n" distribution scripts to load into their Hack-o-Mattic 3000 software, or whatever it's called.
  • Step 3: while bouncing off the walls with evil anticipation, pinkies ready for mouth-corner application, they Google "powered by …" (or some variation thereof; this part is automated, too) to find unwitting targets. Robert's your mother's brother, and your site gets p0wned. Script kiddies who compromise the most sites, some of whom even band into gangs, gain clout amongst peers, or even earn cash for their hijinks.

Thousands of sites now distribute the latest screener videos, XXX "art", or infect web surfers' computers with the latest zombie botnet software. (And subsequently, many are banished from Google search indexes.) This is all possible in part thanks to software that makes it far too easy to ID what powers websites.

Which is precisely why we don't at MODX.

In fact, you can make a MODX site look and work like any of the software listed in the chart below, or like Java apps, .Net sites or even commercial software.

The Right Choice? Your call…

There are lies, damned lies, and statistics. Raw advisory counts are not normalized for install base, release cadence, or how much of each count comes from third-party add-ons rather than the core product, so draw your own conclusions.

Security advisories at Secunia.com for the most widely deployed open source Content Management Systems (counts as of this post, May 2012):

Software     Extremely, Highly or Moderately Critical     Total Results
Joomla       417                                          518
WordPress    273                                          495
Drupal       132                                          552
Typo3         74                                          137
MODX           7                                           13

Security by Obscurity is Not the Answer

By no means do we advocate security through obscurity as the right strategy to keep your site safe. You should have a great host that cares about security and is financially stable. Developers helping build your site should know what they're doing, have a track record of success, and recommend well-architected software. Your software vendor should have a phone number you can call and should offer commercial support in the event you really need help. And you should keep the other software on your server and the rest of your infrastructure up to date.

Definitely make sure you don't wantonly upload some "cool" plugin or module that hasn't been thoroughly vetted as safe.

But we also think that keeping a low profile and not shouting to the world what powers your website, whether you realize you're doing it or not, is a smart part of keeping your site 100% under your control.
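The "whether you realize it or not" part is the practical problem: the giveaways are rarely a literal "Powered by" footer alone. They hide in response headers, a generator meta tag, default session cookie names and version strings tacked onto asset URLs. As an added example (not code from this post or from MODX), here is a small Python checker that scans a raw HTTP response for exactly those fingerprints, the same things an automated "powered by" sweep keys on. The two sample responses are constructed for the example; the header names, cookie names and tag patterns it looks for are the standard ones.

```python
"""Scan a raw HTTP response for platform and version fingerprints.

Added example, not MODX code. Pipe in `curl -is https://your.site/` and it
reports the banners an automated "powered by" search would key on.
"""
import re
import sys

# Response headers that commonly carry a product name or version string.
LEAKY_HEADERS = {"server", "x-powered-by", "x-generator", "x-aspnet-version"}
# Default session cookie names that identify the runtime behind a site
# (PHP, ASP.NET and Java servlet containers respectively).
PLATFORM_COOKIES = {"phpsessid", "asp.net_sessionid", "jsessionid"}

META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
POWERED_BY = re.compile(
    r"powered\s+by\s+[A-Za-z0-9._-]+(?:\s+[A-Za-z0-9._-]+)?", re.IGNORECASE
)
# src/href values with a ?ver=1.2.3 style query string (theme/plugin versions).
VERSIONED_ASSET = re.compile(
    r"""(?:src|href)\s*=\s*["']([^"']*[?&]ver(?:sion)?=\d[^"']*)["']""", re.IGNORECASE
)


def parse_response(raw: str):
    """Split a raw response into [(header_name, value), ...] and the body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate responses re-saved with bare LF line endings
        head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, colon, value = line.partition(":")
        if colon:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body


def _attrs(tag: str) -> dict:
    """Attribute name -> value for one HTML tag, regardless of attribute order."""
    out = {}
    for m in ATTR.finditer(tag):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def find_fingerprints(raw: str):
    """Return [(where, evidence), ...] for every platform giveaway found."""
    findings = []
    headers, body = parse_response(raw)
    for name, value in headers:
        if name in LEAKY_HEADERS:
            findings.append((f"header {name}", value))
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie.lower() in PLATFORM_COOKIES:
                findings.append(("cookie name", cookie))
    for tag in META_TAG.findall(body):
        attrs = _attrs(tag)
        if attrs.get("name", "").lower() == "generator" and attrs.get("content"):
            findings.append(("meta generator", attrs["content"]))
    for m in POWERED_BY.finditer(body):
        findings.append(("body text", m.group(0)))
    for m in VERSIONED_ASSET.finditer(body):
        findings.append(("versioned asset", m.group(1)))
    return findings


# Constructed sample: a site that leaks its stack six different ways.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 3.3.1" />\n'
    '<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=3.3.1">\n'
    "</head><body>\n"
    "<footer>Powered by WordPress</footer>\n"
    "</body></html>\n"
)

# Constructed sample: the same page served with the banners stripped.
QUIET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; path=/; HttpOnly\r\n"
    "\r\n"
    '<html><head><link rel="stylesheet" href="/assets/site.css"></head>\n'
    "<body><footer>&copy; Example Co.</footer></body></html>\n"
)

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else LEAKY_RESPONSE
    hits = find_fingerprints(raw)
    for where, evidence in hits:
        print(f"{where}: {evidence}")
    print(f"{len(hits)} fingerprint(s) found" if hits else "no fingerprints found")
```

Run it against your own site with `curl -is https://your.site/ | python3 fingerprint_check.py` and work the list down to zero. A bare `Server: nginx` is a smaller hint than `Server: Apache/2.2.22 (Ubuntu)`, but the script flags both on purpose: the point of the post is that the site should output only what you tell it to.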

On the Internet, it's a lot easier to poke the shark than you could ever imagine, even if you don't mean to do so. Don't make it easy for them to figure out who to bite.

TL;DR (More Internet lingo: Too Long; Didn't Read)

Nefarious netizens use tools to identify sites with easily exploitable vulnerabilities. Checking versions and identifying what powers websites is one easy way for them to pick targets for evil purposes.

MODX makes it harder (virtually impossible, if a server admin spends a few extra minutes configuring MODX) to target your site using these techniques. With MODX you're 100% in control, and it only outputs exactly what you tell it to output.