Why We Don’t Do “Powered By…” by Default

Allow me to paint an unfortunate picture of what happens too often to websites. For those who don't know, a “script kiddie” is someone who uses tools available in the nether regions of the Internet to hack your website for fun, ego trips and profit—also known as "p0wning" your site. This is not FUD (Fear, Uncertainty and Doubt), but a somber reality of the Internet today.

Beware the neckbeard, for they come with strong mojo! This man is not an evile hacker; any resemblance to someone you may know who is in fact an evile hacker is purely coincidental. Most likely. Photo courtesy XRWN. (Actually, he just might be one after all. Now I fear him and my use of the Flickr Creative Commons image search.)
  • Step 1—some nefarious evil computer genius with ample neck beardage figures out a security compromise for a version of the software that runs your website, or some of the software bundled with it. They then distribute what's known, to those skilled in the art, as a "script" to their minions: the script kiddies. (Their computer may be set up in their mom's basement, mind you, but they're still wickedly-crafty bastards!)
  • Step 2—script kiddies worldwide download said "warez" and "pr0n" distribution scripts to load into their Hack-o-Mattic 3000 software, or whatever it's called.
  • Step 3—While bouncing off the walls with evil anticipation, pinkies ready for mouth-corner application, they Google “powered by …” to find unwitting targets (or some variation thereof … this is automated, too). Robert's your Mother's brother, and your site gets p0wned. Script kiddies who compromise the most sites—some even band into gangs—gain clout amongst peers, or even earn cash for their highjinx.

Thousands of sites now distribute the latest screener videos, XXX "art", or infect web surfers’ computers with the latest zombie botnet software. (And subsequently, many are banished from Google search indexes.) This is all possible in part thanks to software that makes it far too easy to ID what powers websites.

Which is precisely why we don’t at MODX.

In fact, you can make a MODX site look and work like any of the software listed in the chart below, or Java apps, or .Net sites or even commercial software.

The Right Choice? Your call…

There's lies, damn lies, and statistics. Draw your own conclusions.

Security advisories at Secunia.com for most deployed open source Content Management Systems
Software | Extremely, Highly or Moderately Critical | Total Results
Joomla | 417 | 518
WordPress | 273 | 495
Drupal | 132 | 552
Typo3 | 74 | 137
MODX | 7 | 13

Security by Obscurity is Not the Answer

By no means do we advocate security through obscurity as the right strategy to keep your site safe. You should have a great host that cares about security and is financially stable. Developers helping build your site should know what they're doing, have a track record of success, and recommend well-architected software. Your software vendor should have a phone number you can call and offer commercial support in the event you really need help. And you should keep other software on your server and the rest of your infrastructure up to date.

Definitely make sure you don't wantonly upload some “cool” plugin or module that's not been thoroughly vetted as safe.

But we also think that keeping a low profile and not shouting to the world what powers your website, whether you realize you're doing it or not, is a smart part of keeping your site 100% under your control.

On the Internet, it's a lot easier to poke the shark than you could ever imagine, even if you don't mean to do so. Don't make it easy for them to figure out who to bite.

TL;DR (More Internet lingo: Too Long; Didn't Read)

Nefarious netizens use tools to identify sites with easily exploitable vulnerabilities. Version checking and identifying what powers websites is one easy way for them to target sites for evil purposes.

MODX makes it harder—virtually impossible if a server admin spends a few extra minutes configuring MODX—to target your site using these techniques. With MODX you're 100% in control, and it only outputs exactly what you tell it to output.
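
A defender-side check for the disclosure described above, as an added example that is not part of the original post or MODX's own code: it audits one of your own HTTP responses for the places a platform name or version typically leaks. The header list, the regular expression and the sample response naming "ExampleCMS" are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Response headers that commonly name the platform or its version (assumed list).
DISCLOSING_HEADERS = ("x-powered-by", "x-generator", "server")
POWERED_BY = re.compile(r"powered\s+by\s+([\w.\- ]{2,40})", re.IGNORECASE)

class _PageScan(HTMLParser):
    """Collects generator meta tags, visible text and HTML comments."""
    def __init__(self):
        super().__init__()
        self.generators, self.text, self.comments = [], [], []
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
    def handle_data(self, data):
        self.text.append(data)
    def handle_comment(self, data):
        self.comments.append(data)

def audit_response(headers, body):
    """Return (location, value) pairs where the response names its platform."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        # A bare "Server: nginx" is low signal; flag it only with a version.
        if lname in DISCLOSING_HEADERS and (lname != "server" or re.search(r"\d", value)):
            findings.append(("header:" + lname, value))
    scan = _PageScan()
    scan.feed(body)
    scan.close()
    findings += [("meta:generator", g) for g in scan.generators]
    for where, chunks in (("text", scan.text), ("comment", scan.comments)):
        for chunk in chunks:
            m = POWERED_BY.search(chunk)
            if m:
                findings.append((where + ":powered-by", m.group(1).strip()))
    return findings

# Constructed sample response; "ExampleCMS" is a made-up product name.
SAMPLE_HEADERS = {"Server": "nginx", "X-Powered-By": "ExampleCMS 2.1.4"}
SAMPLE_BODY = """<html><head><meta name="generator" content="ExampleCMS 2.1.4">
</head><body><p>Welcome</p><!-- Powered by ExampleCMS -->
<footer>Proudly powered by ExampleCMS</footer></body></html>"""

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

An empty result means none of these checks found a platform name; it does not rule out other tells such as distinctive file paths or cookie names.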
