Note: we update this article regularly, but please check the latest stats by clicking the software names in the first column of the table below.
Does your CMS let you sleep at night?
The days of security through obscurity, or of thinking your site is “too small” to attract attention, are over. Automated tools let malicious individuals seek out and exploit insecure websites, so every site owner, large or small, is a target. Hacked sites are frequently used to send spam selling “little blue pills”, to insert hidden links to other sites in an effort to boost search results, or even to mine bitcoins. If you’re especially unfortunate, malicious script kiddies and hackers will compromise your site to steal personal data, or much worse.
MODX Revolution was architected from day one with security in mind. All database operations performed through Revolution’s public APIs go through xPDO, an intermediate database layer built on PHP’s PDO project (smartly adopted by Drupal for version 8), which ensures that values are properly sanitized before they are passed to the database. This is designed to prevent the SQL injection attacks that remain common in many web platforms today.
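To make the SQL injection point concrete, here is an added example (not MODX or xPDO code) that contrasts the two ways a query can be built. It uses Python’s standard sqlite3 module with an in-memory database and a constructed `users` table; the table layout, usernames and the lookup function names are assumptions made for this illustration. The parameterized form is the same technique a PDO-based layer relies on: the SQL text and the values travel to the database separately, so a value can never be interpreted as part of the statement.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real site).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable pattern: the caller's string is spliced into the SQL text.

    A quote character inside `username` ends the literal early and whatever
    follows is executed as SQL, so the result no longer matches the intent.
    """
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened pattern: a placeholder in the SQL, the value passed separately.

    The driver binds the value as data, so it cannot change the query's
    structure regardless of the characters it contains.
    """
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the same hostile input and a normal one."""
    conn = make_db()
    # Classic tautology payload used only to show the difference in behaviour.
    hostile = "x' OR '1'='1"
    return {
        "unsafe": find_user_unsafe(conn, hostile),  # every row leaks
        "safe": find_user_safe(conn, hostile),      # no such username: []
        "normal": find_user_safe(conn, "alice"),    # [(1, 'alice')]
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>6}: {rows}")
```

Running the block prints the two rows for the unsafe lookup, an empty list for the parameterized lookup with the same input, and the single expected row for a legitimate username. The defensive rule it illustrates is simply: never build SQL by concatenating user-controlled strings, always bind them as parameters.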
The table below shows the number of vulnerability reports recorded for widely used software, each with more than a decade of use, in the US Government’s National Institute of Standards and Technology (NIST) National Vulnerability Database. Figures are as of August 15th, 2022. Click each software name in the first column for current statistics:
| CMS | Vulnerabilities | Most Recent (#) | Previous (#) |
|---|---|---|---|
| MODX | 41 | February 26, 2022 (1) | October 31, 2021 (1) |
| WordPress | 5,150 (126×) | Today (10) | Yesterday (22) |
| Drupal | 1,135 (28×) | July 20, 2022 (1) | June 09, 2022 (2) |
| Joomla! | 1,171 (29×) | July 10, 2022 (1) | May 06, 2022 (2) |
Keep up with updates
A word to the wise: as a website owner, you have an ongoing responsibility to keep up with updates—both for the application that powers your website and for any Extras, Add-ons, Plugins or Modules you use. When new releases of the platform that powers your website come out, you should, in almost all circumstances, install them to keep your site safe. It’s not a guarantee against compromise, but it is a key part of keeping your site as safe as possible.
Some additional basic guidelines to follow as a part of your overall security strategy:
- Keep up with updates—as stated above, this is critical as developers often patch known vulnerabilities with each release.
- Keep your hosting environment/OS up to date—you have to keep your whole stack upgraded, from PHP to your database to your web server, and even the underlying Operating System and system-level components like OpenSSL.
- Keep your server clutter-free—remove old files and scripts you're no longer using on your server to reduce possible attack vectors.
- Employ a WAF—a Web Application Firewall can help block attacks before they ever reach your website.
- Serve your site via SSL—encrypted SSL/TLS traffic prevents “Man in the Middle” attacks on the connection between your visitors and your site.
Keeping updated is easy in MODX Cloud
One of the reasons we created MODX Cloud was to make maintaining a site—the right way—much easier. MODX Cloud’s server software stack is monitored and updated as patches are released to help keep malicious people at bay. MODX Cloud also makes it easy to add SSL certificates, backup your sites on demand, and in general does the things you would expect from a properly secured and managed platform.
While the allure of auto-updaters is understandable, that automation can cause more problems for customized websites. In MODX Cloud, you can quickly clone a site to a test instance (for free), review the upgraded website out of the public view, then apply the upgrade to your live site after verifying everything works, all by clicking a few buttons in an intuitive online hosting Dashboard.
Security is of paramount importance when picking a platform. MODX’s early decisions to focus on and dedication to security and privacy mean you can sleep well at night.
Benefits for Organizations
- MODX Revolution is a proven platform with a track record of 16+ years
- Architected for security, with Two Factor Authentication (2FA) Extras available to enhance it
- Granular control over creating, accessing or publishing content
For End Users & Site Builders
- Peace of mind from a strong security track record
- Extras built on the public APIs are of high quality and safe