Note: while we update this article regularly, please check the latest stats by clicking the software names in the first column of the table below.
Does your CMS let you sleep at night?
The days of security through obscurity or thinking your site is “too small” to attract the attention of malicious actors are over. Automated tools let hackers and script kiddies seek out and exploit insecure websites.
Every website—no matter its size or significance—is a target.
Hacked sites can be used for an almost limitless set of nefarious purposes: defacement to promote an agenda or to boost a reputation in the hacker community, sending spam to sell “little blue pills”, distributing malware, inserting hidden links to other sites in an effort to boost search results, redirecting visitors to untrusted or “adult-themed” sites, phishing scams, or even mining Bitcoin.
If you’re especially unfortunate, hackers will compromise your site to steal data, or worse.
MODX Revolution was architected from day one with security in mind. All database operations using Revo’s public APIs go through xPDO, an intermediate database layer based on the PHP PDO project (smartly adopted by Drupal for version 8) that ensures data is properly sanitized before being saved to the database. This aims to prevent the SQL injection attacks common in many web platforms today.
The table below shows the number of vulnerability reports recorded in the US Government’s National Institute of Standards and Technology (NIST) National Vulnerability Database for globally used software with more than a decade of use. This page uses statistics current as of October 22, 2024.
| CMS | Vulnerabilities | Most Recent (#) | Previous (#) |
|---|---|---|---|
| MODX | 39 | February 26, 2022 (1) | July 24, 2019 (1) |
| WordPress | 10,914 (280×) | Today (11) | Yesterday (1) |
| Drupal | 1,108 (28×) | August 29, 2024 (1) | July 4, 2024 (1) |
| Joomla! | 1,188 (30×) | Yesterday (1) | July 9, 2024 (1) |
Keep up with updates
A word to the wise: as a website owner, you have an ongoing responsibility to keep up with updates, both for the application that powers your website and for any Extras, Add-ons, Plugins or Modules you use. When new releases of the platform that powers your website come out, you should, in almost all circumstances, install them to keep your site safe. It’s not a guarantee against compromise, but it is a key part of keeping your site as safe as possible.
Some additional basic guidelines to follow as a part of your overall security strategy:
- Keep up with updates—as stated above, this is critical as developers often patch known vulnerabilities with each release. This applies to both the core software powering your site and any third-party plugins used as well.
- Keep your hosting environment/OS up to date—you must keep up with server upgrades, from PHP to your database to your web server and even the underlying OS and system-level components like OpenSSL.
- Keep your server clutter-free—remove old files and scripts you're no longer using on your server to reduce possible attack vectors.
- Employ a WAF—a Web Application Firewall can help block attacks before they ever reach your website.
- Serve your site via HTTPS—encrypted SSL traffic prevents “Man in the Middle” attacks (and yes, there are still some sites with no or expired SSL certificates).
Keeping updated is easy in MODX Cloud
One of the reasons we created MODX Cloud was to make maintaining a site—the right way—much easier. MODX Cloud’s server software stack is monitored and updated as patches are released to help keep malicious people at bay. MODX Cloud also makes it easy to add SSL certificates, back up your sites on demand, and in general does the things you would expect from a properly secured and managed platform.
While the allure of auto-updaters is understandable, that automation can cause more problems for customized websites. In MODX Cloud, you can quickly clone a site to a test instance (for free), review the upgraded website out of the public view, then apply the upgrade to your live site after verifying everything works. All by just clicking a few buttons in an intuitive online hosting Dashboard.
Security is of paramount importance when picking a platform. MODX’s early decision to focus on security and privacy, and its dedication to both, mean you can sleep well at night.
Benefits for Organizations
- MODX Revolution is a proven platform with a 20-year track record
- Architected for security, with Two-Factor Authentication (2FA) Extras available to enhance it
- Granular control over creating, accessing or publishing content
For End Users & Site Builders
- Peace of mind from a strong security track record
- Extras that use public APIs are of high quality and safe