MODX and Security – another reason it’s our CMS of choice

9th November 2015

As you’ll probably know by now, our CMS of choice here at Studio Republic is MODX, a now well-established, but still relatively unknown platform that we’ve been using for over 6 years, since the early days of its release.

One of the main reasons we prefer MODX over platforms such as WordPress or Drupal is security.

A major downside of using a larger CMS like WordPress or Drupal is that the more popular a platform becomes, the bigger the target it paints on itself.

We avoid WordPress specifically for its numerous and persistent security issues, as we’re reluctant to let a system with so many vulnerabilities onto our server, which hosts all of our clients’ sites.

The CVE Index (Common Vulnerabilities and Exposures) is a database of known vulnerabilities in various platforms used across the internet today, keeping track of bugs as they’re found and submitted.

In total, WordPress has had 906 entries in this list, with 85 in 2015 alone. Joomla, another hugely popular CMS, has had 915 entries, with 120 so far in 2015. MODX? 28 entries in total, with just 8 since 2014.


On another vulnerability tracking site, Secunia, the patterns are similar:

This is clearly a huge difference in numbers. Obviously, there are far fewer installations of MODX across the internet than of either WordPress or Joomla, but there are other aspects which make the larger CMSs easier targets.

In many of them, particularly those that rely heavily on templates, the code that’s output when you view a page contains identifiers that make it easy to tell what CMS or platform the site is built on.

This allows hackers or potential attackers to quickly find what CMS you’re using, what version it’s running on and what plugins you’re using, along with their versions as well.

Having so much information so readily available makes life far too easy for potential hackers.


On the other hand, MODX doesn’t inject any extra markup into a site and generates pure HTML, making it considerably harder to distinguish a MODX site from a site written in plain HTML from scratch.

MODX also has another trick up its sleeve in the way it handles databases and queries. The big names in CMS (WordPress, Joomla et al.) all use MySQL to create and maintain their databases.

While MODX does have databases built in MySQL, the way they’re interacted with is very different. MODX uses a PHP extension called xPDO (open eXtensions to PDO, where PDO refers to a database abstraction layer called PHP Data Objects).

xPDO is a core part of MODX, and fundamental to the way it works. It behaves as a wrapper for the MySQL database, sanitising queries before they can reach the database.

This means it’s considerably harder for potential attackers to inject malicious code into SQL queries (a very common cause of sites being hacked, known as SQL Injection).
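How this protection works at the PDO layer that xPDO extends, shown as an added example that is not code from MODX, xPDO or Studio Republic: it uses plain PDO with an in-memory SQLite database, and the table, inputs and function names are constructed for illustration.

```php
<?php
// Added example: plain PDO against in-memory SQLite (not MODX or xPDO code).
// Table, column and function names are constructed for illustration.

function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
    $pdo->exec("INSERT INTO pages (title, published) VALUES
        ('Home', 1), ('Contact', 1), ('Draft pricing', 0)");
    return $pdo;
}

// Weak: user input is concatenated into the SQL text,
// so the input can change the structure of the query.
function find_concatenated(PDO $pdo, string $title): array {
    $sql = "SELECT title FROM pages WHERE published = 1 AND title = '" . $title . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed and the input travels
// separately as a bound value, so it is only ever data.
function find_bound(PDO $pdo, string $title): array {
    $stmt = $pdo->prepare('SELECT title FROM pages WHERE published = 1 AND title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = make_db();

// Constructed inputs: one ordinary title, one classic injection string.
$inputs = ['Home', "x' OR '1'='1"];

foreach ($inputs as $input) {
    printf("input: %s\n", $input);
    printf("  concatenated: %s\n", json_encode(find_concatenated($pdo, $input)));
    printf("  bound:        %s\n", json_encode(find_bound($pdo, $input)));
}
```

With the second input, the concatenated query's WHERE clause becomes true for every row, so the unpublished page is returned too; the bound query treats the same input as a literal title and returns nothing.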

By adding this extra layer of abstraction to the way the database is interacted with, we can ensure that our clients’ sites remain secure and well protected across the board.

Core updates to MODX often include updates to xPDO, bringing new levels of security each time a patch is applied.

We offer maintenance contracts for our clients here at Studio Republic, upgrading MODX to the latest version each time a patch is released, at a cost of £240 per year, or, if clients would rather avoid an annual fee, we can install individual patches as they are released for £120.

MODX releases around 4-6 patches a year, and we highly recommend keeping it up to date to ensure site security is the best it can be.


Get in touch today to find out more.