The MODX Cloud infrastructure is regularly maintained, and the security of your sites is our number one priority in MODX Cloud. Further, we employ technology that allows us to patch the Operating System kernel without downtime due to forced reboots. You should never worry about the infrastructure on which your sites run in MODX Cloud, or ever having to maintain servers yourself. 

Critical System Maintenance

Critical security patches are applied as they are released, regardless of normal scheduled patch windows. Kernel updates are automatically applied without requiring a reboot, within one hour of release.

MODX subscribes to mailing lists for advanced notice of security patch releases. For example, the day that critical security issues like ShellShock, Heartbleed, POODLE, FREAK and BEAST were disclosed, the MODX Cloud infrastructure was patched against their exploitation. (More info on those here.)

Regular Weekly Patching

We also schedule time each week for other patches, bugfixes and updates, so important software components are kept up to date. PHP is a custom build and is patched when security vulnerabilities that affect our infrastructure, or otherwise critical bug fixes or vulnerability patches, are released.

MODX Cloud Server Maintenance FAQ

How frequently does MODX Cloud perform downtime notification checks and notifications of outages via email?

We monitor services on the platforms every minute for availability. Outages trigger both notices to our infrastructure channels in Slack in addition to Pager Duty alerts to the DevOps teams. MODX does not monitor individual sites for uptime without an added service (see Uptime+, below).

For most individual sites, customers can use uptime monitoring services of their choice (StatusCake is a good one), though we strongly suggest multiple failed checks from multiple data centers before declaring an outage. If your site experiences an outage, you can open a support ticket from the MODX Cloud Dashboard for assistance.

For sites with our Uptime+ service, we not only monitor the uptime of the site itself but also have failover to other data centers in the event an outage is detected.

All customers can subscribe to email notifications for uptime or maintenance notifications at https://status.modxcloud.com/.

How often do restarts occur to release RAM and/or CPU?

We restart individual services when service degradation is detected by our monitoring platforms. We do not regularly reboot servers as this is not a requirement and is counterproductive because Linux uses unused memory as a disk cache in its default configuration. There are no memory constraint issues observed on a regular day-to-day basis.

How often does MODX Cloud run security update checks?

We see and evaluate new alerts daily. This augments the regular security notices that come from running LTS versions of the operating systems. In addition, we subscribe to numerous security mailing lists and participate in server security discussion groups to monitor emerging threats and vulnerabilities.

How frequently are security updates checked and installed?

Within 24 hours of any update security release, and one week of significant bug fixes (though we strive for sooner). We use Kernel Care for rebootless kernel updates to maximize uptime.

How often is the server stack optimized for performance?

We regularly update our core stack of software, e.g., PHP 8.2 and 8.3 are rolling out now. Configurations and initial tuning were created for high-performance, secure PHP marketing websites (especially MODX). We run the latest LTS versions of other server software stacks supported by Ubuntu with regular patches provided through its patch repositories/service.

Customers with Private Servers can have their infrastructure tuned to their specific application(s), including the database and PHP configuration, leverage nginx caching, and install additional third-party software like Redis for specialty caching/performance/scaling purposes.

How frequently is the server resource usage monitored for security?

We monitor all services on the servers to ensure they're running in typical/expected usage patterns. Anomalies outside of this trigger Slack alerts and/or PagerDuty escalations, depending on type and severity. This is continuous and real-time.

Does MODX Cloud offer monthly website stress and capacity tests up to 10K virtual users?

We do not allow stress tests or adversarial pen-testing on multi-tenant platforms as it is a violation of the Acceptable Use Policy; it can potentially negatively affect neighbor sites depending on the methods used.

For Private Servers, testing frequency is purely up to the client's schedule and does not violate the AUP.

How Do Private Servers and Multi-tenant platforms differ?

Both are highly tuned software stacks designed to serve the highest number of visitors the most efficiently, quickly, and securely. Both use chroots for isolation between sites.

Multi-tenant platforms are very large, multi-processor, bare metal servers that host multiple sites. These are available to anyone with a MODX Cloud Account.

A Private Server (PS) is a Virtual Machine, typically running 4-cores and 8 GB RAM configurations only available to one account. Properly cached sites on our highly tuned PSes are capable of serving 1500-5000 concurrent visitors or more depending on the type of site and the type of caching deployed.
Private Servers can further support custom configurations that are not possible on the large multi-tenant platforms such as locking SSH connections to specific IPs, adding Redis for specialty caching/performance/scaling, or installing OpenSearch for enterprise search applications, to name a few.

Finally, Private Servers can be deployed in a High Availability (HA) configuration with either 3 or more nodes for critical uptime or scaling requirements.