How Websites Get Hacked and How to Protect Yourself

Modern websites generally rely on software like a content management system (CMS) like MODX, WordPress, Joomla! and Drupal; or, other software like eCommerce tools, Forums, Galleries and similar. CMSs and other software add significant control and many valuable tools for managing your website, users and content.

With any software, there are potential vulnerabilities contained in the code. You may be accustomed to Microsoft and Apple releasing updates to their operating systems regularly. Many of these releases include essential security updates.

Regular Software Releases

Website and CMS software publishers release new versions that include security fixes to help protect site owners from someone exploiting vulnerabilities. When someone discovers or reports a vulnerability, responsible publishers work to fix the bug and publish a new release, depending on the nature and severity of the issue.

MODX's Stellar Track Record

MODX has experienced fewer severe vulnerabilities that resulted in exploitation of websites. In MODX's history, there have been only three major, widespread site hack events. In 2014 there were two; one for Revoution versions below 2.2.15 and another was for sites with AjaxSearch on MODX Evolution 1.0.13 and below.  In July of 2018, there was an unusual widespread attack of sites running 2.6.4 and below and sites with certain Extras installed. Although the recent attack affected many MODX users, it was the first such type of event in the 14 years since we first published MODX.

Comparatively speaking, site owners who run other website software such as WordPress, Joomla! and Drupal have faced many more frequent and damaging exploitation events. To learn more about recent statistics of compromised sites, this report from Sucuri shows the percentage of compromised sites by platform.

Why Was My Site Chosen?

Many site owners and web designers believe that website hacks are targeted attacks. This is not true. Automated attacks account for nearly all hacked websites.

It's Automated and Broad

These automated attacks are scripts (little programs), often hosted on other hacked sites, that connect to many websites to see if any have a known exploit. In many cases, these hacker scripts will have a series of scripts that will look for multiple known vulnerabilities from a long list of popular website software such as WordPress, Joomla!, Drupal, VBulletin, SimpleMachines Forum, etc. The malicious scripts rarely care what software you have installed on your website. If one of the scripts is successful, that's all it takes.

An Analogy

Picture a thief showing up at a huge car park at a shopping center. They might check hundreds of cars to see if one is unlocked. If one is unlocked, they can get in. The thief didn't come to the car park looking for Del Khan's Prius. The thief was looking for one or more open cars. The scripts described above do just that, check hundreds of sites to see which one is open and can be accessed.

In very few instances sites are specifically targeted by hackers. Usually, when a hacker focuses on a website, it is because the site could have high-value information, allow access to high-value information, or would be a valuable target for ransom or to purposefully damage the organization's reputation. Again, this is very rare.

Keeping Your Site Safe

Keeping your website safe from compromise or protected in the event of a hack, is similar to the protections you should have for any computer in your home or office.

1. Keep your software and any related software abreast of the latest releases
2. Take regular backups of your entire website and the database(s) and store them away from the website.
3. Use individual accounts with strong, unique passwords for each person with access to your hosting, website and website software.
4. Do not store critically essential data in the public web directory, or any subdirectory, of your site or hosting like passwords or personal information.

Regular Software Updates

All website software publishers, including MODX, publish announcements for new software releases. In the case of MODX, we post them on the MODX Blog. Also, MODX release announcements will appear in the News Feeds of the MODX Revolution Manager upon login, for most MODX users. MODX publishes anywhere from 4-6 releases a year. Therefore, any MODX site owner should be prepared to upgrade your site 4-6 times each year.

Wordpress, Joomla!, Matomo and other software publishers, announce their releases publicly.

Upgrades in MODX Cloud

For MODX website owners, we have tried to make as accessible as possible to upgrade your site in MODX Cloud using the upgrade Button in the MODX Cloud Dashboard. Once you update your website software, you should log in to upgrade each Extra or Plugin to ensure no outdated software is in use.


Backups are one of the most overlooked tactics for protecting your website from catastrophic damage. It is important to take regular backups and store them away from your website. Some only take backups before making a change or upgrading their site. That backup may help if you get hacked, but you could end up losing months of updates to your website.

Many people take backups and leave them in the same directory on their hosting environment alongside their website. If your site gets hacked and the hack removes files, it's possible to have your backup to be altered or deleted as well. Ideally, you'll take backups and store them outside of your web directory, to an Amazon S3 Bucket or similar.

Backups in MODX Cloud (They're Automatic; Always On)

MODX Cloud automatically backs your website up every night and stores it on another server away from your website. We retain your backups from 1-30 days, depending on your settings, but the standard retention period is seven days. Your MODX Cloud website backup can be restored without technical assistance and can even be restored to a different location to recover lost files if needed.

To keep your MODX Cloud account and website secure, when granting access to your MODX Cloud Dashboard, MODX Manager or SSH or SFTP, you should create individual accounts for each user and require long, unique passwords.

Should Your Host Prevent Hacks or Fix Your Hacked Site?

Web hosts are in the business of renting disk space, network access, and bandwidth, along with standard tools for managing the applications and features of that hosting environment. Typical web hosts do not provide personalized security and monitoring of their customer websites and software. Hosts monitor for resource abuse, usage abuse and significant events such as Dedicated Denial of Service (DDoS) and infrastructure attacks.

Hosts implement the necessary protections to ensure their servers are secure. But the way the World Wide Web works is that websites are in publicly accessible locations (otherwise nobody could get to them). This access is the same way that hackers compromise sites.

We're MODX Experts that Host MODX Sites

At MODX Cloud, we have a special relationship with MODX Revolution because we're also the team that created and publish it. While we have intimate knowledge with the software in the case customers need help, it is still the responsibility of our customers to keep their sites up to date and follow the tactics outlined above to keep their sites safe. Of course, if you need help with your site, we paid services to help out, including MODX software and Extras upgrades and Hacked site Remediation.

Beyond the Basic Protections

There is a growing number of vendors who have developed Web Application Firewalls (WAFs). These are services that sit between the public and your site that are designed to prevent attacks and malicious behaviours. While these aid in protecting a site, it's still critical to keep the site and it's software up to date with the latest releases.

Some of the organizations that provide WAFs include Sucuri and CloudFlare.

The Last Word On Security: Vigilance

Website security is an ongoing practice. It takes time, effort and sometimes the right person or organization to help make sure your website stays protected.


Have more questions? Submit a request


Please sign in to leave a comment.