MODxSecure: Hiding the Evolution Manager Login Behind a Secret Parameter
MODxSecure used a lightweight trick: only show the manager login form when a secret query parameter is present.
One low-cost way to reduce brute-force noise against the Evolution CMS manager is to hide the login form unless the request includes a secret query parameter. That is exactly what MODxSecure tried to do.
The idea was inspired by similar admin-hardening tools in other CMSs. Instead of replacing the whole authentication flow, it added a lightweight gate on OnManagerLoginFormPrerender. If the expected keyword was missing, the visitor was redirected away from the login screen.
The core logic looked like this:
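// Do nothing unless a keyword has been configured for the plugin.
if (!isset($keyword) || empty($keyword)) return;
// Fall back to '/' when no redirect target is set.
if (!isset($redirect) || empty($redirect)) $redirect='/';
$e = &$modx->Event;
// Before the manager login form renders, redirect any request that lacks the keyword parameter.
if ($e->name == 'OnManagerLoginFormPrerender' && !isset($_GET[$keyword])) {
    $this->sendRedirect($redirect);
}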
That is not a substitute for strong passwords, HTTPS, or proper update hygiene, but it does reduce exposure. In practice it works like a very small obscurity layer in front of the manager login: not perfect security, but useful friction against random scans and repeated bot traffic.
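The gate's decision restated as a pure function, as an added example that is not MODxSecure's own code: it runs the same two guards and the same presence check against constructed keywords and query strings. The helper name gateDecision and every sample value are assumptions for illustration, and parse_str() stands in for the way PHP fills $_GET.

```php
<?php
// Added illustration, not MODxSecure's code. gateDecision() is a hypothetical
// helper that mirrors the plugin's two guards and its $_GET check.

/** Returns the redirect target, or null when the login form would be shown. */
function gateDecision(?string $keyword, ?string $redirect, string $queryString): ?string
{
    if (empty($keyword)) {
        return null;               // same early return as the plugin: no gate
    }
    if (empty($redirect)) {
        $redirect = '/';
    }
    // parse_str() applies the same parameter-name rewriting PHP uses for $_GET.
    parse_str($queryString, $get);
    return isset($get[$keyword]) ? null : $redirect;
}

// Constructed cases: [description, configured keyword, request query string]
$cases = [
    ['keyword missing from request',      'x9door',  ''],
    ['keyword present without a value',   'x9door',  'x9door'],
    ['keyword present with any value',    'x9door',  'x9door=anything'],
    ['keyword "0" counts as empty',       '0',       ''],
    ['dot in keyword becomes underscore', 'x9.door', 'x9.door=1'],
];

foreach ($cases as [$label, $keyword, $query]) {
    $target = gateDecision($keyword, '/', $query);
    printf(
        "%-36s %s\n",
        $label,
        $target === null ? 'login form shown' : "redirect to $target"
    );
}
```

Because the check is isset() on the parameter name, the name itself is the secret and any value, or none, passes. A keyword that empty() treats as false leaves the form ungated, and a keyword containing a dot or space never matches because PHP rewrites those characters to underscores in parameter names.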
As an ecosystem artifact, this kind of plugin still matters because it captures a real period in Evolution CMS operations: teams were trying to make legacy admin surfaces safer without rewriting the whole stack.
Source: original community announcement.