Regarding MediaWiki version 1.15.1 or a little earlier.
See also:
- httpd.conf/.htaccess customization.
- mod_rewrite also has some security-related stuff.
## The basics
See LocalSettings.php for the basics:
- Turn off anonymous user creation.
- Require that users log in before they can edit.
- Use Google redirects for all links.
- Disable uploads.
Back up regularly, so that if disaster strikes you can still roll back, or modify the site offline with Bundled server software.
In my case, I allow anonymous user creation and editing, because I use Bad Behavior.
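As an added illustration (not code from the original page), this LocalSettings.php fragment applies the first, second and fourth items of the list above. The setting names are real MediaWiki globals; the values are the locked-down choices, with the relevant defaults restated so the intent is visible in the file.

```php
<?php
// Added example: LocalSettings.php fragment for the basics listed above.
// Place these lines after the generated settings in LocalSettings.php.

// Turn off anonymous user creation. Only sysops may create accounts;
// restating the sysop default makes the policy explicit in the file.
$wgGroupPermissions['*']['createaccount']     = false;
$wgGroupPermissions['sysop']['createaccount'] = true;

// Require that users log in before they can edit. Anonymous visitors
// keep the default 'read' right, so the wiki stays publicly readable.
$wgGroupPermissions['*']['edit']    = false;
$wgGroupPermissions['user']['edit'] = true;

// Disable uploads. This is the shipped default, but stating it prevents a
// later copy-and-paste of an upload-enabling snippet from going unnoticed.
$wgEnableUploads = false;
```

Group permission changes take effect on the next request; no cache flush is needed. Check the result on Special:ListGroupRights, which shows the effective rights per group after your overrides.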
## Be wary of plaintext passwords
Your administrator password is openly visible inside the LocalSettings.php and AdminSettings.php files. Make absolutely sure that you don’t have any renamed copies of these files lying around.
What not to do:
- LocalSettings.php~ — a backup of the LocalSettings.php file is automatically made by most editors.
- LocalSettings.bak — some people make backups which are named like this.
Any file named like this is openly visible to people on the web, because the server only hands .php files to PHP and serves everything else as a plain file! Use filenames like LocalSettings.bak.php or LocalSettings--06-03-12.php instead. Always end copies of this file with .php.
Better yet, make such files blocked from public access via .htaccess trickery.
Also, it’s possible to configure the server so that your configuration files live outside your docroot. That way, if PHP somehow fails to run, the file still can’t be served as plain text.
Along the same lines, don’t use the same password for any two things. Your FTP, control panel, database and admin account passwords should all be different!
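The following CLI script is an added check, not part of the original page: run it against the document root and it lists every copy of LocalSettings.php or AdminSettings.php whose name does not end in .php, which is exactly the set of files the web server would serve verbatim, password included. The default path is an assumption; pass your real docroot as the first argument. It complements, rather than replaces, the .htaccess denial recommended above.

```php
<?php
// Added example, not from the original page: walk the wiki's document root and
// report any copy of LocalSettings.php or AdminSettings.php whose name does not
// end in ".php". Editor backups (LocalSettings.php~), manual copies
// (LocalSettings.bak) and swap files (.LocalSettings.php.swp) all qualify.
// The default docroot below is an assumption; pass the real path as argv[1].

function findExposedConfigCopies($docroot)
{
    $exposed = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        $name = $file->getFilename();
        // Match anywhere in the name so dot-prefixed swap files are caught too.
        if (!preg_match('/(LocalSettings|AdminSettings)/', $name)) {
            continue;
        }
        // A trailing ".php" means the server passes the file to PHP instead of
        // sending its contents; any other suffix leaves the file exposed.
        if (substr($name, -4) !== '.php') {
            $exposed[] = $file->getPathname();
        }
    }
    sort($exposed);
    return $exposed;
}

$docroot = isset($argv[1]) ? $argv[1] : '/var/www/wiki';
$hits = findExposedConfigCopies($docroot);
if (count($hits) === 0) {
    echo "No exposed configuration copies found under $docroot\n";
    exit(0);
}
foreach ($hits as $path) {
    echo "EXPOSED: $path\n";
}
exit(1);
```

Run it as `php find-exposed-config.php /path/to/docroot`; the non-zero exit status on a hit makes it easy to wire into a cron job or a deployment check. Files it reports should be deleted or moved outside the docroot rather than simply renamed, since a .php copy still holds the same password on disk.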
## Protecting your image directory
From the mailing list (source not noted):

> $wgUploadPath = "/path/to/img_auth.php";
>
> Keep your physical image directory hidden away somewhere.
>
> Requires that PATH_INFO work on the server (e.g., if using PHP as CGI you may have to configure it appropriately. Try a Google search for whatever necessary documentation for your combination of web server and PHP.) (Note that img_auth.php is a little funky; $wgWhitelistRead needs to be set, I think.)

> A quick ‘Deny’ in an .htaccess and Alias in httpd.conf, and I have the directory protected without breaking any of my users’ bookmarks!
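As an added example (not from the page or the mailing-list posters), this LocalSettings.php fragment shows the img_auth.php approach from the first quote in full: the physical directory is moved out of the docroot and the public upload URL is redirected through img_auth.php. The directory path is an assumption; `$wgUploadDirectory`, `$wgUploadPath`, `$wgScriptPath` and the `read` permission are real MediaWiki settings.

```php
<?php
// Added example: LocalSettings.php fragment for serving uploads via img_auth.php.

// Physical upload directory, moved outside the document root (assumed path)
// so the web server cannot hand the files out directly. It must be writable
// by the web server user, just like the default images/ directory.
$wgUploadDirectory = '/srv/wiki-private/images';

// The public URL for uploads now points at img_auth.php, which streams a file
// only after checking that the requesting user may read the wiki.
$wgUploadPath = "$wgScriptPath/img_auth.php";

// img_auth.php enforces the 'read' right, so it only adds protection when
// anonymous reading is off. Leave this line out on a publicly readable wiki.
$wgGroupPermissions['*']['read'] = false;
```

Because img_auth.php resolves the file from the path after the script name, the server's PATH_INFO handling must work for PHP, as the quote notes. Existing links to the old images/ URL will break with this approach; the second quote's Alias-plus-Deny technique keeps those URLs intact, at the cost of relying on the web server rather than the wiki for the access decision.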
## Resources / Notes

- https://meta.wikimedia.org/wiki/Documentation:Security
- Allows MediaWiki to authenticate against bbPress’s user database.
- In-wiki items:
  - Special:UserRights

