Regarding MediaWiki version 1.15.1 or a little earlier.
The basics ∞
See LocalSettings.php for the basics:
- Turn off anonymous user creation.
- Require that users log in before they can edit.
- Use Google redirects for all links.
- Disabling uploads.
Back up regularly, so that if disaster strikes you could still roll back or modify the site offline with Bundled Server Software.
In my case, I allow anonymous user creation and editing, because I use Bad Behavior
Be wary of plaintext passwords ∞
What not to do:
LocalSettings.php~-- A backup of the LocalSettings.php file is automatically made by most editors.
LocalSettings.bak-- Some people make backups which are named like this.
Any file named like this is openly visible to people on the web! Use filenames like
LocalSettings--06-03-12.php instead. Always end copies of this file with .php
Better yet, make such files blocked from public access via .htaccess trickery.
Also, it's possible to configure the server in such a way as to have your configuration files located outside your docroot. This way if PHP crashes somehow you're protected.
Along the same lines, don't use the same password for any two things. Your FTP, control panel, database and admin account passwords should all be different!
protecting your image directory ∞
from the mailing list (source not noted):
$wgUploadPath = "/path/to/img_auth.php";
Keep your physical image directory hidden away somewhere.
Requires that PATH_INFO work on the server (eg, if using PHP as CGI you
may have to configure it appropriately. Try a google search for whatever
necessary documentation for your combination of web server and PHP.)
(Note that img_auth.php is a little funky; $wgWhitelistRead needs to be
set, I think.)
A quick 'Deny' in
an .htaccess and Alias in httpd.conf, and I have the directory protected
without breaking any of my users' bookmarks!
Resources / Notes ∞
Allows MediaWiki to authenticate against bbPress's user database:
- in-wiki items: