MediaWiki Howto

From Cactus Howto

Securing MediaWiki

Always Check Recent changes

Requiring Login for editing

The following changes need to be made in LocalSettings.php:

$wgEnableEmail      = true;                                     # allow sending of email notifications
$wgGroupPermissions['*']['edit'] = false;                       # by default no one can edit
$wgGroupPermissions['user']['edit']           = false;          # not even registered users
$wgAutopromote['emailconfirmed'] = APCOND_EMAILCONFIRMED;       # put users with a confirmed email address
                                                                # into the 'emailconfirmed' group automatically
$wgImplicitGroups[] = 'emailconfirmed';                         # hide the group from the user list
$wgGroupPermissions['emailconfirmed']['edit'] = true;           # finally, grant edit to the desired group
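
Added example (not part of the original howto and not MediaWiki's own code): a simplified Python model of how MediaWiki combines group rights, showing why the ['user']['edit'] = false line above is needed. All function and variable names are hypothetical, $wgRevokePermissions is not modelled, and the two default grants are the ones from MediaWiki's DefaultSettings.php.

```python
# Added example: simplified model of MediaWiki group rights (names are hypothetical).
# A user holds a right if ANY of their groups grants it; setting a right to false
# for one group does not take away a grant made by another group.
# $wgRevokePermissions is not modelled.

# Grants from MediaWiki's DefaultSettings.php that matter here.
DEFAULTS = {"*": {"read": True, "edit": True}, "user": {"read": True, "edit": True}}

def with_overrides(base, overrides):
    """Apply LocalSettings-style assignments {(group, right): bool} on top of base."""
    merged = {group: dict(rights) for group, rights in base.items()}
    for (group, right), value in overrides.items():
        merged.setdefault(group, {})[right] = value
    return merged

def groups_for(registered, email_confirmed):
    """Implicit groups as configured on this page."""
    groups = ["*"]
    if registered:
        groups.append("user")
        if email_confirmed:  # autopromoted via APCOND_EMAILCONFIRMED
            groups.append("emailconfirmed")
    return groups

def effective_rights(config, groups):
    """Union of every right granted (True) by any of the given groups."""
    return {right for g in groups for right, ok in config.get(g, {}).items() if ok}

def audit_edit(config):
    """Who can edit under this configuration?"""
    cases = {"anonymous": (False, False),
             "registered, unconfirmed": (True, False),
             "registered, email confirmed": (True, True)}
    return {name: "edit" in effective_rights(config, groups_for(*flags))
            for name, flags in cases.items()}

# The three edit-related lines from this page.
PAGE_CONFIG = with_overrides(DEFAULTS, {("*", "edit"): False,
                                        ("user", "edit"): False,
                                        ("emailconfirmed", "edit"): True})
# Same, but with the ['user']['edit'] = false line left out.
WITHOUT_USER_LINE = with_overrides(DEFAULTS, {("*", "edit"): False,
                                              ("emailconfirmed", "edit"): True})

if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("without user line", WITHOUT_USER_LINE)):
        print(label, audit_edit(cfg))
```

With the page's settings only email-confirmed accounts can edit; without the 'user' line, any freshly registered account keeps the default edit grant.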

Use User Blocking

Note: you need sysop rights for this: http://wiki-ip/index.php?title=Special:BlockIP

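Preventing access to Special Pages

A custom right, Cactus, is granted to the group Cactus in LocalSettings.php and then set as the required right (the third array element) for the special pages to be restricted in includes/SpecialPage.php. Because SpecialPage.php is a core file, the change has to be reapplied after a MediaWiki upgrade.
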
howto:/usr/share/mediawiki# grep act LocalSettings.php
$wgGroupPermissions['Cactus']['read'] = true;
$wgGroupPermissions['Cactus']['Cactus'] = true;
howto:/usr/share/mediawiki/includes# grep Cactus SpecialPage.php 
'Listgrouprights'           => array( 'SpecialPage', 'SpecialListGroupRights', 'Cactus'),
'Listusers'                 => array( 'SpecialPage', 'Listusers', 'Cactus' ),	
'Listfiles'                 => array( 'SpecialPage', 'Listfiles', 'Cactus' ),
'Allmessages'               => array( 'SpecialPage', 'Allmessages', 'Cactus' ),
'Version'                   => array( 'SpecialPage', 'Version', 'Cactus'),

Adding Captcha for new user creation using Extension ConfirmEdit

NB: standard captcha (math) is not sufficient!

Install Extension confirmedit:

aptitude install mediawiki-extensions-confirmedit
howto:/usr/share/mediawiki# dpkg -l | grep confirmedit
ii  mediawiki-extensions-confirmedit   2.3squeeze1                  Extensions for MediaWiki -- ConfirmEdit extension

Add to end of LocalSettings.php:

require_once( "$IP/extensions/ConfirmEdit/ConfirmEdit.php" );
require_once( "$IP/extensions/ConfirmEdit/FancyCaptcha.php" );
$wgCaptchaClass = 'FancyCaptcha';
$wgCaptchaDirectory = '/usr/share/mediawiki-extensions/confirmedit/captchas';
$wgCaptchaSecret = 'XXX';

Create dir for captchas:

mkdir /usr/share/mediawiki-extensions/confirmedit/captchas

Create captchas:

python ./ --font=/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Regular.ttf --wordlist=/usr/share/dict/ngerman --key XXX --output=/usr/share/mediawiki-extensions/confirmedit/captchas --count=100

Finally, delete the users in wikidb that have been added by bots, along with their revisions (assuming that the users with id 0, 1, 2, 40 and 1577 are real):

DELETE FROM revision WHERE rev_user NOT IN (0, 1, 2, 40, 1577);
DELETE FROM mwuser WHERE user_id NOT IN (0, 1, 2, 40, 1577);

Even with this graphical captcha, 86 users were created by bots during 120 days.

  • Copy the logo (135x135 pixels) into /var/lib/mediawiki/images
  • Edit LocalSettings.php
  • Note: when using a relative pathname for the logo, start it with a slash (/). Do not think about it ;-).
  • Example config:
howto:/xxx/mediawiki# grep Logo LocalSettings.php 
 $wgLogo             = "/images/cactus-logo.jpg";