MediaWiki/Guide/Security
A Guide for Securing MediaWiki in a hosted environment
This article is part of a series compiled as a guide to encourage and assist those building a MediaWiki-based website in a hosted environment.
Each article links to relevant documentation from the MediaWiki.org website and the Wikimedia.org website. Where the official documentation does not adequately cover the issues for a hosted site, or is too 'advanced', additional information, explanation and advice is provided.
Security Manual
The Manual:Security may seem rather technical, but it is a good starting point. Break it down into achievable steps and implement them one at a time; the following sections are a guide to doing that. Some items in the Manual are not possible in a hosted environment because they require access to the web server configuration (php.ini, the virtual host definition, or directories above the web root); where that is the case, the alternatives below stay within what LocalSettings.php and the hosting control panel allow.
Manuals and Links
Prevent Access
The Manual:Preventing access explains how to restrict viewing; restrict editing; and restrict account creation.
It is important to switch off self-registration, so that visitors cannot create their own accounts: an open wiki attracts spam accounts within days of going live. Account creation is then left to the administrators.
The manual also shows how to restrict editing of entire namespaces.
The Manual:Using MediaWiki as a content management system also has examples of stricter than normal settings including how to configure Group Permissions.
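As an added example (this is not code from the MediaWiki manuals), the LocalSettings.php fragment below combines the three restrictions above: no self-registration, no anonymous reading or editing, and a namespace that only administrators may edit. The group names (`*`, `user`, `sysop`), the rights and the settings are MediaWiki's own; the choice of which pages to whitelist is an assumption for illustration.

```php
<?php
// Added example for LocalSettings.php (not from the MediaWiki manuals).
// '*' is every visitor, 'user' is every logged-in account, 'sysop' is the
// administrators group. Later lines override earlier ones, so keep the
// broad denials first and the specific grants after them.

// Nobody may create their own account; only sysops create accounts.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;

// Anonymous visitors may neither read nor edit.
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;

// Pages that stay readable without logging in. The front page is an
// assumed choice; the login and password-reset pages must be reachable
// or nobody can get in.
$wgWhitelistRead = [ 'Main Page', 'Special:UserLogin', 'Special:PasswordReset' ];

// Logged-in users may read and edit ordinary pages.
$wgGroupPermissions['user']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;

// Lock an entire namespace: editing the Project namespace (and the
// Template namespace, added here as an assumed extra) requires the
// 'editinterface' right, which only sysops hold by default.
$wgNamespaceProtection[NS_PROJECT]  = [ 'editinterface' ];
$wgNamespaceProtection[NS_TEMPLATE] = [ 'editinterface' ];
```

After saving, log out and confirm in a private browser window that the login page loads, that Special:CreateAccount refuses to proceed, and that an article URL redirects to the login form; then log in as an ordinary user and confirm that editing a Project: page is refused while editing an article is allowed.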
Secure Database Passwords
The database credentials ($wgDBuser and $wgDBpassword) are stored in the LocalSettings.php file. If the web server ever delivers that file as plain text instead of executing it (after a PHP misconfiguration, or from a stray copy such as an editor backup saved beside it), anyone who requests it can read the credentials. To limit that risk the secret values should be removed from LocalSettings.php and kept in a separate file, ideally in a directory that is not reachable from the web. LocalSettings.php still has to include that file, or MediaWiki will not be able to connect to the database.
The Manual:Securing database passwords suggests a method to implement this security step.
You should be able to create an empty file through your web hosting interface. It needs a .php extension, so that the server executes it rather than serving its contents if someone requests it directly, and to be recognised as a PHP file its first line must be
<?php
If you are working through this concept consider separating all other customisations and sensitive data from the LocalSettings.php file and linking them to a custom settings file of your own. This has an advantage when upgrading and also from a maintenance perspective - it is easier to identify what you have configured and what was default.
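The following is an added example of that layout, not the text of the Manual:Securing database passwords. It shows a LocalSettings.php that keeps only non-secret settings and pulls the credentials and your own customisations from two other files; the path /home/example/private/, the file names DBSettings.php and CustomSettings.php, and the example values are assumptions to adapt to your host.

```php
<?php
// Added example of LocalSettings.php (not from the MediaWiki manual).
// MediaWiki defines MEDIAWIKI before it reads this file; a direct HTTP
// request to the file never has it defined, so exit produces a blank page.
if ( !defined( 'MEDIAWIKI' ) ) {
	exit;
}

// Non-secret settings stay here. $IP is set by MediaWiki to the install
// directory before LocalSettings.php runs.
$wgSitename  = "Example Wiki";
$wgDBtype    = "mysql";
$wgDBserver  = "localhost";
$wgDBname    = "examplewiki";

// Secrets live in a file outside the web root (assumed path). If the host
// gives you no directory above the web root, keep the .php extension and the
// MEDIAWIKI guard shown below so a direct request still returns nothing.
$secretsFile = '/home/example/private/DBSettings.php';

// Fail loudly rather than start the wiki with empty credentials.
if ( !is_readable( $secretsFile ) ) {
	die( 'Configuration file missing; the wiki is not available.' );
}
require_once $secretsFile;

// Your own customisations (permissions, extensions, skin) go in a file of
// their own, so an upgrade touches LocalSettings.php alone.
require_once "$IP/CustomSettings.php";

// ---- Contents of /home/example/private/DBSettings.php (a separate file,
// ---- reproduced here as comments; its first line must be <?php) ----
// <?php
// if ( !defined( 'MEDIAWIKI' ) ) {
//     exit;
// }
// $wgDBuser     = "wikiuser";
// $wgDBpassword = "replace-with-a-long-random-password";
// $wgSecretKey  = "replace-with-the-64-hex-digit-key-the-installer-generated";
```

Two checks are worth running once this is in place: request DBSettings.php and LocalSettings.php directly in a browser and confirm each returns an empty page rather than its source, and look in the hosting file manager for leftover copies (LocalSettings.php.bak, LocalSettings.php~ and the like), which are served as plain text because they do not end in .php.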
Configure File Uploads
Uploaded files are a common way for an attacker to get executable code onto a server: a PHP script with a second extension that looks like an image, or a file whose contents do not match its declared type. For that reason MediaWiki ships with uploads disabled ($wgEnableUploads is false by default), and enabling them should go together with limits on who may upload and what may be uploaded.
The Manual:Configuring file uploads covers a range of issues and configuration settings to control or limit risk.
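As an added example (not code from Manual:Configuring file uploads), here is a conservative upload policy for LocalSettings.php. The settings and rights are MediaWiki's own; the list of allowed extensions and the size limit are assumptions chosen for illustration.

```php
<?php
// Added example for LocalSettings.php (not from the MediaWiki manual).

// Uploads are off by default; enable them only if the wiki needs them.
$wgEnableUploads = true;

// Replace (do not append to) the allowed list with the few types you need.
$wgFileExtensions = [ 'png', 'jpg', 'jpeg', 'gif', 'pdf' ];

// With both of these true, a file whose final extension is not in
// $wgFileExtensions is refused. Extensions such as php are refused whatever
// position they occupy in the name, so "shell.php.png" is rejected as well.
$wgCheckFileExtensions  = true;
$wgStrictFileExtensions = true;

// Check that the file contents match the type claimed by the extension.
$wgVerifyMimeType = true;

// Upper size limit in bytes (10 MiB, an assumed value). The host's PHP limits
// upload_max_filesize and post_max_size still apply on top of this.
$wgMaxUploadSize = 10 * 1024 * 1024;

// Only logged-in users may upload; overwriting an existing file with a new
// version ('reupload') stays with sysops.
$wgGroupPermissions['*']['upload']         = false;
$wgGroupPermissions['user']['upload']      = true;
$wgGroupPermissions['user']['reupload']    = false;
$wgGroupPermissions['sysop']['reupload']   = true;
```

To check the policy, try uploading a text file renamed to .png (it should be refused by the MIME check), a file named test.php.png (refused by the extension check) and a genuine small PNG (accepted).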
Spam and Vandalism
Any website can be targeted by spammers, but a MediaWiki site that lets visitors register their own accounts will soon be overrun by spam. Even when registration is restricted, registered contributors can still vandalise pages or post spam.
The Manual:Combating spam and the Manual:Combating vandalism give systems administrators strategies for preventing and dealing with spam and vandalism.
There is also an Extension called Nuke which is a useful tool to mass delete pages created by a user or identified by an IP address. Permissions to access or use Nuke can be configured in LocalSettings.php.
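As an added example (not from the manuals or the Nuke extension's own documentation), the LocalSettings.php fragment below combines a few of the anti-spam settings with loading Nuke and stating who may use it. The settings, the `nuke` right and the `wfLoadExtension` call are MediaWiki's own; the regular expression and the rate-limit figures are assumptions to tune to the spam you actually see.

```php
<?php
// Added example for LocalSettings.php (not from the MediaWiki manuals).

// Refuse any edit whose wikitext matches this pattern. The pattern is an
// assumed example: two spam words and the BBCode-style link syntax that
// spam bots paste into wikis.
$wgSpamRegex = '/\b(viagra|casino)\b|\[url=/i';

// Require a confirmed e-mail address before an account may edit.
$wgEmailConfirmToEdit = true;

// Throttle new accounts: at most 8 edits per 60 seconds (assumed figures).
// Sysops are exempt from rate limits by default.
$wgRateLimits['edit']['newbie'] = [ 8, 60 ];

// Load the Nuke extension (it must already be present in the extensions/
// directory) and state explicitly that only sysops may mass-delete.
wfLoadExtension( 'Nuke' );
$wgGroupPermissions['sysop']['nuke'] = true;
$wgGroupPermissions['user']['nuke']  = false;
```

After saving, Special:Version should list Nuke, and Special:Nuke should be available when logged in as a sysop and refused for an ordinary user. Test the regular expression on a throwaway page before relying on it: a pattern that is too broad will block legitimate edits, and the error the editor sees does not say which part of the text matched.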
Advanced
MediaWiki.org also has a Manual:MediaWiki Security Guide which is a portal to pages on security topics, particularly for developers.
Another resource for those deeply involved with security is the Manual:List of MediaWiki configuration settings containing sensitive data.
The values of these settings should not sit in LocalSettings.php; if they are used at all, they belong in the separate, non-web-accessible file described in the Manual:Securing database passwords, alongside the database credentials.
Disclaimer
The information or advice provided in this Guide is based on, or links to, official documentation for MediaWiki and was accurate when this article was created. However, some variation may occur between versions of MediaWiki; and the specifics of web hosting varies by service provider. Consequently, you should always create an effective backup before making any changes; ensure that you can restore your database and website; read the Release Notes before upgrading; and apply best practices to the management of your website. Any action that you take based on information provided here is at your own risk and the author accepts no liability for any loss or damage.