Mediawiki/Hardening
From r00tedvw.com wiki
(Difference between revisions)
(Created page with "==Disable user self registration== Add the following to LocalSettings.php # Prevent new user registrations except by sysops $wgGroupPermissions['*']['createaccount'] = false;") |
(→remove database password from LocalSettings.php) |
||
| (2 intermediate revisions by one user not shown) | |||
| Line 3: | Line 3: | ||
# Prevent new user registrations except by sysops | # Prevent new user registrations except by sysops | ||
$wgGroupPermissions['*']['createaccount'] = false; | $wgGroupPermissions['*']['createaccount'] = false; | ||
| + | ==Uploads Dir security== | ||
| + | add to the bottom of your Virtual site config, before you close it: | ||
| + | <Directory /var/www/yoursite.com/wiki/images/> | ||
| + | # Ignore .htaccess files | ||
| + | AllowOverride None | ||
| + | # Serve HTML as plaintext, don't execute SHTML | ||
| + | AddType text/plain .html .htm .shtml .php | ||
| + | # Don't run arbitrary PHP code. | ||
| + | php_admin_flag engine off | ||
| + | # If you've other scripting languages, disable them too. | ||
| + | </Directory> | ||
| + | ==remove security variables from LocalSettings.php== | ||
| + | Its not a good idea to have the security variables within a file that lives in the document root. Should a problem happen, like php crashes, and php files can be downloaded or served in plain text, you've just had your security compromised.<br> | ||
| + | Start by creating a folder and file that lives outside of the document root and its children. For example, if your document root is <code>/var/www/</code> then you'll want to do something like this: | ||
| + | ~$ sudo mkdir /var/security/ | ||
| + | ~$ sudo chown www-data:www-data /var/security | ||
| + | ~$ sudo chmod 644 /var/security | ||
| + | ~$ sudo vi /var/security/secure.php | ||
| + | ~$ sudo chown www-data:www-data /var/security/secure.php | ||
| + | ~$ sudo chmod 644 /var/security/secure.php | ||
| + | Now with the files created, modify LocalSettings.php and add: | ||
| + | #including separate file that contains the database password so that it is not stored within the document root. | ||
| + | require_once "/var/security/secure.php"; | ||
| + | Finally, within the new file we've created outside of the document root, define your variables that Mediawiki still needs, such as: | ||
| + | <?php | ||
| + | #Mediawiki | ||
| + | #Database Settings | ||
| + | $wgDBpassword = | ||
| + | $wgDBserver = | ||
| + | $wgDBname = | ||
| + | $wgDBuser = | ||
| + | |||
| + | #Secretkey | ||
| + | $wgSecretKey = | ||
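Review bot: In the added shell steps, `sudo chmod 644 /var/security` is applied to a directory, which leaves it without the execute (search) bit, so www-data cannot open files inside it and the `require_once "/var/security/secure.php"` added further down will fail; a directory mode such as 750 is needed. The `chmod 644` on secure.php also leaves the file that holds `$wgDBpassword` and `$wgSecretKey` readable by every local account, so 640 or 600 fits the stated goal of the section better. The assignments in the secure.php listing have no right-hand side and no terminating semicolon, so the listing is not valid PHP if copied as shown; placeholder values would make that clear.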
Latest revision as of 01:49, 12 October 2014
Disable user self registration
Add the following to LocalSettings.php:
# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;
Uploads Dir security
Add the following to the bottom of your virtual host config, before you close it:
<Directory /var/www/yoursite.com/wiki/images/>
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php
# Don't run arbitrary PHP code.
php_admin_flag engine off
# If you've other scripting languages, disable them too.
</Directory>
Remove security variables from LocalSettings.php
It's not a good idea to keep the security variables in a file that lives in the document root. Should a problem happen, such as PHP crashing so that PHP files can be downloaded or served in plain text, you've just had your security compromised.
Start by creating a folder and a file that live outside of the document root and its children. For example, if your document root is /var/www/ then you'll want to do something like this:
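~$ sudo mkdir /var/security/
~$ sudo chown www-data:www-data /var/security
# A directory needs the execute (search) bit, otherwise www-data cannot open files inside it
~$ sudo chmod 750 /var/security
~$ sudo vi /var/security/secure.php
~$ sudo chown www-data:www-data /var/security/secure.php
# The file holds the database password and secret key, so give other users no access
~$ sudo chmod 640 /var/security/secure.php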
Now with the files created, modify LocalSettings.php and add:
# Include a separate file that contains the database password so that it is not stored within the document root.
require_once "/var/security/secure.php";
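Finally, within the new file we've created outside of the document root, define the variables that Mediawiki still needs, such as:
<?php
# Mediawiki
# Database Settings (placeholder values, replace with your own)
$wgDBpassword = "your-database-password";
$wgDBserver = "your-database-server";
$wgDBname = "your-database-name";
$wgDBuser = "your-database-user";

# Secretkey (placeholder, replace with your own)
$wgSecretKey = "your-secret-key";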
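A check for the layout described in this section, as an added example that is not part of the original wiki page: it takes the document root, the secrets file and LocalSettings.php as arguments and reports each way the setup can still leak or break. The function names `audit_wiki_secrets` and `perm_of` are made up for this example.

```shell
#!/bin/sh
# Added example: audit the "secrets outside the document root" layout.
# Prints one FAIL line per finding and returns the number of findings.
perm_of() { ls -ld "$1" | cut -c1-10; }   # permission string, e.g. "drwxr-x---"

audit_wiki_secrets() {  # usage: audit_wiki_secrets DOCROOT SECRETS_FILE LOCALSETTINGS
  findings=0
  fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

  docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: no docroot $1"; return 1; }
  raw_dir=$(dirname "$2")
  # Resolve symlinks where we can; fall back to the literal path otherwise.
  sdir=$(cd "$raw_dir" 2>/dev/null && pwd -P) || sdir=$raw_dir

  # 1. The secrets file must not live in the document root or its children.
  case "$sdir/" in
    "$docroot"/*) fail "$2 is inside document root $docroot" ;;
  esac

  # 2. Directory: the owner needs the search (x) bit, other users need nothing.
  dperm=$(perm_of "$raw_dir")
  case "$dperm" in
    ???x*) dir_ok=1 ;;
    *) dir_ok=0; fail "$raw_dir ($dperm): owner cannot traverse, require_once will fail" ;;
  esac
  case "$dperm" in *---) ;; *) fail "$raw_dir ($dperm): accessible to other users" ;; esac

  # 3. File: must exist and must not be readable by other users.
  #    Skipped while the directory is not traversable, since it cannot be inspected.
  if [ "$dir_ok" = 1 ]; then
    if [ -f "$2" ]; then
      fperm=$(perm_of "$2")
      case "$fperm" in *---) ;; *) fail "$2 ($fperm): readable by other users" ;; esac
    else
      fail "$2 does not exist"
    fi
  fi

  # 4. LocalSettings.php must no longer assign the variables that were moved out.
  if grep -Eq '^[[:space:]]*\$wg(DBpassword|DBserver|DBname|DBuser|SecretKey)[[:space:]]*=' "$3"; then
    fail "$3 still assigns database or secret-key variables"
  fi
  return "$findings"
}
```

Run it as `audit_wiki_secrets /var/www /var/security/secure.php /var/www/yoursite.com/wiki/LocalSettings.php` (the LocalSettings.php path is assumed from the uploads directory path above); an exit status of 0 means no findings.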