Mediawiki/Hardening

From r00tedvw.com wiki
(Difference between revisions)
(remove database password from LocalSettings.php)
 
Line 14: Line 14:
 
                 # If you've other scripting languages, disable them too.
 
                 # If you've other scripting languages, disable them too.
 
  </Directory>
 
  </Directory>
==remove database password from LocalSettings.php==
+
==remove security variables from LocalSettings.php==
Its not a good idea to have the database password within a file that lives in the document root.  Should a problem happen, like php crashes, and php files can be downloaded or served in plain text, you've just had your security compromised.<br>
+
Its not a good idea to have the security variables within a file that lives in the document root.  Should a problem happen, like php crashes, and php files can be downloaded or served in plain text, you've just had your security compromised.<br>
 
Start by creating a folder and file that lives outside of the document root and its children.  For example, if your document root is <code>/var/www/</code> then you'll want to do something like this:
 
Start by creating a folder and file that lives outside of the document root and its children.  For example, if your document root is <code>/var/www/</code> then you'll want to do something like this:
 
  ~$ sudo mkdir /var/security/
 
  ~$ sudo mkdir /var/security/
 
  ~$ sudo chown www-data:www-data /var/security
 
  ~$ sudo chown www-data:www-data /var/security
 
  ~$ sudo chmod 644 /var/security
 
  ~$ sudo chmod 644 /var/security
  ~$ sudo vi /var/security/passwords.php
+
  ~$ sudo vi /var/security/secure.php
  ~$ sudo chown www-data:www-data /var/security/passwords.php
+
  ~$ sudo chown www-data:www-data /var/security/secure.php
  ~$ sudo chmod 644 /var/security/passwords.php
+
  ~$ sudo chmod 644 /var/security/secure.php
 
Now with the files created, modify LocalSettings.php and add:
 
Now with the files created, modify LocalSettings.php and add:
 
  #including separate file that contains the database password so that it is not stored within the document root.
 
  #including separate file that contains the database password so that it is not stored within the document root.
  require_once "/var/security/passwords.php";
+
  require_once "/var/security/secure.php";
 
Finally, within the new file we've created outside of the document root, define your variables that Mediawiki still needs, such as:
 
Finally, within the new file we've created outside of the document root, define your variables that Mediawiki still needs, such as:
 +
<?php
 +
#Mediawiki
 +
#Database Settings
 
  $wgDBpassword =
 
  $wgDBpassword =
 +
$wgDBserver =
 +
$wgDBname =
 +
$wgDBuser =
 +
 +
#Secretkey
 
  $wgSecretKey =
 
  $wgSecretKey =
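Review bot: the `chmod 644 /var/security` line kept as context in this revision leaves the directory without a search (x) bit for its owner, so www-data cannot open /var/security/secure.php and the new `require_once "/var/security/secure.php";` will fail. Mode 750 on the directory and 640 on secure.php would let the web server read the file while keeping other local accounts out. The unchanged comment above require_once also still says "database password", although the heading and text now say "security variables" and the file carries $wgSecretKey as well, so that comment should be updated to match.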

Latest revision as of 01:49, 12 October 2014

Disable user self registration

Add the following to LocalSettings.php:

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;

Uploads Dir security

Add the following to the bottom of your virtual site config, before you close it:

<Directory /var/www/yoursite.com/wiki/images/>
    # Ignore .htaccess files
    AllowOverride None
    # Serve HTML as plaintext, don't execute SHTML
    AddType text/plain .html .htm .shtml .php
    # Don't run arbitrary PHP code.
    php_admin_flag engine off
    # If you've other scripting languages, disable them too.
</Directory>

Remove security variables from LocalSettings.php

It's not a good idea to keep the security variables in a file that lives in the document root. Should a problem occur, such as PHP crashing so that PHP files can be downloaded or served in plain text, your security has just been compromised.

Start by creating a folder and file that live outside of the document root and its children. For example, if your document root is /var/www/ then you'll want to do something like this:

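~$ sudo mkdir /var/security/
~$ sudo chown www-data:www-data /var/security
# A directory needs the execute (search) bit, otherwise www-data cannot open files inside it.
~$ sudo chmod 750 /var/security
~$ sudo vi /var/security/secure.php
~$ sudo chown www-data:www-data /var/security/secure.php
# Readable by the web server only, not by other local accounts.
~$ sudo chmod 640 /var/security/secure.php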

Now with the files created, modify LocalSettings.php and add:

# Include the separate file that holds the security variables so that they are not stored within the document root.
require_once "/var/security/secure.php";

Finally, within the new file we've created outside of the document root, define your variables that Mediawiki still needs, such as:

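<?php
# Mediawiki
# Database settings (placeholder values; move the real ones over from LocalSettings.php)
$wgDBpassword = "CHANGE_ME";
$wgDBserver = "CHANGE_ME";
$wgDBname = "CHANGE_ME";
$wgDBuser = "CHANGE_ME";

# Secret key (placeholder value)
$wgSecretKey = "CHANGE_ME";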
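
One way to check the result of the steps above, as an added example that is not part of the original wiki page: a POSIX shell function that reports when the secrets file sits under the document root, when its directory cannot be traversed by its owner, when other local accounts can read it, or when LocalSettings.php still assigns `$wgDBpassword` or `$wgSecretKey`. The function name `audit_secrets` and its argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a secrets file that LocalSettings.php pulls in with
# require_once. All paths are supplied by the caller.

# Print the physical (symlink-resolved) path of an existing directory.
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# Succeeds if "other" holds any permission bit on the path (ls columns 8-10).
world_accessible() { [ "$(ls -ldL "$1" | cut -c8-10)" != "---" ]; }

# audit_secrets DOCROOT SECRETS_FILE LOCALSETTINGS
# Prints one line per finding; the return status is the number of findings.
audit_secrets() {
    secdir=$(dirname "$2")
    findings=0

    # Without the owner's search (x) bit the web server cannot open anything
    # inside the directory, so require_once fails. Stop here if so.
    case "$(ls -ldL "$secdir" | cut -c4)" in
        x|s) ;;
        *) echo "owner cannot traverse $secdir"; return 1 ;;
    esac

    docroot=$(real_dir "$1") || { echo "no such docroot: $1"; return 1; }
    secdir=$(real_dir "$secdir") || { echo "cannot enter secrets dir"; return 1; }

    # The secrets directory must not be the docroot or one of its children.
    case "$secdir/" in
        "$docroot"/*) echo "secrets file is inside the document root"
                      findings=$((findings + 1)) ;;
    esac

    # Other local accounts should not be able to read the file or its folder.
    for p in "$secdir" "$2"; do
        if world_accessible "$p"; then
            echo "world-accessible: $p"; findings=$((findings + 1))
        fi
    done

    # LocalSettings.php should no longer assign the secrets itself.
    if grep -Eq '^[[:space:]]*\$wg(DBpassword|SecretKey)[[:space:]]*=' "$3"; then
        echo "secret still assigned in $3"; findings=$((findings + 1))
    fi
    return "$findings"
}
```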