Secure Your Wiki
Why do I need security?
One of the main goals of a wiki is an open environment for sharing, collaborating on, and validating information. That openness carries risks. In a completely open wiki you risk vandalism, which may damage a small part of the site or take it over entirely; both extremes have been observed. Automated spam is worse, because a script can post far more junk than a human in the same amount of time. There are at least three options to consider when deciding how to deal with vandalism and spam.
- Do nothing. Your wiki may be fine and never see spam. This becomes less likely the larger and more visible the wiki gets.
- Protect the wiki from computer-generated spam. A CAPTCHA (see below) keeps most automated posters out; if your human visitors are friendly and non-destructive, this is probably the best option.
- Manage who may edit. If you prefer to control this yourself, install an extension (see below) under which a user must be granted permission by the administrator before editing. Users request a login from you, and you, as administrator, control each user's access to the wiki and what the different user levels you assign are allowed to do (see below).
Summary of Security Options
- Require account registration
  - If you want the greatest control over the different types of users and the permissions they receive when they request an account, this is the best option. You assign a level to each person who requests an account (a higher level means more privileges on your site) and decide what each level is permitted to do, anywhere from everyone being able to edit and contribute to no one but you being allowed to make changes.
- Confirm Edit / CAPTCHA / reCAPTCHA
  - If your main concern is automated spam, use a CAPTCHA: a challenge the user must answer that a script has trouble completing on its own. It also suits a wiki where users create their own accounts, or where visitors without an account may contribute, without opening the door to bots. The ConfirmEdit extension ships several CAPTCHA modules; the default, SimpleCaptcha, asks a simple arithmetic question, while reCAPTCHA shows distorted text that the user must decipher and is considerably harder for a script to solve.
- Perhaps the best is a combination of both!
Require Account Registration
By default, anyone can edit a MediaWiki wiki without logging in. Turning anonymous editing off (see the Security Settings for anonymous users) means only logged-in users can edit. Below are instructions for installing the ConfirmAccount extension, which lets visitors request an account that you approve before they can log in; the extension's own documentation page has more detail.
- download and extract the latest snapshot of the ConfirmAccount extension
- upload the "ConfirmAccount" folder to /extensions/ using FTP (see File Transfers in SiteGround)
- edit the ConfirmAccount.sql file for your MySQL database
  - /*$wgDBprefix*/ appears in two places. Replace it with your actual table prefix. If your wiki uses no prefix (as this site does) you can delete it or simply leave it in place: it is a SQL comment and MySQL ignores it.
- run the SQL script
  - via SiteGround: open phpMyAdmin in cPanel
  - go to your database (see more on SQL Databases)
  - select the SQL tab
  - paste the contents of ConfirmAccount.sql into the "Run SQL query/queries on database" box
  - select "Go"
- or run the script from a terminal. Leave the password off the command line: with -p alone, mysql prompts for it, which keeps the password out of your shell history and out of the process list where other users on a shared host could read it.
$ mysql -u [username] -p [database] < /script_path/ConfirmAccount.sql
- add the line below to LocalSettings.php
require_once("$IP/extensions/ConfirmAccount/SpecialConfirmAccount.php");
In LocalSettings.php, add the following code and reassign the true/false options for your preferences:
Once this is in place, account requests appear on Special:ConfirmAccounts (listed under Special pages, Users and rights, Confirm account requests). You must be logged in as a bureaucrat, the group that holds the confirmaccount right by default, to see and act on them.
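As an added example (not code from the original page or from the ConfirmAccount project), here is the set of LocalSettings.php entries that makes the request-an-account flow actually gate editing: without the first block, a visitor can still self-register through Special:CreateAccount and never touch the approval queue. It assumes MediaWiki 1.25 or later, where extensions are loaded with wfLoadExtension rather than the require_once line above; the e-mail addresses are placeholders.

```php
<?php
// Added example for this page, not the original author's or the
// ConfirmAccount project's code. LocalSettings.php fragment that closes
// the wiki to anonymous editing and self-registration and routes new
// users through ConfirmAccount. Assumes MediaWiki 1.25+; the addresses
// below are placeholders.

// WEAK (MediaWiki defaults): anyone may edit and anyone may create an
// account, so ConfirmAccount is bypassed via Special:CreateAccount.
//   $wgGroupPermissions['*']['edit']          = true;
//   $wgGroupPermissions['*']['createaccount'] = true;

// HARDENED: '*' is everyone, logged in or not. Anonymous visitors may
// read, but may neither edit nor register themselves.
$wgGroupPermissions['*']['read']          = true;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;

// Logged-in (i.e. approved) users may edit.
$wgGroupPermissions['user']['edit'] = true;

// Approving and rejecting requests. A right that is true in any one of a
// user's groups is granted, so never put these on '*' or 'user'.
$wgGroupPermissions['bureaucrat']['confirmaccount'] = true;
$wgGroupPermissions['bureaucrat']['requestips']     = true; // view requester IPs

// ConfirmAccount confirms the requester's e-mail and mails the decision,
// so outgoing mail must be configured.
$wgEnableEmail      = true;
$wgPasswordSender   = 'wiki@example.org';        // placeholder
$wgEmergencyContact = 'wiki-admin@example.org';  // placeholder

wfLoadExtension( 'ConfirmAccount' );

// Address rejection and approval notices are sent from (placeholder).
$wgConfirmAccountContact = 'wiki-admin@example.org';

// Make requesters explain themselves: require a short biography and
// acceptance of the terms of service.
$wgConfirmAccountRequestFormItems['Biography']['enabled']      = true;
$wgConfirmAccountRequestFormItems['Biography']['minWords']     = 50;
$wgConfirmAccountRequestFormItems['TermsOfService']['enabled'] = true;

// Put a CAPTCHA on the request form as well (needs ConfirmEdit), so a bot
// cannot flood the approval queue with junk requests.
$wgConfirmAccountCaptchas = true;

// Do not retain the request details after a decision; they are personal data.
$wgConfirmAccountSaveInfo = false;
```

To check it, log out and open Special:CreateAccount, which should now refuse with a permission error, then Special:RequestAccount, which should show the request form. Submit a test request and confirm it appears on Special:ConfirmAccounts only when you are logged in as a bureaucrat.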
User Rights Management
See the MediaWiki manual page on user rights to learn more about managing user rights and groups.
Requiring Human Verification to Edit (CAPTCHA & reCAPTCHA)
ConfirmEdit is a MediaWiki extension that makes the user pass a challenge before an action such as saving an edit or creating an account is accepted. Its default module, SimpleCaptcha, asks a simple arithmetic question; the more common form of CAPTCHA (including reCAPTCHA) shows distorted letters and numbers that the user must decipher and type back. Either way the aim is to protect your site from automated spam.
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) protects a site against spam posted automatically by scripts: it demands a response that a script cannot easily produce on its own. It raises the cost of automated abuse rather than eliminating it, and the arithmetic challenge in particular deters only the crudest bots. THIS DOES NOT PROTECT AGAINST HUMAN SPAM!! With the default triggers, users are prompted at account creation to prove they are human; if your wiki allows anonymous editing, anyone who answers the CAPTCHA correctly can edit without logging in. For many sites the best option is a CAPTCHA on account creation combined with user permission management.
reCAPTCHA is a third-party CAPTCHA service that plugs into ConfirmEdit as one of its modules. "Triggers" control which actions require a CAPTCHA: every edit, or only a select few such as adding an external link or creating an account.
ConfirmEdit is the extension; the CAPTCHA module is what you choose inside it. The modules differ in how hard they are for bots (reCAPTCHA is considerably harder than arithmetic) and in how much they inconvenience users, so pick the one that gives the best trade-off for your site.
| CAPTCHA positives | CAPTCHA negatives |
|---|---|
| protects against automated (computer) spam | does not protect against human spam |
| for sites with many users, it is the least work for administrators in managing automated spam | more work for users to edit, which may deter useful contributions |
| multiple levels of settings (triggers and exempt groups) | for the most protection it must be applied to almost every action (edit, new page, account creation...), which may annoy users |
Confirm Edit Installation
- Download the latest version: http://www.mediawiki.org/wiki/Special:ExtensionDistributor/ConfirmEdit
- Upload the files to /extensions/ConfirmEdit
- Add the following line to LocalSettings.php
require_once( "$IP/extensions/ConfirmEdit/ConfirmEdit.php" );
Confirm Edit Configuration
- Use these settings to decide which user groups are exempt from the CAPTCHA (the skipcaptcha right). Rights add up across groups: if any group a user belongs to has skipcaptcha set to true, that user is exempt, and a false in another group does not take it away. Everyone, logged in or not, is in the '*' group, so that one must stay false.
$wgGroupPermissions['*']['skipcaptcha'] = false;             // anonymous and everyone else
$wgGroupPermissions['user']['skipcaptcha'] = false;          // logged-in users
$wgGroupPermissions['autoconfirmed']['skipcaptcha'] = false; // accounts past the autoconfirm age/edit count
$wgGroupPermissions['bot']['skipcaptcha'] = true;            // registered bots
$wgGroupPermissions['sysop']['skipcaptcha'] = true;          // administrators
- Use these settings to decide which actions trigger the check.
$wgCaptchaTriggers['edit'] = false;         // every edit
$wgCaptchaTriggers['create'] = false;       // page creation
$wgCaptchaTriggers['addurl'] = true;        // edits that add external links
$wgCaptchaTriggers['createaccount'] = true; // account creation
$wgCaptchaTriggers['badlogin'] = true;      // after a failed login attempt
reCAPTCHA Installation
- See the reCAPTCHA section of the ConfirmEdit documentation for installation instructions. You will need a site key and a secret key issued for your domain; the secret key belongs only in LocalSettings.php, never in a page or a public repository.
reCAPTCHA Configuration
- Use these settings to decide when reCAPTCHA is required. They are the same $wgCaptchaTriggers as above; here every trigger is switched on, which is the strictest setting and the most intrusive for users.
$wgCaptchaTriggers['edit'] = true;          // check on every edit
$wgCaptchaTriggers['create'] = true;        // check on page creation
$wgCaptchaTriggers['addurl'] = true;        // check on edits that add URLs
$wgCaptchaTriggers['createaccount'] = true; // check on account creation
$wgCaptchaTriggers['badlogin'] = true;      // check after a failed log-in attempt
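The following is an added example, not the original page's or the ConfirmEdit project's own code: one ConfirmEdit configuration that covers the three things discussed above (which CAPTCHA module, which groups are exempt, which actions are challenged), with the weak setting shown commented out beside the hardened one. It assumes MediaWiki 1.25 or later (wfLoadExtensions) and that the FancyCaptcha images have been generated; the reCAPTCHA key values are placeholders.

```php
<?php
// Added example for this page, not the original author's or the
// ConfirmEdit project's code. LocalSettings.php fragment for a wiki that
// still allows anonymous editing. Assumes MediaWiki 1.25+; key values
// are placeholders.

// 1. Which CAPTCHA module. ConfirmEdit alone gives SimpleCaptcha
//    (arithmetic), which stops only the crudest bots. FancyCaptcha serves
//    distorted-text images that you generate in advance with
//    extensions/ConfirmEdit/maintenance/GenerateFancyCaptchas.php.
wfLoadExtensions( [ 'ConfirmEdit', 'ConfirmEdit/FancyCaptcha' ] );
$wgCaptchaClass     = 'FancyCaptcha';
$wgCaptchaDirectory = "$IP/images/captcha";   // where the generated images live

//    To use reCAPTCHA instead, load 'ConfirmEdit/ReCaptchaNoCaptcha', set
//    $wgCaptchaClass = 'ReCaptchaNoCaptcha' and supply the keys issued for
//    your domain (placeholders). The secret key must never be published.
//   $wgReCaptchaSiteKey   = 'SITE_KEY_PLACEHOLDER';
//   $wgReCaptchaSecretKey = 'SECRET_KEY_PLACEHOLDER';

// 2. Who is exempt. Rights are additive across groups: a true in any group
//    a user belongs to wins, and a false elsewhere does not revoke it.
//    Everyone is in '*', so this single line would exempt the whole world:
//   $wgGroupPermissions['*']['skipcaptcha'] = true;   // WEAK: nobody is ever checked
$wgGroupPermissions['*']['skipcaptcha']             = false;
$wgGroupPermissions['user']['skipcaptcha']          = false;
$wgGroupPermissions['autoconfirmed']['skipcaptcha'] = false;
$wgGroupPermissions['bot']['skipcaptcha']           = true;   // your own registered bots only
$wgGroupPermissions['sysop']['skipcaptcha']         = true;

// 3. Which actions are challenged. 'addurl' and 'createaccount' stop most
//    link spam and bot sign-ups at little cost to readers; 'edit' on every
//    save is the most annoying and only worth it while anonymous editing
//    is open.
$wgCaptchaTriggers['edit']          = true;   // every edit
$wgCaptchaTriggers['create']        = true;   // new pages
$wgCaptchaTriggers['addurl']        = true;   // edits that add an external link
$wgCaptchaTriggers['createaccount'] = true;   // account sign-up
$wgCaptchaTriggers['badlogin']      = true;   // after repeated failed logins
$wgCaptchaBadLoginAttempts          = 3;      // failures before 'badlogin' fires
```

To verify the exemptions rather than trust the file, log out and save an edit that adds an external link; you should be challenged. Log in as a sysop and repeat; you should not be. If an anonymous edit goes through unchallenged, look for a true on skipcaptcha in '*' or 'user', or for $wgCaptchaTriggers being reset further down in LocalSettings.php.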
Preventive Measures
Whether your wiki is compromised by spam or accidentally deleted, a recent backup is what turns a disaster into an inconvenience. Back up both the database and the uploaded files regularly, and keep a copy somewhere other than the web server, so that no single event can destroy the wiki beyond recovery. See the guide on backing up your wiki for the steps.
