User:Southparkfan/MW Security

This page describes how to make your MediaWiki installation more secure. Be aware that this is not an official manual, and that I am not responsible for any broken MediaWiki installations, costs for doing these steps, angry people or whatever. Mostly copied from https://www.mediawiki.org/w/index.php?title=Manual:Security&action=history.

PHP settings
You can disable these settings in the php.ini file; see this for where to find the php.ini file. On shared hosting you probably can't change the php.ini file yourself; contact the host's support team for help. You may also need to restart the web server (Apache, nginx, IIS, etc.) using /  (apache) or  /  (nginx) for the changes to take effect.
 1) Disable register_globals (deprecated as of PHP 5.3 and removed in PHP 5.4)
    * Example: if you see  it means register_globals is enabled. Change the line into.
 2) Disable allow_url_fopen
 3) Disable session.use_trans_sid
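
An added example (not from the original page or from MediaWiki): a small Python audit that reads the text of a php.ini and reports which of the three directives listed above are still enabled, including the case where a directive is absent or commented out and PHP's default applies. The function names and the sample php.ini are constructed for illustration; it inspects one file only, so values set elsewhere (additional ini files, web server configuration) are not seen.

```python
# Directives the page says to disable, mapped to PHP's built-in default
# (True = enabled) that applies when php.ini does not set them.
RISKY = {
    "register_globals": False,       # removed entirely in PHP 5.4
    "allow_url_fopen": True,         # enabled unless explicitly turned off
    "session.use_trans_sid": False,
}
TRUTHY = {"1", "on", "true", "yes"}  # php.ini boolean "on" spellings


def effective_settings(ini_text):
    """Return {directive: (enabled, line_no or None)} for the RISKY directives."""
    found = {name: (default, None) for name, default in RISKY.items()}
    for line_no, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        key, sep, value = line.partition("=")
        key = key.strip()                     # directive names are case sensitive
        if sep and key in RISKY:
            value = value.strip().strip("\"'").lower()
            # A later assignment in the same file overrides an earlier one.
            found[key] = (value in TRUTHY, line_no)
    return found


def findings(ini_text):
    """List the directives that are still enabled and where that comes from."""
    out = []
    for name, (enabled, line_no) in sorted(effective_settings(ini_text).items()):
        if enabled:
            where = f"line {line_no}" if line_no else "not set, PHP default applies"
            out.append(f"{name} is enabled ({where})")
    return out


# Constructed sample php.ini, not taken from a real server.
SAMPLE_INI = """\
[PHP]
; register_globals = Off
register_globals = On
;allow_url_fopen = Off
[Session]
session.use_trans_sid = 0
"""

if __name__ == "__main__":
    for finding in findings(SAMPLE_INI):
        print(finding)
```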

Prevent execution of files with specific file extensions
Few things are worse than the upload of a PHP file with malicious content. While MediaWiki offers many options to prevent this, a security flaw in MediaWiki could still make the upload of such files possible. If that happens, it's important that the web server does not execute these files.

Apache
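Put the following content in your Apache settings file:

 # Placeholder path: use the full path of your wiki's /images folder.
 <Directory "/path/to/mediawiki/images">
    # Ignore .htaccess files
    AllowOverride None

    # Serve HTML as plaintext, don't execute SHTML
    AddType text/plain .html .htm .shtml .php

    # Don't run arbitrary PHP code.
    php_admin_flag engine off

    # If you've other scripting languages, disable them too.
 </Directory>

OR

Put the following in the .htaccess file in your MediaWiki's /images folder:

 # Serve HTML as plaintext, don't execute SHTML
 AddType text/plain .html .htm .shtml .php

 # Don't run arbitrary PHP code.
 # php_admin_flag is not allowed in .htaccess files, so php_flag is used here.
 php_flag engine off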