Thread:Project:Support desk/Putting the wiki files on github/reply (5)

You're really not going to run into any more security issues just because you publish the source code, since the source code is already online. (Security through obscurity generally fails. It extra fails if the world already has access to everything).

In regards to: "These issues might arise anytime, also after you removed them. And when not even MediaWiki displays you that these extensions are still there, but the public can see this in your repository, then this situation is more dangerous than when no one can see, that these files are still there"

Well if you removed them properly (deleted the extension file from the servers), that's not really an issue. The code does not persist after you delete it from the server. If the extension code was not removed from the server, and just deactivated, then it is technically possible for the extension to have an entry point that is vulnerable. However occurrences of that type of vulnerability are very very rare since very few extensions have their own entry points (and they certainly should not).

Some cautions though:
 * Do not put things in the cache sub-directory somewhere public.
 * Putting the contents of images/deleted (or wherever you have $wgDeletedDirectory pointing. For max security it really shouldn't be in web root) would also be a bad idea
 * If you're using SQLite, putting the database file somewhere public is a bad idea (On a similar note, putting an unredacted dump of your db [of any type of db] would also be fairly stupid).
 * Putting your LocalSettings.php file (With your database password, $wgSecretKey and $wgUpgradeKey in it) is also a really bad plan.
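
A pre-publish check for the cautions listed in this reply, as an added example that is not part of the original post: it takes the paths a repository would publish (for instance the output of `git ls-files`) and reports the ones the list warns about. The function names, the database and dump suffixes, and the assumption that the cache directory is `cache/` at the wiki root are illustrative choices, and the sample paths are constructed.

```python
import re
from pathlib import PurePosixPath

# Assumed naming for SQLite files and SQL dumps; adjust to your own setup.
DB_SUFFIXES = (".sqlite", ".sqlite3", ".sql", ".sql.gz")


def deleted_dir(local_settings: str) -> str:
    """Return $wgDeletedDirectory relative to the wiki root ($IP).

    Falls back to images/deleted when the setting is absent or points
    outside $IP (which cannot end up in the repository anyway).
    """
    m = re.search(r"\$wgDeletedDirectory\s*=\s*[\"']\$IP/([^\"']+)[\"']",
                  local_settings)
    return m.group(1).strip("/") if m else "images/deleted"


def risky_paths(tracked, local_settings=""):
    """Map each tracked path that should not be published to the reason."""
    deleted = PurePosixPath(deleted_dir(local_settings))
    findings = {}
    for raw in tracked:
        p = PurePosixPath(raw)
        if p.name == "LocalSettings.php":
            findings[raw] = "holds DB password, $wgSecretKey, $wgUpgradeKey"
        elif p.parts[:1] == ("cache",):
            findings[raw] = "cache sub-directory"
        elif p == deleted or deleted in p.parents:
            findings[raw] = "deleted uploads ($wgDeletedDirectory)"
        elif raw.lower().endswith(DB_SUFFIXES):
            findings[raw] = "database file or dump"
    return findings


if __name__ == "__main__":
    # Constructed sample: a wiki that moved its deleted-uploads directory.
    settings = '$wgDeletedDirectory = "$IP/private/deleted";'
    tracked = ["LocalSettings.php", "cache/l10n.cdb", "index.php",
               "private/deleted/a/b/abc.png", "data/wiki.sqlite"]
    for path, reason in risky_paths(tracked, settings).items():
        print(f"do not publish {path}: {reason}")
```

The check reads LocalSettings.php locally only to find where deleted uploads live; it cannot tell a redacted dump from an unredacted one, so every dump it flags still needs a manual look.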