Manual:Combating vandalism


 * Is your site being vandalized? Please leave a message on the talk page or the forum, or the mediawiki-l email list to get advice.

When you install a  fresh copy of MediaWiki, it is susceptible to different kinds of intentional vandalism. Due to the nature of a wiki website, no matter how many protections are present, vandalism will always be present to a certain extent. This page will describe how to limit it. Note that Wikipedia is much larger than other websites that install MediaWiki; it has many more edits than the average wiki, but also more users to monitor vandalism. This changes the dynamics of vandalism for small wiki websites.

Types of attacks

 * Bot flood attacks: A vandal may attempt to run a bot that can edit/move and create pages at a high speed.
 * Bad user names: user names can be renamed using the Rename User extension. Always rename a user first and then do other actions (block and reverts). This will keep the logs and recent changes as clean as possible.
 * Removal of content (partial or complete)
 * Template vandalism: a vandal may edit commonly used templates to affect a large number of pages. To deal with this, protect the most commonly used templates which can be seen from Special page: Special:MostLinkedTemplates (for example on this wiki)

Preventative

 * Extension:AbuseFilter: An extension that monitors behaviours on the wiki and is very customizable. Different kinds of rules can be created. To see examples of filters and the work they do, see Wikipedia's filter rules. Filters can also be configured not to be visible to the public.
 * Extension:ConfirmEdit: Although Captchas are more helpful for spam, they're also helpful somewhat in dealing with vandalism in that the vandal may have to fill captchas for creating accounts, adding external links and so on, although this will also inconvenience the genuine user, so captchas should be used and configured thoughtfully.
 * Extension:Bad Behavior: A light weight alternative for AbuseFilter, which has more features
 * Extension:Title Blacklist: This helps against bad titles of pages and bad user names
 * Extension:AntiBot: May be useful in dealing with bot vandalism
 * Manual:$wgNamespaceProtection: Protect templates so only auto-confirmed users or sysops can edit templates

To temporarily disable account creation and anonymous editing, put this in LocalSettings.php: See Manual:Preventing access for other ways to prevent access.
 * Lockdown

Notification

 * Extension:Recent Activity Notify - sends an email to selected users on the wiki if there's any edits or moves from new users.

Edit approval

 * Extension:FlaggedRevs: approve changes to the stable version of a page

Cleaning up

 * Extension:Nuke - sysops can mass delete page created by a certain user or IP
 * Extension:Renameuser - so you can rename bad user names
 * Enable Rollback permissions by adding the following to your LocalSettings.php and give the rollback right in User Rights Management to trusted users, so they can revert vandalism easier when it happens:

Extensions bolded above are easy and quick to install and will help you a lot so definitely install those.
 * Extension:Recent Changes Cleanup - Enables administrators to keep their Recent Changes page free of vandalism related entries.
 * RevisionDelete: With this feature it is possible to hide certain parts of a revision.

Tips and Points to remember

 * One-time vandalism (or spam) from an IP address may deserve only a temporary block (1 month or a 1 week etc.) unless there is recurrent vandalism/spam from an IP address that is static.
 * Configure your protection systems such that they should not significantly inconvenience the average user.

Administration related shortcuts
Keep a page for administrators on the wiki related to quick links for dealing with vandalism. Click "Edit" for this section and copy the code below:
 * User related
 * User rename: Special:RenameUser (requires Extension:Renameuser)
 * New users log: Special:Log/newusers
 * User list: Special:ListUsers
 * Block related
 * Block IP: Special:Block
 * IP block ranges (perform block ranges carefully and in most cases only temporarily such as 24 hours, 3 days, 2 weeks, 3 months and so on depending on the situation):
 * Table of sample ranges
 * Most commonly used (sample blocks):
 * 69.208.0.0/16 (for blocking 69.208.x.x)
 * 69.208.52.0/24 (for blocking 69.208.52.x)
 * Block log: Special:Log/block
 * Unblocking and list of current blocks: Special:BlockList
 * Other shortcuts
 * MediaWiki:Titleblacklist - for editng list of bad titles (requires Extension:Title Blacklist)
 * Hide Revisions: For hiding bad usernames still left in logs or bad edit comments etc
 * Special:RecentChangesCleanup - clean up recent changes from vandalism (requires Extension:Recent Changes Cleanup) (always the last step)

Typical steps for dealing with vandalism

 * 1) Rename user if bad username
 * 2) Block username indefinitely (or whatever you think is appropriate)
 * 3) * Or if its an IP, block the IP temporarily (indefinite IP blocks are not recommended in most cases)
 * 4) Revert edits made by that user by checking the contribs. Note if you have renamed the user, the new username will have the contribs, not the original username.
 * 5) In the case of pages created by vandalism or redirects, delete those pages and redirects.
 * 6) Hide revisions if needed. This is helpful in hiding the edit comments or bad usernames for an edit so the page logs will remain clean
 * 7) Clean up recent changes and get rid of all the junk