Topic on Project:Support desk

Block web access to files and folders

Summary by Rehman

In my first MediaWiki (test) installation attempt, I had used Namecheap's inbuilt software installer called Softaculous. During install, there were barely any privacy questions asked. And judging from how public the content was by default, it seems like installing that way always ends up in "public wiki" settings. Hence my struggle to make things private, one configuration at a time.

I then uninstalled the wiki completely (including the database), and attempted to install again - this time following MediaWiki's manual installation instructions. Lo and behold, a lot of other useful configuration options appeared - including the option to set this up as a private wiki. This not only solved the direct-linking problem, but somehow also made the entire directory private, solving all my problems. Biggest tip here: Always install manually, and don't depend on automated nonsense.

Rehman (talkcontribs)

Hi. I have created a test wiki at wiki.rehman.website to demo how companies can use private wikis. But I'm sort of clueless on how to block public access to the files/folders (including mediawiki-uploaded images) on the server. For example, https://wiki.rehman.website/docs/ and https://wiki.rehman.website/images/ (and all other folders) are currently publicly accessible. After much looking up, the furthest I've got is adding a .htaccess file with "Deny from All". But that just blocks the whole site altogether.

I've read Manual:Image authorization but I find that lacking clear steps on how to go about with this from scratch. Can anyone assist please? Or point me to a page with clearer steps?

I want to block all direct public access to files and folders. Many thanks in advance.

Malyacko (talkcontribs)

This seems to be about restricting access to some folders on your webserver.

This needs to be fixed by changing the settings in your webserver software, not in the MediaWiki software.

Bawolff (talkcontribs)

The usual approach (with Apache) is to not have MediaWiki in the web directory, have Alias directives for any PHP entry points, use img_auth.php for images, and have a PHP script that only serves static files out of the extension directory (that isn't needed as much for modern MediaWiki, more for compat with old extensions).

Wikipedia essentially does this (in order to be a bit extra paranoid).

Rehman (talkcontribs)

Thank you for the replies, Malyacko and Bawolff. After looking a bit deeper, I've noticed the "Indexes" and "Hotlink protection" settings in cpanel (I use namecheap for this test site).

In the "Indexes" settings I had to select the main folder and choose the "no index" option (as opposed to the already selected default option). This immediately blocked all direct access to the site's folders, solving 50% of my problem (50% because the folders are now invisible, but already-obtained direct links to files still work).

The "Hotlink protection" setting allowed me to block all direct access to files. Based on my requirements, I had blocked png,gif,jpg,jpeg,webp,pdf,ppt,pptx,doc,docx,xls,xlsx,oft. It is interesting to note that for files such as JPG, the direct link (https://wiki.rehman.website/index.php/File:Testfile.jpg) does not work when accessing directly from the address bar, but works when you click the file link via an internal MediaWiki link. Obviously this is just one level of protection, and img_auth.php and others should also be followed.

Hope this helps other readers.

One thing I still need help with though, is how to block direct links such as https://wiki.rehman.website/load.php. Or, should they be blocked? If I add php to the hotlink protection settings, the site would not work.

Bawolff (talkcontribs)

Hotlink protection generally works by looking at Referer headers, which is why it blocks direct address bar access but not internal links.

In terms of blocking load.php - I guess I would ask what you are trying to accomplish by blocking hotlinks. Normally there wouldn't be much benefit to blocking hotlinks to it.


If you are using apache as your webserver, creating a file named .htaccess containing Deny From All will usually block access to files in that directory.

Rehman (talkcontribs)

Thanks for the reply. Load.php is just an example php file in that main directory. I guess my question should have been a bit clearer - the wiki will be a private wiki with sensitive information. Should I worry if files like these are publicly accessible via direct link?

Bawolff (talkcontribs)

You shouldn't rely on hotlink protection for any real security. It is very easy to bypass. It's designed to stop your bandwidth from being wasted (from links on a popular website), not to prevent access.

I would just ensure that img_auth.php is set up, make your image directory somewhere that isn't web accessible (so people can't directly view images), and ensure MediaWiki groups are set up correctly to restrict reading.


(This is the basic advice that works for an average person, and balances ease of setup with a reasonable amount of security. If the data is super sensitive, where lives/millions of dollars/etc are on the line, hire an information security consultant.)
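As an added illustration of the advice above (this is not code from the thread or from MediaWiki's own documentation), the LocalSettings.php settings that put the three pieces together: uploads stored outside the document root, every image URL routed through img_auth.php, and anonymous reading switched off. The filesystem path is an assumption for a typical shared-hosting layout.

```php
<?php
// Added example: LocalSettings.php fragment for a private wiki with img_auth.php.
// The path below is an assumption; pick any directory that no URL maps to.

// 1. Store uploads OUTSIDE the web root. The webserver never serves this
//    directory, so there is no direct link to block in the first place.
$wgUploadDirectory = "/home/example/private/images";

// 2. Build every image URL through img_auth.php instead of /images/...
//    img_auth.php checks the requesting user's 'read' right before streaming
//    the file, so a copied link is useless to anyone who is not logged in.
$wgUploadPath = "$wgScriptPath/img_auth.php";

// 3. Make the wiki private: anonymous visitors ('*') may not read or edit,
//    and cannot create their own accounts.
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;

// 4. Keep the login page reachable, otherwise nobody can sign in.
$wgWhitelistRead = [ 'Special:UserLogin' ];

// 5. Logged-in users read and edit; only sysops create accounts for others.
$wgGroupPermissions['user']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['sysop']['createaccount'] = true;
```

A quick check after the change: while logged out, an upload URL (now of the form .../img_auth.php/...) should come back as 403 from img_auth.php, and the old /images/... path should no longer return the file at all. If the upload directory has to stay under the web root, the .htaccess with Deny from All mentioned earlier in the thread in that directory gives the same effect.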

Rehman (talkcontribs)

Thanks. I've set up img_auth.php (and added the .htaccess in the /images folder), and also disabled index browsing on the main folder. Just one more question though (and pardon me if it's a silly one). Since all other folders don't have .htaccess set up (like /images does), they are publicly accessible if a direct link is available. Do any of the other MediaWiki files/folders have anything sensitive/unprotected, or can they be left as they are? Adding the same .htaccess setting as /images blocks MediaWiki from working.