User:Southparkfan/MW Security
This page describes how to make your MediaWiki installation more secure. Be aware that this is not an official manual, and that I am not responsible for any broken MediaWiki installations, costs for doing these steps, angry people or whatever. Mostly copied from https://www.mediawiki.org/w/index.php?title=Manual:Security&action=history.
PHP settings
You can disable these settings in the php.ini file (see the PHP manual for where your php.ini file is located). On shared hosting you probably cannot change the php.ini file; contact the hosting provider's support team for help. You may also need to reload or restart the webserver (Apache, nginx, IIS, etc.) for the change to take effect, for example with apachectl reload or rcapache2 reload (Apache), or with service nginx restart or /etc/init.d/nginx restart (nginx).
- Disable register_globals (deprecated as of PHP 5.3 and removed in PHP 5.4). Example: if you see
register_globals = On
it means register_globals is enabled. Change the line into
register_globals = Off
- Disable allow_url_fopen.
- Disable session.use_trans_sid.
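A quick way to verify the three settings above is to read them out of the php.ini file instead of eyeballing it. The POSIX shell script below is an added example, not part of this page or of MediaWiki: it takes the last uncommented assignment of each directive (later lines override earlier ones in php.ini), falls back to PHP's built-in default when a directive is absent (allow_url_fopen defaults to On, the other two to Off), and reports which ones are still enabled. The sample php.ini it audits is constructed inline.

```shell
#!/bin/sh
# Added example: audit a php.ini file for register_globals, allow_url_fopen
# and session.use_trans_sid. The sample file below is constructed.

# Effective value of a directive in a php.ini file: the last uncommented
# "name = value" line wins. Prints the lower-cased value, or "unset".
php_ini_value() {
    # $1 = path to php.ini, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }          # comment lines
        /^[[:space:]]*\[/   { next }          # [section] headers
        {
            line = $0
            sub(/[[:space:]]*[;#].*$/, "", line)   # strip trailing comments
            split(line, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (tolower(kv[1]) == tolower(key) && kv[2] != "") {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[2])
                val = tolower(kv[2])
            }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# PHP's built-in default when the directive is missing from php.ini
# (php.ini-production turns them off, a hand-written php.ini may not).
php_default() {
    case "$1" in
        allow_url_fopen) echo on ;;
        register_globals|session.use_trans_sid) echo off ;;
        *) echo unset ;;
    esac
}

# Value PHP would actually use: php.ini setting, else the built-in default.
effective_value() {
    v=$(php_ini_value "$1" "$2")
    [ "$v" = unset ] && v=$(php_default "$2")
    echo "$v"
}

# Prints one line per directive; returns the number still enabled.
audit_php_ini() {
    bad=0
    for d in register_globals allow_url_fopen session.use_trans_sid; do
        v=$(effective_value "$1" "$d")
        case "$v" in
            0|off|no|false|none) echo "OK   $d = $v" ;;
            *) echo "WARN $d = $v (should be Off)"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample php.ini: one bad setting, one good, one relying on the default.
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
; sample php.ini (constructed for this example)
[PHP]
register_globals = On        ; insecure
allow_url_fopen = Off
; session.use_trans_sid is not set here, so the built-in default (0) applies
EOF

audit_php_ini "$SAMPLE_INI" || echo "$? directive(s) need attention"
```

Point it at the real file with the path reported by the Loaded Configuration File entry of phpinfo(); on a server with several SAPIs (mod_php, php-fpm, CLI) each may read a different php.ini, so audit the one the webserver actually loads.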
Webserver settings
Prevent execution of files with specific file extensions
Few things are worse than an attacker uploading a PHP file with malicious content. MediaWiki offers many options to prevent this, but a security flaw in MediaWiki could still make uploading such files possible. If that happens, it is important that the webserver refuses to execute them.
Apache
Put the following in your Apache configuration (httpd.conf or the virtual host file):
<Directory /path/to/mediawiki/images>
    # Ignore .htaccess files
    AllowOverride None
    # Serve HTML as plaintext, don't execute SHTML
    AddType text/plain .html .htm .shtml .php
    # Don't run arbitrary PHP code. The php_* directives only exist while mod_php
    # is loaded; under PHP-FPM/FastCGI this line is unavailable and you must make
    # sure no handler for .php is configured for this directory instead.
    php_admin_flag engine off
    # If you've other scripting languages, disable them too.
</Directory>
OR
Put the following in the .htaccess file in your MediaWiki's /images folder (this only works if the server configuration allows .htaccess overrides for that directory; the Directory block above uses AllowOverride None, which disables them):
AddType text/plain .html .htm .shtml .php
# php_admin_flag is refused in .htaccess files (every request would fail with a 500 error);
# use php_flag here, which needs AllowOverride Options (or All) for the images directory.
php_flag engine off
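To check that a Directory block or .htaccess file really carries both protections, the POSIX shell script below audits a config fragment. It is an added example, not part of this page, of MediaWiki or of Apache: it looks for an AddType line that maps .php to text/plain and for an "engine off" directive that is valid in the given context, and it flags php_admin_* in .htaccess, which Apache rejects. It assumes mod_php (the php_* directives exist only while mod_php is loaded); the two sample .htaccess files are constructed inline.

```shell
#!/bin/sh
# Added example: audit an Apache config fragment for the upload-directory
# protections. Sample files are constructed; file names are placeholders.

# Drop comments and blank lines from a config fragment.
config_lines() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Does some AddType line map .php to text/plain? (exit 0 = yes)
php_served_as_text() {
    config_lines "$1" | grep -Eiq \
        '^[[:space:]]*AddType[[:space:]]+text/plain([[:space:]]+\.[a-z0-9]+)*[[:space:]]+\.php([[:space:]]|$)'
}

# Is the PHP engine switched off with a directive valid for this context?
# $2 is "server" (httpd.conf / vhost file) or "htaccess". (exit 0 = yes)
php_engine_off() {
    case "$2" in
        server)   pat='^[[:space:]]*php_(admin_)?flag[[:space:]]+engine[[:space:]]+off' ;;
        htaccess) pat='^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off' ;;
        *) echo "unknown context: $2" >&2; return 2 ;;
    esac
    config_lines "$1" | grep -Eiq "$pat"
}

# php_admin_flag / php_admin_value are refused in .htaccess, so Apache answers
# every request below that directory with 500 instead of protecting it.
htaccess_uses_admin_flag() {
    config_lines "$1" | grep -Eiq '^[[:space:]]*php_admin_'
}

# Prints findings; returns the number of problems found.
audit_upload_dir_config() {
    # $1 = config file, $2 = server | htaccess
    problems=0
    if php_served_as_text "$1"; then
        echo "OK   .php is served as text/plain"
    else
        echo "WARN no AddType text/plain line covering .php"; problems=$((problems + 1))
    fi
    if php_engine_off "$1" "$2"; then
        echo "OK   PHP engine is off"
    else
        echo "WARN PHP engine is not disabled with a directive valid in $2"; problems=$((problems + 1))
    fi
    if [ "$2" = htaccess ] && htaccess_uses_admin_flag "$1"; then
        echo "WARN php_admin_* is not allowed in .htaccess (causes HTTP 500)"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples: an .htaccess using php_admin_flag, and the corrected one.
WRONG_HTACCESS=$(mktemp); FIXED_HTACCESS=$(mktemp)
trap 'rm -f "$WRONG_HTACCESS" "$FIXED_HTACCESS"' EXIT
cat > "$WRONG_HTACCESS" <<'EOF'
AddType text/plain .html .htm .shtml .php
php_admin_flag engine off
EOF
cat > "$FIXED_HTACCESS" <<'EOF'
# constructed: the same protections with a directive .htaccess accepts
AddType text/plain .html .htm .shtml .php
php_flag engine off
EOF

audit_upload_dir_config "$WRONG_HTACCESS" htaccess || echo "$? problem(s) in the .htaccess"
audit_upload_dir_config "$FIXED_HTACCESS" htaccess || echo "$? problem(s) in the .htaccess"
```

A static check like this cannot tell whether .htaccess files are honoured at all, so after changing the configuration also confirm it end to end: drop a harmless test file such as canary.php containing only a comment into the images directory, request it, and make sure the response is the file's raw source with a text/plain content type before deleting it again.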