User:Southparkfan/MW Security

From mediawiki.org

This page describes how to make your MediaWiki installation more secure. Be aware that this is not an official manual, and that I am not responsible for any broken MediaWiki installations, costs for doing these steps, angry people or whatever. Mostly copied from https://www.mediawiki.org/w/index.php?title=Manual:Security&action=history.

PHP settings

You can disable these settings in the php.ini file; where that file is located depends on your PHP installation (php --ini prints the path). On shared hosting it is likely that you cannot change the php.ini file; contact the hosting provider's support team for help. You may also need to restart or reload the webserver (Apache, nginx, IIS, etc.) for the change to take effect, for example with apachectl reload or rcapache2 reload (Apache), or service nginx restart or /etc/init.d/nginx restart (nginx).

  1. Disable register_globals (DEPRECATED as of PHP 5.3 and REMOVED in PHP 5.4).
    • Example: if you see register_globals = On, register_globals is enabled. Change the line to register_globals = Off.
  2. Disable allow_url_fopen.
  3. Disable session.use_trans_sid.
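To check a php.ini against the three settings above, here is an added example (not code from this page or from MediaWiki) that parses the ini syntax PHP uses (";" comments, [sections], quoted values, the On/Off/1/0/yes/no/true/false boolean spellings) and reports each directive's state; the sample ini text in it is constructed.

```python
# Added example, not from the original page: audit a php.ini for the three
# settings this section says to disable. Parses ';' comments, [sections],
# quoted values and PHP's boolean spellings; the sample ini is constructed.
# register_globals no longer exists in PHP >= 5.4; a line there is a leftover.
MUST_BE_OFF = ("register_globals", "allow_url_fopen", "session.use_trans_sid")
_TRUE = {"1", "on", "yes", "true"}
_FALSE = {"0", "off", "no", "false", "none", ""}

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":          # blank, comment or [section]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if value[:1] in ("'", '"'):              # quoted: a ';' inside is literal
            end = value.find(value[0], 1)
            value = value[1:end] if end > 0 else value[1:]
        else:                                    # unquoted: drop trailing comment
            value = value.split(";", 1)[0].strip()
        settings[key.strip().lower()] = value
    return settings

def ini_bool(value):
    """Interpret a PHP ini boolean; None when the spelling is unrecognised."""
    v = value.strip().lower()
    return True if v in _TRUE else False if v in _FALSE else None

def audit(text):
    """Map each must-be-off directive to 'off', 'ON', 'unset' or 'unknown'."""
    settings = parse_php_ini(text)
    report = {}
    for key in MUST_BE_OFF:
        if key not in settings:   # built-in default applies; confirm with `php -i`
            report[key] = "unset"
            continue
        flag = ini_bool(settings[key])
        report[key] = "unknown" if flag is None else ("ON" if flag else "off")
    return report

SAMPLE_INI = """; constructed sample php.ini fragment
[PHP]
register_globals = Off
allow_url_fopen = On   ; still enabled, should be Off
"""
```

Run audit(open("/etc/php/php.ini").read()) against your real file; a directive reported as "unset" takes PHP's built-in default, so confirm its effective value with php -i.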

Webserver settings

Prevent execution of files with specific file extensions

Warning: This method only covers a few file extensions; other extensions may also allow execution of malicious content!

Little is worse than an uploaded PHP file with malicious content. MediaWiki offers many options to prevent such uploads, but a security flaw in MediaWiki could still make them possible. If that happens, it is important that the uploaded files cannot be executed.

Apache

Warning: Limit write access to these files! See also the chmod/chown settings section.

Put the following content in your Apache settings file:

<Directory /path/to/mediawiki/images>
# Ignore .htaccess files
AllowOverride None
 
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php
 
# Don't run arbitrary PHP code.
# (php_admin_flag only has an effect when PHP runs as an Apache module, mod_php;
# with PHP-FPM/FastCGI the PHP handler must be disabled for this directory instead.)
php_admin_flag engine off
 
# If you have other scripting languages, disable them too.
</Directory>

Or put the following in the .htaccess file in your MediaWiki's /images folder:

AddType text/plain .html .htm .shtml .php
# php_admin_flag is not allowed in .htaccess files (it is server-config only and
# causes a 500 error there); php_flag is the .htaccess equivalent, again mod_php only.
php_flag engine off

chmod/chown settings

Other stuff