Security Best Practice
Latest revision as of 02:28, 31 March 2025
Security Best Practices for MediaWiki
This article provides a comprehensive overview of security best practices for administrators and users of MediaWiki installations. It's aimed at beginners but covers a wide range of topics, from basic configuration to ongoing maintenance. Ignoring these practices can leave your wiki vulnerable to attacks, data loss, and defacement. This guide assumes you're using MediaWiki version 1.40 or later, although many principles apply to older versions as well.
Understanding the Threat Landscape
Before diving into specific solutions, it's crucial to understand the types of threats your MediaWiki installation might face. These include:
- **Cross-Site Scripting (XSS):** Attackers inject malicious scripts into wiki pages that are then executed by other users' browsers. This can lead to session hijacking, defacement, or redirection to malicious websites.
- **SQL Injection:** Attackers manipulate database queries to gain unauthorized access to data, modify content, or even execute arbitrary commands on the server.
- **Cross-Site Request Forgery (CSRF):** Attackers trick authenticated users into performing actions they didn't intend to, such as changing their passwords or publishing malicious content.
- **Brute-Force Attacks:** Attackers attempt to guess usernames and passwords through repeated login attempts.
- **File Upload Vulnerabilities:** If file uploads are enabled, attackers may upload malicious files (e.g., PHP scripts) that can compromise the server.
- **Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks:** Attackers flood the server with traffic, making it unavailable to legitimate users. While MediaWiki itself can't fully prevent these, proper server configuration and potentially a Content Delivery Network (CDN) can mitigate their impact.
- **Malware Infections:** Compromised extensions or themes can introduce malware into your wiki.
- **Privilege Escalation:** Attackers exploit vulnerabilities to gain higher-level access than they should have.
- **Information Disclosure:** Sensitive information, such as database credentials or internal server paths, may be unintentionally exposed. See Manual:Configuration settings for configuration advice.
Core Security Configuration
The initial configuration of your MediaWiki installation is critical.
- **Secure Server Environment:** Your web server (e.g., Apache, Nginx) and operating system must be securely configured. This includes keeping them up-to-date with the latest security patches, using strong passwords, and limiting access to administrative privileges. Refer to your server's documentation for specific security hardening guidelines.
- **HTTPS:** *Always* use HTTPS to encrypt communication between users' browsers and your wiki server. This protects sensitive data, such as login credentials, from eavesdropping. Obtain an SSL/TLS certificate from a trusted Certificate Authority (CA). Let's Encrypt ([1](https://letsencrypt.org/)) provides free SSL/TLS certificates. Configure your web server to redirect all HTTP traffic to HTTPS.
- **`$wgSecretKey`:** This setting in `LocalSettings.php` is *extremely* important. It's used to generate cryptographic signatures for various security features, such as session cookies and CSRF protection. Use a long, random string for this value. Do *not* share it publicly.
- **`$wgSessionSecret`:** Similar to `$wgSecretKey`, this setting should also be a long, random string. It protects session cookies from being hijacked.
- **Database Security:**
  * Use a strong password for the database user that MediaWiki uses.
  * Grant the database user only the necessary privileges. Avoid granting `SUPER` or `ALL PRIVILEGES`.
  * Restrict database access to the MediaWiki server. Don't allow remote connections from untrusted networks.
- **`$wgUploadDirectory` Permissions:** If file uploads are enabled, ensure that the `$wgUploadDirectory` has appropriate permissions. The web server user should have write access, but other users should not. This prevents attackers from uploading malicious files.
- **Disable Directory Listing:** Prevent the web server from displaying directory listings. This can reveal sensitive information about your wiki's file structure.
- **Error Reporting:** Disable detailed error reporting in production environments. Detailed error messages can reveal sensitive information to attackers.
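The settings discussed above, collected into one `LocalSettings.php` fragment. This is an added example, not configuration from the original page or from the MediaWiki project. The hostname `wiki.example.org`, the database user name and every `REPLACE_...` value are placeholders you must substitute; directory listing and file permissions are set in the web server and on the filesystem, not here.

```php
<?php
// LocalSettings.php fragment (added example). Assumed hostname: wiki.example.org.

// HTTPS: advertise the https URL and redirect plain-http requests to it.
$wgServer = "https://wiki.example.org";
$wgCanonicalServer = "https://wiki.example.org";
$wgForceHTTPS = true;       // MediaWiki 1.35 and later
$wgCookieSecure = true;     // session cookies are only sent over TLS
$wgCookieHttpOnly = true;   // and cannot be read by page scripts

// Secrets: 64 hex characters each, generated once, for example with
//   php -r 'echo bin2hex(random_bytes(32)), "\n";'
// Keep them out of version control and never reuse a value from documentation.
$wgSecretKey = "REPLACE_WITH_64_HEX_CHARS";
$wgSessionSecret = "REPLACE_WITH_A_DIFFERENT_64_HEX_CHARS";

// Refuse to start with a placeholder or short secret rather than run with a weak one.
foreach ( [ 'wgSecretKey' => $wgSecretKey, 'wgSessionSecret' => $wgSessionSecret ] as $name => $value ) {
    if ( strlen( $value ) < 64 || strncmp( $value, 'REPLACE_', 8 ) === 0 ) {
        die( "\$$name in LocalSettings.php is not configured" );
    }
}

// Database: a dedicated user, a strong password, and only local connections.
$wgDBserver = "127.0.0.1";
$wgDBuser = "wikiuser";                            // assumed user name
$wgDBpassword = "REPLACE_WITH_STRONG_DB_PASSWORD";

// Error reporting: production shows neither exception details nor hostnames.
$wgShowExceptionDetails = false;
$wgShowHostnames = false;
ini_set( 'display_errors', '0' );

// Uploads: stay disabled until upload restrictions are configured. The directory
// itself must be writable by the web server user only, and the web server must
// not execute scripts stored in it.
$wgEnableUploads = false;
$wgUploadDirectory = "$IP/images";
```

The guard near the top is deliberately loud: a wiki that cannot start is easier to notice than one that quietly signs its session cookies with a placeholder secret.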
User Account Security
- **Strong Passwords:** Enforce strong password policies. Require users to choose passwords that are at least 12 characters long and contain a mix of uppercase and lowercase letters, numbers, and symbols. Consider using an extension like Extension:PasswordStrength to help users create strong passwords.
- **Account Creation:**
  * Consider requiring email verification for new accounts. This helps prevent the creation of fake accounts.
  * Implement a CAPTCHA system to prevent automated account creation by bots. reCAPTCHA ([2](https://www.google.com/recaptcha/)) is a popular option.
  * Moderate new account registrations.
- **Two-Factor Authentication (2FA):** Enable 2FA for all users, especially administrators. 2FA adds an extra layer of security by requiring users to provide a second form of authentication, such as a code from a mobile app, in addition to their password. Extension:TwoFactorAuth provides 2FA functionality.
- **Account Lockout:** Implement account lockout policies. After a certain number of failed login attempts, temporarily lock the account to prevent brute-force attacks.
- **Regular Account Audits:** Periodically review user accounts and remove inactive or suspicious accounts.
- **User Rights Management:** Carefully manage user rights. Grant users only the privileges they need to perform their tasks. Avoid giving unnecessary administrative rights. See Manual:User rights management.
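An added `LocalSettings.php` fragment (not from the original page or the MediaWiki project) that implements the account-security items above with MediaWiki core settings: password policy, login throttling, email confirmation, restricted account creation and least-privilege group rights, plus two-factor authentication through the bundled OATHAuth extension. The thresholds are example values, not figures from the page.

```php
<?php
// LocalSettings.php fragment (added example): account security with core settings.
// All numeric thresholds are example values; tune them to your wiki.

// Password policy: 12 characters minimum for everyone, more for privileged groups.
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = [
    'value' => 12,
    'suggestChangeOnLogin' => true,   // users with older, shorter passwords are prompted at login
];
$wgPasswordPolicy['policies']['default']['PasswordNotInCommonList'] = true;
$wgPasswordPolicy['policies']['default']['PasswordCannotBeSubstringInUsername'] = true;
$wgPasswordPolicy['policies']['sysop']['MinimalPasswordLength'] = [ 'value' => 16, 'forceChange' => true ];
$wgPasswordPolicy['policies']['bureaucrat'] = $wgPasswordPolicy['policies']['sysop'];

// Brute force: core throttles failed logins rather than locking the account outright,
// so an attacker cannot lock legitimate users out by guessing their name.
$wgPasswordAttemptThrottle = [
    [ 'count' => 5,  'seconds' => 300 ],    // 5 failures per username+IP in 5 minutes
    [ 'count' => 50, 'seconds' => 86400 ],  // 50 failures in a day
];

// Account creation: a confirmed e-mail address before editing, and only logged-in
// users may create further accounts (drop the two createaccount lines for open sign-up).
$wgEnableEmail = true;
$wgEmailConfirmToEdit = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = true;

// Least privilege: uploads only once an account has aged and made a few edits.
$wgAutoConfirmAge = 4 * 86400;
$wgAutoConfirmCount = 10;
$wgGroupPermissions['user']['upload'] = false;
$wgGroupPermissions['autoconfirmed']['upload'] = true;

// Two-factor authentication: OATHAuth ships with the MediaWiki tarball.
wfLoadExtension( 'OATHAuth' );
$wgGroupPermissions['sysop']['oathauth-enable'] = true;
```

`forceChange` on the sysop policy makes an administrator whose password no longer meets the policy change it at the next login, which is the practical way to retrofit a stricter rule onto existing privileged accounts.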
Extension and Skin Security
- **Only Install Trusted Extensions:** Only install extensions from reputable sources, such as the MediaWiki Extension Directory ([3](https://www.mediawiki.org/wiki/Extension_directory)). Before installing an extension, review its code and documentation to understand its functionality and potential security implications.
- **Keep Extensions Updated:** Regularly update all extensions to the latest versions. Updates often include security fixes. Extension:ExtensionManager can help manage extensions.
- **Review Extension Code:** Whenever possible, review the code of any extension you are installing, especially if it's from a less well-known source. Look for potential vulnerabilities, such as SQL injection flaws or XSS vulnerabilities.
- **Minimize Extensions:** Only install the extensions you absolutely need. Each extension adds to the attack surface of your wiki.
- **Skin Security:** Choose a well-maintained skin from a trusted source. Keep the skin updated to the latest version. Be cautious about using custom skins from unknown sources.
- **Extension Permissions:** Pay attention to the permissions requested by extensions. Some extensions may require excessive permissions that could compromise your wiki's security.
Content Security and Input Validation
- **Input Validation:** Always validate user input to prevent XSS and SQL injection attacks. Sanitize input before storing it in the database or displaying it on the page. MediaWiki's built-in sanitization functions can help with this.
- **Output Encoding:** Encode output before displaying it on the page to prevent XSS attacks. MediaWiki automatically encodes output in most cases, but it's important to be aware of this issue.
- **WikiText Restrictions:** Be aware of the potential security implications of WikiText. Limit the use of potentially dangerous WikiText features, such as raw HTML.
- **File Upload Restrictions:** If file uploads are enabled, restrict the types of files that can be uploaded. Only allow trusted file types, such as images and documents. Scan uploaded files for malware.
- **External Links:** Be cautious about linking to external websites. Malicious websites can use external links to redirect users to phishing sites or download malware.
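An added `LocalSettings.php` fragment (not the page's or the project's own configuration) covering the content-side items above: raw HTML off, an explicit allow-list for upload types with MIME verification, a size cap, and nofollow plus a spam filter for external links. The spam-domain pattern is constructed for the example.

```php
<?php
// LocalSettings.php fragment (added example): content and upload restrictions.

// Raw HTML in wikitext lets any editor inject script into every reader's browser;
// keep it off unless every editor is fully trusted.
$wgRawHtml = false;
$wgAllowImageTag = false;   // no <img src="..."> to arbitrary external URLs

// Uploads: allow-list the extensions, verify the MIME type against the content,
// and keep the built-in checks for scripts hidden inside images on.
$wgEnableUploads = true;
$wgFileExtensions = [ 'png', 'jpg', 'jpeg', 'gif', 'webp', 'pdf' ];
$wgCheckFileExtensions = true;
$wgStrictFileExtensions = true;     // anything not in $wgFileExtensions is rejected
$wgProhibitedFileExtensions = array_merge( $wgProhibitedFileExtensions,
    [ 'php', 'phtml', 'php5', 'phar', 'html', 'htm', 'js', 'svg', 'exe' ] );
$wgVerifyMimeType = true;
$wgMimeTypeExclusions = array_merge( $wgMimeTypeExclusions,
    [ 'application/x-php', 'text/x-php', 'text/html', 'image/svg+xml' ] );
$wgDisableUploadScriptChecks = false;
$wgMaxUploadSize = 10 * 1024 * 1024;   // 10 MiB

// External links: nofollow on every external link, and reject edits that add
// known spam domains (constructed pattern; maintain your own list).
$wgNoFollowLinks = true;
$wgSpamRegex = '/\b(?:casino-example|cheap-pills-example)\.(?:com|net)\b/i';
```

SVG is excluded here on purpose even though MediaWiki can scan it: an SVG is an XML document that may carry script, so allow it only if you need it and have reviewed the scanner's limits for your version.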
Ongoing Maintenance and Monitoring
- **Regular Updates:** Keep MediaWiki itself updated to the latest version. Updates often include security fixes and performance improvements.
- **Log Monitoring:** Regularly monitor the MediaWiki logs for suspicious activity. Look for failed login attempts, unauthorized access attempts, and other anomalies. Consider using a log analysis tool.
- **Security Audits:** Periodically conduct security audits of your wiki. This can involve reviewing configurations, scanning for vulnerabilities, and testing security controls.
- **Backups:** Regularly back up your wiki's database and files. This allows you to restore your wiki in case of a security breach or data loss. Automate the backup process.
- **Vulnerability Scanning:** Utilize vulnerability scanning tools like OWASP ZAP ([4](https://www.zaproxy.org/)) or Nikto ([5](https://cirt.net/Nikto2)) to proactively identify potential security weaknesses.
- **Incident Response Plan:** Develop an incident response plan to guide your actions in the event of a security breach. The plan should outline steps for containing the breach, investigating the cause, and restoring your wiki.
- **Stay Informed:** Stay up-to-date on the latest security threats and vulnerabilities. Subscribe to security mailing lists and follow security blogs. See resources like SANS Institute ([6](https://www.sans.org/)), NIST ([7](https://www.nist.gov/)), and OWASP ([8](https://owasp.org/)).
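A small log-analysis script as an added example of the "Log Monitoring" item (not code from the original page or from the MediaWiki project): it reads an authentication log, counts failed logins per source address inside a sliding time window, and reports sources that cross a threshold. The log lines are constructed for this example; the exact format produced by `$wgDebugLogGroups['authentication']` depends on your logger configuration, so adapt the regular expression to your own output.

```php
<?php
// failed-logins.php (added example): report source IPs with many failed logins.
// Usage: php failed-logins.php [/path/to/authentication.log]

const THRESHOLD = 5;          // failures from one IP before it is reported
const WINDOW_SECONDS = 600;   // counted inside a window of this length

// Constructed sample input; the line format is assumed, not MediaWiki's exact format.
$sampleLog = <<<'LOG'
2025-03-31 02:28:10 wiki: Login for "Alice" from 203.0.113.5 failed
2025-03-31 02:28:12 wiki: Login for "Alice" from 203.0.113.5 failed
2025-03-31 02:28:15 wiki: Login for "Admin" from 203.0.113.5 failed
2025-03-31 02:28:16 wiki: Login for "Bob" from 198.51.100.7 succeeded
2025-03-31 02:28:19 wiki: Login for "Root" from 203.0.113.5 failed
2025-03-31 02:28:21 wiki: Login for "Sysop" from 203.0.113.5 failed
2025-03-31 02:28:22 wiki: Login for "Alice" from 203.0.113.5 failed
2025-03-31 02:40:00 wiki: Login for "Carol" from 198.51.100.7 failed
LOG;

/**
 * Return [ ip => [ 'failures', 'usernames', 'first', 'last' ] ] for every source
 * address with at least THRESHOLD failed logins inside WINDOW_SECONDS.
 */
function findSuspiciousSources( string $log ): array {
    $pattern = '/^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ Login for "([^"]+)" from (\S+) failed$/';
    $events = [];   // ip => list of [ unix timestamp, username ]
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( !preg_match( $pattern, $line, $m ) ) {
            continue;   // successful logins and unrelated lines are ignored
        }
        $events[$m[3]][] = [ strtotime( $m[1] . ' UTC' ), $m[2] ];
    }

    $report = [];
    foreach ( $events as $ip => $list ) {
        usort( $list, fn ( $a, $b ) => $a[0] <=> $b[0] );
        $n = count( $list );
        // Sliding window: $j advances while the failure at $j is within the window of $i.
        for ( $i = 0, $j = 0; $i < $n; $i++ ) {
            while ( $j < $n && $list[$j][0] - $list[$i][0] <= WINDOW_SECONDS ) {
                $j++;
            }
            if ( $j - $i >= THRESHOLD ) {
                $slice = array_slice( $list, $i, $j - $i );
                $report[$ip] = [
                    'failures'  => $j - $i,
                    'usernames' => array_values( array_unique( array_column( $slice, 1 ) ) ),
                    'first'     => gmdate( 'c', $list[$i][0] ),
                    'last'      => gmdate( 'c', $list[$j - 1][0] ),
                ];
                break;   // one report per address is enough
            }
        }
    }
    return $report;
}

$log = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sampleLog;
foreach ( findSuspiciousSources( $log ) as $ip => $info ) {
    printf( "%s: %d failed logins between %s and %s, usernames tried: %s\n",
        $ip, $info['failures'], $info['first'], $info['last'],
        implode( ', ', $info['usernames'] ) );
}
```

On the sample input only `203.0.113.5` is reported: six failures in twelve seconds against four different usernames, which is the password-spraying shape worth an alert, while the single failure from `198.51.100.7` is ignored. Feeding the report into your firewall or to `$wgRateLimits` exclusions is a separate step; this script only detects.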
Advanced Security Considerations
- **Content Security Policy (CSP):** Implement a Content Security Policy to control the resources that the browser is allowed to load. This can help prevent XSS attacks.
- **Subresource Integrity (SRI):** Use Subresource Integrity to ensure that external resources, such as JavaScript libraries, have not been tampered with.
- **Rate Limiting:** Implement rate limiting to prevent brute-force attacks and DoS attacks.
- **Web Application Firewall (WAF):** Consider using a Web Application Firewall to protect your wiki from common web attacks. Cloudflare ([9](https://www.cloudflare.com/)) and Sucuri ([10](https://sucuri.net/)) are popular WAF providers.
- **Intrusion Detection System (IDS) / Intrusion Prevention System (IPS):** Deploy an IDS/IPS to detect and prevent malicious activity on your server.
- **Regular Penetration Testing:** Engage a security professional to conduct penetration testing of your wiki. This can help identify vulnerabilities that you may have missed.
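An added `LocalSettings.php` fragment (not from the original page or the MediaWiki project) for the two items above that MediaWiki core can do by itself: a Content Security Policy rolled out in report-only mode first, and per-action rate limits. The limit values are examples.

```php
<?php
// LocalSettings.php fragment (added example): CSP and rate limits.

// Content Security Policy. Start in report-only mode so browsers report violations
// without blocking anything; MediaWiki receives the reports at its own API endpoint
// and adds 'self' and the sources its ResourceLoader needs to every directive.
$wgCSPReportOnlyHeader = [
    'default-src' => [],      // no third-party hosts
    'script-src'  => [],      // no external script hosts either
    'object-src'  => [],      // no plugins at all
    'useNonces'   => false,
];
// Once the reports are clean, enforce the same policy:
// $wgCSPHeader = $wgCSPReportOnlyHeader;

// Rate limits: [ count, seconds ] per action and per kind of client. Limits are
// counted in the object cache, so $wgMainCacheType must not be CACHE_NONE.
$wgMainCacheType = CACHE_ACCEL;
$wgRateLimits['edit']['ip']         = [ 8, 60 ];     // anonymous editors, per address
$wgRateLimits['edit']['newbie']     = [ 8, 60 ];     // accounts not yet autoconfirmed
$wgRateLimits['upload']['user']     = [ 10, 60 ];
$wgRateLimits['purge']['ip']        = [ 10, 60 ];
$wgRateLimits['mailpassword']['ip'] = [ 3, 3600 ];   // password-reset mails
$wgRateLimits['badcaptcha']['ip']   = [ 10, 60 ];    // only meaningful with a CAPTCHA extension
```

`CACHE_ACCEL` assumes a PHP opcode/APCu cache on a single server; on a multi-server installation use a shared cache such as memcached instead, or the counters will differ per server and the limits will not hold.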
Resources and Further Reading
- **MediaWiki Security Documentation:** [11](https://www.mediawiki.org/wiki/Security)
- **OWASP Top Ten:** [12](https://owasp.org/www-project-top-ten/)
- **SANS Institute:** [13](https://www.sans.org/)
- **NIST Cybersecurity Framework:** [14](https://www.nist.gov/cyberframework)
- **CIS Benchmarks:** [15](https://www.cisecurity.org/benchmarks/)
- **Qualys SSL Labs:** [16](https://www.ssllabs.com/ssltest/) (for testing SSL/TLS configuration)
- **SecurityFocus:** [17](https://www.securityfocus.com/)
- **Threatpost:** [18](https://threatpost.com/)
- **Dark Reading:** [19](https://www.darkreading.com/)
- **Krebs on Security:** [20](https://krebsonsecurity.com/)
- **Have I Been Pwned?:** [21](https://haveibeenpwned.com/) (check if your email has been compromised in a data breach)
- **MITRE ATT&CK Framework:** [22](https://attack.mitre.org/) (knowledge base of adversary tactics and techniques)
- **Nmap:** [23](https://nmap.org/) (network scanning tool)
- **Wireshark:** [24](https://www.wireshark.org/) (network protocol analyzer)
- **Burp Suite:** [25](https://portswigger.net/burp) (web application security testing tool)
- **Metasploit Framework:** [26](https://www.metasploit.com/) (penetration testing framework)
- **Shodan:** [27](https://www.shodan.io/) (search engine for internet-connected devices)
- **Censys:** [28](https://censys.io/) (internet security intelligence platform)
- **VirusTotal:** [29](https://www.virustotal.com/) (malware analysis service)
- **GreyNoise:** [30](https://greynoise.io/) (internet background noise analysis)
- **Recorded Future:** [31](https://www.recordedfuture.com/) (threat intelligence platform)
- **MISP:** [32](https://www.misp-project.org/) (malware information sharing platform)
- **The Hacker News:** [33](https://thehackernews.com/)
- **BleepingComputer:** [34](https://www.bleepingcomputer.com/)
By following these best practices, you can significantly improve the security of your MediaWiki installation and protect your data from unauthorized access and malicious attacks. Remember that security is an ongoing process, not a one-time fix. Continuously monitor your wiki for vulnerabilities and update your security measures as needed. See Manual:FAQ for frequently asked questions.