Manual:Security

1. Manual:Security

Security is paramount when running a MediaWiki installation, especially one accessible from the public internet. This article details essential security considerations for MediaWiki administrators, covering everything from basic server hardening to specific MediaWiki configurations and ongoing maintenance. This guide is aimed at beginners, but also offers insights for more experienced users. Ignoring these practices can lead to data breaches, website defacement, and denial of service attacks.

Understanding the Threat Landscape

Before diving into specific configurations, it’s crucial to understand the types of threats your MediaWiki installation faces. These broadly fall into several categories:

• Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages viewed by other users. This can steal cookies, redirect users to phishing sites, or deface the wiki. Proper input sanitization and output encoding are critical defenses. See Manual:Handling email addresses for related sanitization techniques applicable in other contexts.
• SQL Injection (SQLi): Attackers inject malicious SQL code into database queries, potentially allowing them to read, modify, or delete data. Using prepared statements and parameterized queries is the primary prevention method.
• Cross-Site Request Forgery (CSRF): Attackers trick users into performing actions they didn't intend to, such as changing their password or publishing malicious content. CSRF tokens are the standard defense.
• Brute-Force Attacks: Attackers attempt to guess usernames and passwords through repeated login attempts. Strong passwords, account lockout policies, and CAPTCHAs can mitigate this.
• File Upload Vulnerabilities: Allowing unrestricted file uploads can allow attackers to upload malicious scripts or executables. Strict file type validation and storage outside the web root are essential.
• Denial of Service (DoS) / Distributed Denial of Service (DDoS): Attackers overwhelm the server with traffic, making it unavailable to legitimate users. This requires network-level mitigation techniques, often provided by hosting providers. Understanding Manual:Configuration settings can help optimize performance and potentially withstand smaller attacks.
• Wiki Spam & Vandalism: Automated bots and malicious users can create spam pages, deface existing pages, or insert harmful links. Spam filters, CAPTCHAs, and vigilant administrators are needed.
• Exploitation of MediaWiki and Extension Vulnerabilities: Bugs in MediaWiki core or installed extensions can be exploited by attackers. Regular updates are vital.

Server Hardening

The security of your MediaWiki installation starts with the underlying server. These steps apply regardless of your operating system (Linux, Windows, etc.).

• Keep your Operating System Updated: Regularly apply security patches and updates to your OS. This is the most fundamental security measure.
• Firewall Configuration: Configure a firewall to only allow necessary traffic to your server (e.g., HTTP/HTTPS ports 80/443, SSH port 22 if needed).
• Secure Shell (SSH) Hardening: If using SSH, disable password authentication and use SSH keys instead. Change the default SSH port. Restrict SSH access to specific IP addresses if possible.
• Web Server Configuration (Apache/Nginx):

   * Disable Directory Listing: Prevent attackers from browsing your server's directory structure.
   * Limit File Permissions: Ensure that files and directories have the least necessary permissions.  Web server user should *not* have write access to the MediaWiki directory unless absolutely necessary.
   * Configure HTTPS:  Use HTTPS (SSL/TLS) to encrypt communication between the server and users.  Let's Encrypt provides free SSL certificates.  See Manual:HTTPS for detailed instructions.
   * Hide Server Signature:  Remove the server signature from HTTP responses to prevent attackers from identifying your web server software.

• Database Security:

   * Strong Database Password:  Use a strong, unique password for your database user.
   * Restrict Database User Permissions:  Grant the database user only the necessary permissions (e.g., SELECT, INSERT, UPDATE, DELETE) for the MediaWiki database.
   * Firewall Database Access:  Restrict access to the database server to only the web server.

• PHP Security:

   * Keep PHP Updated:  Regularly update PHP to the latest version with security patches.
   * Disable Unnecessary PHP Functions:  Disable potentially dangerous PHP functions (e.g., `exec`, `shell_exec`, `system`) in your `php.ini` file.
   * Configure `open_basedir` Directive:  Restrict PHP's access to only the MediaWiki directory and its subdirectories. This limits the impact of potential code injection attacks.

MediaWiki Configuration

Once the server is hardened, focus on securing the MediaWiki installation itself.

• `LocalSettings.php` Security:

   * `$wgSecretKey` :  This is *critical*.  Generate a strong, random secret key and keep it confidential.  Used for CSRF protection.
   * `$wgSessionName` :  Change the default session name to make it harder for attackers to hijack sessions.
   * `$wgCookiePrefix` :  Change the default cookie prefix for similar reasons.
   * `$wgUploadDirectory` :  Ensure the upload directory is *outside* the web root. This prevents attackers from directly executing uploaded files.  Configure appropriate file permissions.
   * `$wgScriptPath` : Set this correctly to the path where MediaWiki is installed.
   * `$wgEnableEmail` : If email functionality is not required, disable it. If enabled, configure it securely.
   * `$wgSMTP` and related settings: If using SMTP, ensure it's configured correctly and securely.
   * `$wgRateLimits` : Implement rate limiting to prevent brute-force attacks and spam.  See Manual:Rate limiting for details.
   * `$wgAntiSpamDB` : Enable and configure an anti-spam database.

• User Account Security:

   * Strong Password Policy: Enforce a strong password policy (minimum length, complexity). Consider using an extension like Extension:PasswordStrength.
   * Account Creation Restrictions:  Require email verification for new accounts.  Consider enabling CAPTCHAs for account creation.
   * Disable Anonymous Editing:  Require users to log in to edit pages. This significantly reduces vandalism.
   * Regularly Review User Accounts:  Monitor user accounts for suspicious activity.
   * Two-Factor Authentication (2FA): Implement 2FA for administrators and other privileged users.  Extension:TwoFactorAuthentication provides this functionality.

• Extension Security:

   * Only Install Necessary Extensions:  Avoid installing extensions you don't need.  Each extension is a potential security risk.
   * Keep Extensions Updated:  Regularly update extensions to the latest versions with security patches.
   * Review Extension Code:  If possible, review the code of extensions before installing them.  Pay attention to permissions and potential vulnerabilities.
   * Use Reputable Extensions:  Download extensions from the official MediaWiki Extension Repository or other trusted sources.

• CAPTCHAs: Use CAPTCHAs to prevent automated bots from creating accounts, editing pages, or submitting forms. Extension:ReCaptcha is a popular option.
• Blacklisting: Use a blacklist to prevent users from posting specific words or links. Extension:AbuseFilter provides powerful blacklisting and filtering capabilities.
• Permissions and Group Management: Carefully manage user permissions and group memberships. Grant users only the necessary access. See Manual:User rights management.

Ongoing Maintenance

Security is not a one-time task. It requires ongoing maintenance.

• Regular Updates: Keep MediaWiki core and all extensions updated to the latest versions. This is the most important thing you can do to protect your installation.
• Security Audits: Periodically perform security audits to identify vulnerabilities. Consider using automated vulnerability scanners.
• Log Monitoring: Monitor MediaWiki logs for suspicious activity. Pay attention to failed login attempts, unauthorized edits, and error messages.
• Backup and Recovery: Regularly back up your MediaWiki installation (database and files) and test your recovery process. This ensures you can restore your wiki in case of a security breach or other disaster.
• Security Awareness Training: If you have multiple administrators, provide them with security awareness training. They need to understand the threats and how to mitigate them.

Advanced Security Considerations

• Web Application Firewall (WAF): A WAF can protect your MediaWiki installation from common web attacks, such as SQL injection and XSS.
• Intrusion Detection System (IDS) / Intrusion Prevention System (IPS): An IDS/IPS can detect and prevent malicious activity on your server.
• Content Security Policy (CSP): CSP is a browser security mechanism that helps prevent XSS attacks. Configure CSP headers in your web server configuration.
• HTTP Strict Transport Security (HSTS): HSTS forces browsers to use HTTPS, preventing man-in-the-middle attacks.
• Rate Limiting at the Web Server Level: Implement rate limiting in your web server configuration (e.g., using `mod_ratelimit` in Apache or `limit_req_zone` in Nginx).
• Regular Expression Denial of Service (ReDoS) Prevention: Be cautious when using regular expressions, as poorly written expressions can lead to ReDoS attacks. Test expressions thoroughly.

Resources and Further Reading

• **MediaWiki Security Documentation:** [1](https://www.mediawiki.org/wiki/Security)
• **OWASP (Open Web Application Security Project):** [2](https://owasp.org/)
• **SANS Institute:** [3](https://www.sans.org/)
• **NIST Cybersecurity Framework:** [4](https://www.nist.gov/cyberframework)
• **SQL Injection Prevention:** [5](https://owasp.org/www-project-sql-injection-prevention/)
• **XSS Prevention:** [6](https://owasp.org/www-project-xss/)
• **CSRF Prevention:** [7](https://owasp.org/www-project-csrf/)
• **Let's Encrypt:** [8](https://letsencrypt.org/)
• **Security Headers:** [9](https://securityheaders.com/)
• **Content Security Policy:** [10](https://content-security-policy.com/)
• **Common Vulnerabilities and Exposures (CVE):** [11](https://cve.mitre.org/) – Track known vulnerabilities.
• **Exploit Database:** [12](https://www.exploit-db.com/) – Understand how vulnerabilities are exploited.
• **Trend Micro:** [13](https://www.trendmicro.com/) – Security solutions and threat intelligence.
• **Kaspersky:** [14](https://www.kaspersky.com/) – Security solutions and threat intelligence.
• **Sophos:** [15](https://www.sophos.com/) – Security solutions and threat intelligence.
• **Cloudflare:** [16](https://www.cloudflare.com/) – Web performance and security.
• **Sucuri:** [17](https://sucuri.net/) – Website security platform.
• **Qualys:** [18](https://www.qualys.com/) – Vulnerability management and compliance solutions.
• **Nmap:** [19](https://nmap.org/) – Network scanning tool.
• **Wireshark:** [20](https://www.wireshark.org/) – Network protocol analyzer.
• **Burp Suite:** [21](https://portswigger.net/burp) – Web application security testing tool.
• **Metasploit Framework:** [22](https://www.metasploit.com/) – Penetration testing framework.
• **OWASP ZAP:** [23](https://owasp.org/www-project-zap/) – Free web application security scanner.
• **SecurityFocus:** [24](https://www.securityfocus.com/) – Security news and vulnerability information.
• **Dark Reading:** [25](https://www.darkreading.com/) – Cybersecurity news and analysis.
• **Krebs on Security:** [26](https://krebsonsecurity.com/) – Cybersecurity blog by Brian Krebs.
• **The Hacker News:** [27](https://thehackernews.com/) – Cybersecurity news.

Manual:Configuration settings Manual:HTTPS Manual:Rate limiting Extension:PasswordStrength Extension:TwoFactorAuthentication Extension:ReCaptcha Extension:AbuseFilter Manual:User rights management Manual:Handling email addresses Manual:Extensions

Start Trading Now

Sign up at IQ Option (Minimum deposit $10) Open an account at Pocket Option (Minimum deposit $5)

Join Our Community

Subscribe to our Telegram channel @strategybin to receive: ✓ Daily trading signals ✓ Exclusive strategy analysis ✓ Market trend alerts ✓ Educational materials for beginners