Securing your Wiki


To change the access levels of existing groups or add new groups, you need to have shell/ftp access to the machine that MediaWiki is running on. You can add or remove permissions to a group with the following sample statements in LocalSettings.php.

To disable account creation by anonymous visitors (this replaces $wgWhitelistAccount from 1.4):

 $wgGroupPermissions['*']['createaccount'] = false;

To require that users log in to edit (this replaces the $wgWhitelistEdit from 1.4):

 $wgGroupPermissions['*']['edit'] = false;

It’s worth noting that if you set this, you may also want to set

 $wgShowIPinHeader = false; # For non-logged in users

This removes the link to the talk page in the header for non-logged in users, and hasn’t changed from 1.4.

If $wgWhitelistRead is set, you must also disable the ‘read’ permission for it to take effect on anonymous users. Any CSS and JS pages used by the Main Page or the login page should be included in the whitelist as well, to avoid IE’s scripting error dialog box.

 $wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
 $wgGroupPermissions['*']['read'] = false;

Main Page is not mandatory in this list. To avoid the “login required” redirect page, you can change loginToUse() in includes/OutputPage.php:

 // Replacement for the original method: instead of rendering a "login required"
 // page, send anonymous readers straight to the login form.
 function loginToUse() {
     $titleObj = Title::makeTitle( NS_SPECIAL, "Userlogin" );
     $this->redirect( $titleObj->getFullURL() );
 }

You can define new groups as well, and then assign them to users through Special:Userrights:

 $wgGroupPermissions['ninja']['delete'] = true;
 $wgGroupPermissions['ninja']['block'] = true;
 $wgGroupPermissions['ninja']['bot'] = true;

This blocks every page except the login page and the other whitelisted pages for anyone who is not logged in (an anonymous user):

 # Disable reading for anonymous (not-logged-in => * ) users:
 $wgGroupPermissions['*']['read'] = false;
 # ... and allow anonymous users to read the following pages:
 $wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
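The settings above all feed MediaWiki's group permission model, and the one property worth understanding before relying on them is that rights are additive across groups: a user holds a right if any of their groups grants it, so a `false` in the anonymous group `*` never takes a right away from a logged-in user, who is always also in the `user` group. The following stand-alone PHP script is an added example, not code from the original post or from MediaWiki itself. It models that merge rule with constructed helpers (`effectiveGroups`, `effectiveRights`, `canRead`) over the exact settings from this post; the group names and the default rights for `*` and `user` are MediaWiki's, while the helper functions, the sample users and the page titles are assumptions made for the example.

```php
<?php
// Added example (not from the original post or from MediaWiki): a model of how
// $wgGroupPermissions is resolved. It mirrors the additive rule MediaWiki applies:
// a user holds a right if ANY of their groups grants it.

// Defaults resembling the shipped DefaultSettings.php for the '*' and 'user' groups.
$wgGroupPermissions = array();
$wgGroupPermissions['*']['read']          = true;
$wgGroupPermissions['*']['edit']          = true;
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['user']['read']       = true;
$wgGroupPermissions['user']['edit']       = true;
$wgGroupPermissions['user']['move']       = true;

// The hardening from the post: lock anonymous visitors out of editing, reading
// and account creation, and whitelist the titles they still need to see.
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );

// The custom group from the post, assigned to users through Special:Userrights.
$wgGroupPermissions['ninja']['delete'] = true;
$wgGroupPermissions['ninja']['block']  = true;
$wgGroupPermissions['ninja']['bot']    = true;

// Constructed helper: every visitor is implicitly in '*', every logged-in user is
// additionally in 'user', plus whatever groups were assigned to the account.
function effectiveGroups( $loggedIn, array $assignedGroups ) {
    $groups = array( '*' );
    if ( $loggedIn ) {
        $groups[] = 'user';
    }
    return array_merge( $groups, $assignedGroups );
}

// Constructed helper mirroring the additive merge: collect every right that any
// of the user's groups sets to true. A false in one group never cancels a true
// in another group.
function effectiveRights( array $groups, array $groupPermissions ) {
    $rights = array();
    foreach ( $groups as $group ) {
        if ( !isset( $groupPermissions[$group] ) ) {
            continue;
        }
        foreach ( $groupPermissions[$group] as $right => $granted ) {
            if ( $granted ) {
                $rights[$right] = true;
            }
        }
    }
    return array_keys( $rights );
}

// Constructed helper: may this visitor read the given title? Either the 'read'
// right or an exact entry in $wgWhitelistRead is enough.
function canRead( $title, array $rights, array $whitelist ) {
    return in_array( 'read', $rights, true ) || in_array( $title, $whitelist, true );
}

$anon  = effectiveRights( effectiveGroups( false, array() ), $wgGroupPermissions );
$user  = effectiveRights( effectiveGroups( true, array() ), $wgGroupPermissions );
$ninja = effectiveRights( effectiveGroups( true, array( 'ninja' ) ), $wgGroupPermissions );

// Anonymous visitors end up with no rights at all; only whitelisted titles are
// visible to them. "Internal Notes" is a constructed page title.
printf( "anonymous rights: %s\n", implode( ', ', $anon ) );
printf( "anonymous can read 'Main Page': %s\n",
    canRead( 'Main Page', $anon, $wgWhitelistRead ) ? 'yes' : 'no' );
printf( "anonymous can read 'Internal Notes': %s\n",
    canRead( 'Internal Notes', $anon, $wgWhitelistRead ) ? 'yes' : 'no' );

// Logged-in users keep read, edit and move through the 'user' group: the
// '*' = false lines above only affect the anonymous group.
printf( "user rights: %s\n", implode( ', ', $user ) );

// A member of 'ninja' is a logged-in user with three extra rights on top.
printf( "ninja rights: %s\n", implode( ', ', $ninja ) );
```

Run it with `php` from the command line. Two practical consequences follow from the merge rule: setting a right to `false` for `*` restricts only visitors who are not logged in, so a group that should lose a right it inherits from `user` cannot be handled this way, and `$wgWhitelistRead` matches page titles exactly, so a misspelled entry silently leaves that page unreadable for anonymous visitors rather than failing loudly. Read restrictions in MediaWiki are a convenience rather than an isolation boundary; the project's own documentation advises against keeping genuinely sensitive material on a wiki that anonymous users can reach at all.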
