[aklug] securing mediawiki

From: John Heim <john@johnheim.com>
Date: Fri Feb 28 2014 - 09:44:01 AKST

I'm helping out with the wiki for the International Association of
Visually Impaired Technologists, http://wiki.iavit.org. We have a
problem in that it keeps getting hacked. We're running
Ubuntu Server 12.0.4 and MediaWiki 1.15.

I originally chose MediaWiki because I figured more people would be
familiar with the markup language. At first I configured it so you just
had to create an account to edit. But then someone started using
the wiki as a dating site or something. So then I saved all the real
pages as text files, deleted the whole thing, re-installed, and set it
up so you had to create an account and confirm your email address before
you could edit. But then it got hacked again. Well, I figured I must
have done something wrong so I repeated the whole process (at least I
didn't have to create a new backup) and before I had even confirmed my
own email some hacker had already registered and confirmed his email. He
was quicker than me. Of course, I took the time to make sure I couldn't
edit w/o confirming my email. That was not the problem. Within a few
minutes, there were several accounts each with a confirmed email
address. They must have a bot that creates an account with a legitimate
email address and confirms the request.

I am looking for suggestions on how to make it fairly easy for us to
keep out hackers. I am thinking it might work if we can set it up so the
person has to confirm their email and then we have to approve the
account before it is created. But I cannot find any documentation on
setting that up. Plus maybe there is a better way.

---
John Heim
email: john@johnheim.com  skype: john.g.heim
Received on Fri Feb 28 09:44:27 2014