[aklug] Re: securing mediawiki

From: Ginterak <marc@interak.com>
Date: Fri Feb 28 2014 - 11:35:47 AKST

http://m.mediawiki.org/wiki/Manual:MediaWiki_Security_Guide

> On Feb 28, 2014, at 9:44 AM, John Heim <john@johnheim.com> wrote:
>
>
> I'm helping out with the wiki for the International Association of Visually Impaired Technologists, http://wiki.iavit.org. We have a problem in that it keeps getting hacked. We're running Ubuntu server 12.0.4 and MediaWiki 1.15.
>
> I originally chose MediaWiki because I figured more people would be familiar with the markup language. At first I configured it so you just had to create an account to edit. But then someone started using the wiki as a dating site or something. So then I saved all the real pages as text files, deleted the whole thing, re-installed, and set it up so you had to create an account and confirm your email address before you could edit. But then it got hacked again. Well, I figured I must have done something wrong so I repeated the whole process (at least I didn't have to create a new backup) and before I had even confirmed my own email some hacker had already registered and confirmed his email. He was quicker than me. Of course, I took the time to make sure I couldn't edit w/o confirming my email. That was not the problem. Within a few minutes, there were several accounts each with a confirmed email address. They must have a bot that creates an account with a legitimate email address and confirms the request.
>
> I am looking for suggestions on how to make it fairly easy for us to keep out hackers. I am thinking it might work if we can set it up so the person has to confirm their email and then we have to approve the account before it is created. But I cannot find any documentation on setting that up. Plus maybe there is a better way.
>
> ---
> John Heim
> email: john@johnheim.com skype: john.g.heim
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
Received on Fri Feb 28 11:36:14 2014

This archive was generated by hypermail 2.1.8 : Fri Feb 28 2014 - 11:36:14 AKST