Difference between revisions of "List of security measures taken for this site"
Line 1: | Line 1: | ||
==Restrict Permissions== | ==Restrict Permissions== | ||
− | '''Eagle-rock.org''' was established in December 2011. After an upgrade in September 2015 I neglected to include security settings that blocked users from creating accounts. In September 2015 the security hole created by this was located and targeted by '''spam bots'''<ref>[[Wikipedia:Spam Bots]]</ref>. Spam bots have gotten sophisticated enough to create an account and post articles. Once a spam bot gets in, it automatically calls other bots until there is a tidal wave of spam bots hammering the website. | + | '''Eagle-rock.org''' was established in December 2011. After an upgrade in September 2015 I neglected to include security settings that blocked users from creating accounts. In September 2015 the security hole created by this was located and targeted by '''spam bots'''<ref>[[Wikipedia:Spam Bots]]</ref>. Spam bots have gotten sophisticated enough to create an account and post articles. Once a spam bot gets in, it automatically calls other bots until there is a tidal wave of spam bots hammering the website. I learned this lesson the hard way. The only solution is to '''restrict permissions'''<ref>[https://www.mediawiki.org/wiki/Manual:Preventing_access Mediawiki:Preventing Access]</ref> by entering the following codes into '''LocalSettings.php.''' |
<pre>$wgGroupPermissions['*']['createaccount'] = false;</pre> | <pre>$wgGroupPermissions['*']['createaccount'] = false;</pre> |
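Review bot: the added sentence on the + side closes its bold span as '''LocalSettings.php.''', which puts the sentence's final period inside the bolded file name; end the bold markup before the period. The same sentence announces "the following codes" while the only setting visible in this hunk is the createaccount line, so "settings" would be the more accurate word here.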
Revision as of 23:59, 22 September 2015
Restrict Permissions
Eagle-rock.org was established in December 2011. After an upgrade in September 2015 I neglected to include security settings that blocked users from creating accounts. In September 2015 the security hole created by this was located and targeted by spam bots[1]. Spam bots have gotten sophisticated enough to create an account and post articles. Once a spam bot gets in, it automatically calls other bots until there is a tidal wave of spam bots hammering the website. I learned this lesson the hard way. The only solution is to restrict permissions[2] by entering the following codes into LocalSettings.php.
$wgGroupPermissions['*']['createaccount'] = false;
This setting blocks visitors who are not logged in from creating accounts.[3] All accounts must therefore be created by an Administrator.
$wgGroupPermissions['*']['edit'] = false;
This setting blocks visitors who are not logged in from editing pages. To edit a page, a user must have an account created by an Administrator.
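A check for the regression described above, as an added example (not code from this site or from MediaWiki): it reads the text of a LocalSettings.php and reports which of the two rights are still granted to the '*' group. It relies on MediaWiki's defaults granting both rights when no override is present; the function names and sample files are constructed for illustration.

```python
import re

# MediaWiki core defaults for the '*' group (everyone, including anonymous
# visitors): both rights are granted unless LocalSettings.php overrides them.
DEFAULTS = {"createaccount": True, "edit": True}

# Matches: $wgGroupPermissions['*']['right'] = true|false;
ASSIGN = re.compile(
    r"""\$wgGroupPermissions\s*\[\s*['"]\*['"]\s*\]\s*"""
    r"""\[\s*['"](\w+)['"]\s*\]\s*=\s*(true|false)\s*;""",
    re.IGNORECASE,
)

def strip_comments(php):
    """Drop /* */ blocks and # or // line comments (simplified: assumes the
    permission lines do not share a line with string literals holding # or //)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(#|//).*", "", php)

def effective_rights(local_settings):
    """Effective '*' rights; the last assignment in the file wins."""
    rights = dict(DEFAULTS)
    for right, value in ASSIGN.findall(strip_comments(local_settings)):
        if right in rights:
            rights[right] = value.lower() == "true"
    return rights

def open_rights(local_settings):
    """Rights still granted to anonymous visitors, sorted by name."""
    return sorted(r for r, on in effective_rights(local_settings).items() if on)

# Constructed samples, not taken from any real site.
HARDENED = """<?php
$wgSitename = "Example";
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
"""
# After an upgrade: one line lost, the other left commented out.
REGRESSED = """<?php
$wgSitename = "Example";
# $wgGroupPermissions['*']['createaccount'] = false;
"""
# A later pasted snippet re-enables anonymous editing.
OVERRIDDEN = HARDENED + "$wgGroupPermissions[\"*\"][\"edit\"] = true;\n"

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED), ("regressed", REGRESSED),
                       ("overridden", OVERRIDDEN)]:
        print(name, "-> open to anonymous:", open_rights(text) or "none")
```

Running it against the live file after every upgrade turns a silently dropped setting into a visible failure.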
File Upload Security
To prevent users from uploading files with malicious code to the Upload Directory, place a .htaccess file inside the 'images' directory with this content[4]:
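# No php execution in the upload area
# (php_flag is the form allowed in .htaccess; php_admin_flag is only accepted in the main server configuration)
php_flag engine off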