Difference between revisions of "List of security measures taken for this site"

From eagle-rock.org
Line 1: Line 1:
 
==Restrict Permissions==
 
==Restrict Permissions==
'''Eagle-rock.org''' was established in December 2011. After an upgrade in September 2015 I neglected to include security settings that blocked users from creating accounts. In September 2015 the security hole created by this was located and targeted by '''spam bots'''<ref>[[Wikipedia:Spam Bots]]</ref>. Spam bots have gotten sophisticated enough to create an account and post articles. Once a spam bot gets in, it automatically calls other bots until there is a tidal wave of spam bots hammering the website. We learned this lesson the hard way. The only solution is to '''restrict permissions'''<ref>[https://www.mediawiki.org/wiki/Manual:Preventing_access Mediawiki:Preventing Access]</ref> by entering the following codes into '''LocalSettings.php.'''
+
'''Eagle-rock.org''' was established in December 2011. After an upgrade in September 2015 I neglected to include security settings that blocked users from creating accounts. In September 2015 the security hole created by this was located and targeted by '''spam bots'''<ref>[[Wikipedia:Spam Bots]]</ref>. Spam bots have gotten sophisticated enough to create an account and post articles. Once a spam bot gets in, it automatically calls other bots until there is a tidal wave of spam bots hammering the website. I learned this lesson the hard way. The only solution is to '''restrict permissions'''<ref>[https://www.mediawiki.org/wiki/Manual:Preventing_access Mediawiki:Preventing Access]</ref> by entering the following codes into '''LocalSettings.php.'''
  
 
<pre>$wgGroupPermissions['*']['createaccount'] = false;</pre>
 
<pre>$wgGroupPermissions['*']['createaccount'] = false;</pre>
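Review bot: the closing '''LocalSettings.php.''' in the changed paragraph keeps the full stop inside the bold markup, so the file name renders in bold as "LocalSettings.php." with a trailing dot; move the period outside the closing quotes. The paragraph also says "the following codes" while this hunk shows a single <pre> line, so "the following settings" would read better. The change from "We learned" to "I learned" agrees with "I neglected" earlier in the paragraph.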

Revision as of 23:59, 22 September 2015

Restrict Permissions

Eagle-rock.org was established in December 2011. After an upgrade in September 2015 I neglected to include security settings that blocked users from creating accounts. In September 2015 the security hole created by this was located and targeted by spam bots[1]. Spam bots have gotten sophisticated enough to create an account and post articles. Once a spam bot gets in, it automatically calls other bots until there is a tidal wave of spam bots hammering the website. I learned this lesson the hard way. The only solution is to restrict permissions[2] by entering the following codes into LocalSettings.php.

$wgGroupPermissions['*']['createaccount'] = false;

This setting blocks visitors who are not logged in from creating accounts.[3] All accounts must therefore be created by an Administrator.

$wgGroupPermissions['*']['edit'] = false;

This setting blocks visitors who are not logged in from editing pages. To edit a page, a user must first have an account created by an Administrator.
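A check for the failure described above, where an upgrade leaves LocalSettings.php without these two lines. This is an added example, not part of the original page or of MediaWiki: it reads the text of a LocalSettings.php, applies MediaWiki's defaults for the '*' group (both rights granted), and reports which of the two rights are still open. The function names and sample files are constructed for illustration, and the parser assumes plain true/false assignments with no includes or conditional logic.

```python
import re

# MediaWiki's shipped defaults for the '*' (everyone) group: both rights are
# granted unless LocalSettings.php turns them off.
DEFAULTS = {("*", "createaccount"): True, ("*", "edit"): True}

ASSIGN = re.compile(
    r"""\$wgGroupPermissions\s*\[\s*['"]([^'"]+)['"]\s*\]\s*"""
    r"""\[\s*['"]([^'"]+)['"]\s*\]\s*=\s*(true|false)\s*;""",
    re.IGNORECASE,
)

def strip_comments(php):
    """Drop /* */ blocks and whole-line # or // comments."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return "\n".join(l for l in php.splitlines() if not re.match(r"\s*(#|//)", l))

def effective_permissions(php):
    """Return {(group, right): bool}; a later assignment overrides an earlier one."""
    perms = dict(DEFAULTS)
    for group, right, value in ASSIGN.findall(strip_comments(php)):
        perms[(group, right)] = value.lower() == "true"
    return perms

def open_rights(php, required_off=("createaccount", "edit")):
    """List the rights that anonymous visitors still hold."""
    perms = effective_permissions(php)
    return [r for r in required_off if perms[("*", r)]]

# Constructed sample: both settings present.
HARDENED = """<?php
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
"""

# Constructed sample: one setting commented out, so the default applies.
AFTER_UPGRADE = """<?php
# $wgGroupPermissions['*']['createaccount'] = false;
$wgSitename = "Example";
$wgGroupPermissions['*']['edit'] = false;
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("after upgrade", AFTER_UPGRADE)):
        print(name, "->", open_rights(text) or "no open rights")
```

Running it against the live file after every upgrade catches a dropped setting before the first bot registration does.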

File Upload Security

To keep uploaded files that contain malicious code from being executed from the Upload Directory, place a .htaccess file inside the 'images' directory with this content[4]:

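# No php execution in the upload area
# (php_flag is used here because php_admin_flag is not accepted in .htaccess files;
# php_admin_flag belongs in the main server or virtual host configuration)
php_flag engine off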

External Links