Difference between revisions of "List of security measures taken for this site"

From eagle-rock.org

Revision as of 03:29, 23 September 2015

Restrict Permissions

Eagle-rock.org was established in December 2011. After an upgrade in September 2015 I neglected to include the security settings that block visitors from creating accounts. In September 2015 the security hole this created was located and targeted by spam bots[1]. Spam bots have become sophisticated enough to create an account and post articles. Once one spam bot gets in, it automatically calls in other bots until a tidal wave of spam bots is hammering the website. I learned this lesson the hard way. The only solution is to restrict permissions[2] by adding the following settings to LocalSettings.php.

$wgGroupPermissions['*']['createaccount'] = false;

This setting blocks anonymous (logged-out) visitors from creating accounts.[3] All accounts therefore must be created by an Administrator.

$wgGroupPermissions['*']['edit'] = false;

This setting blocks anonymous (logged-out) visitors from editing pages. In order to edit a page, a user must have an account created by an Administrator.

File Upload Security

To prevent users from uploading files with malicious code to the Upload Directory, place a .htaccess file inside the 'images' directory with this content[4]:

# No php execution in the upload area
php_admin_flag engine off
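The two hardening steps above (the $wgGroupPermissions lines in LocalSettings.php and the .htaccess in the images directory) are easy to lose again on the next upgrade, which is how the site ended up open in the first place. The following audit script is an added example written for this page; it is not code from eagle-rock.org or from MediaWiki. It parses a LocalSettings.php text for the two settings the page requires, and checks an images directory for the .htaccess directive plus any script-like files already present. The sample configurations, the file names and the list of script extensions are all constructed assumptions. Note that it only verifies the file contents; php_admin_flag is a mod_php directive, so whether Apache actually honors it depends on the server configuration, which this script does not inspect.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# The settings the page says must be false for the anonymous ('*') group.
REQUIRED_FALSE = (("*", "createaccount"), ("*", "edit"))
# The .htaccess directive the page says must be in the images directory.
HTACCESS_DIRECTIVE = "php_admin_flag engine off"
# Extensions a web server might execute if they land in the upload area (assumed list).
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

# Matches: $wgGroupPermissions['group']['right'] = true|false;
_PERM_RE = re.compile(
    r"""^\s*\$wgGroupPermissions\[\s*['"]([^'"]+)['"]\s*\]"""
    r"""\s*\[\s*['"]([^'"]+)['"]\s*\]\s*=\s*(true|false)\s*;""",
    re.IGNORECASE,
)


def parse_group_permissions(local_settings: str) -> dict:
    """Return {(group, right): bool} for every active $wgGroupPermissions line.

    Lines commented out with // or # are skipped; a later assignment wins."""
    perms = {}
    for line in local_settings.splitlines():
        if line.strip().startswith(("//", "#")):
            continue
        m = _PERM_RE.match(line)
        if m:
            group, right, value = m.groups()
            perms[(group, right)] = value.lower() == "true"
    return perms


def audit_local_settings(local_settings: str) -> list:
    """List every required setting that is missing (default allows it) or true."""
    perms = parse_group_permissions(local_settings)
    findings = []
    for group, right in REQUIRED_FALSE:
        value = perms.get((group, right))
        if value is None:
            findings.append(f"{group}/{right}: not set (default allows it)")
        elif value:
            findings.append(f"{group}/{right}: set to true")
    return findings


def audit_upload_dir(images_dir: Path) -> list:
    """Check the upload directory for the .htaccess directive and for script-like files."""
    findings = []
    htaccess = images_dir / ".htaccess"
    if not htaccess.is_file():
        findings.append(".htaccess missing from upload area")
    else:
        # Apache directives are case-insensitive; normalise whitespace and case.
        active = [" ".join(l.split()).lower() for l in htaccess.read_text().splitlines()
                  if l.strip() and not l.strip().startswith("#")]
        if HTACCESS_DIRECTIVE not in active:
            findings.append(f".htaccess lacks '{HTACCESS_DIRECTIVE}'")
    for p in sorted(images_dir.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            findings.append(f"script-like file in upload area: {p.relative_to(images_dir)}")
    return findings


# Constructed sample: the state after the upgrade, with the defaults left in place.
WEAK_LOCAL_SETTINGS = """<?php
$wgSitename = "Example Wiki";  # placeholder site name
// $wgGroupPermissions['*']['createaccount'] = false;   (commented out, so it has no effect)
$wgEnableUploads = true;
"""

# Constructed sample: the two settings the page prescribes.
HARDENED_LOCAL_SETTINGS = """<?php
$wgSitename = "Example Wiki";
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgEnableUploads = true;
"""


def demo_upload_audit() -> tuple:
    """Build an unprotected and a protected images directory (constructed, in a temp
    dir) and return (findings_unprotected, findings_protected)."""
    with TemporaryDirectory() as tmp:
        unprotected = Path(tmp) / "unprotected"
        unprotected.mkdir()
        (unprotected / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        (unprotected / "stray-script.php").write_text("<?php // constructed placeholder, does nothing\n")
        protected = Path(tmp) / "protected"
        protected.mkdir()
        (protected / ".htaccess").write_text(
            "# No php execution in the upload area\nphp_admin_flag engine off\n")
        (protected / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        return audit_upload_dir(unprotected), audit_upload_dir(protected)


if __name__ == "__main__":
    print("weak LocalSettings.php:", audit_local_settings(WEAK_LOCAL_SETTINGS))
    print("hardened LocalSettings.php:", audit_local_settings(HARDENED_LOCAL_SETTINGS))
    print("upload dirs:", demo_upload_audit())
```

Run it against a real installation by passing the contents of LocalSettings.php to audit_local_settings() and the path of the images directory to audit_upload_dir(); an empty list from both means the two measures described on this page are in place.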

External Links