Difference between revisions of "List of security measures taken for this site"
Line 9: | Line 9: | ||
==File Upload Security== | ==File Upload Security== | ||
− | To prevent users from uploading files with malicious code to the Upload Directory, place a .htaccess file inside the 'images' directory with this content<ref>https://www.mediawiki.org/wiki/Manual:Image_Authorization Image_Authorization</ref>: | + | To prevent users from uploading files with malicious code to the Upload Directory, place a .htaccess file inside the 'images' directory with this content<ref>[https://www.mediawiki.org/wiki/Manual:Image_Authorization Image_Authorization]</ref>: |
<pre># No php execution in the upload area | <pre># No php execution in the upload area | ||
php_admin_flag engine off</pre> | php_admin_flag engine off</pre> |
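Review bot: the `php_admin_flag engine off` line in both revisions only takes effect when PHP runs through Apache's mod_php and the `images` directory is served with an `AllowOverride` setting that lets `.htaccess` override PHP flags; neither the old nor the new revision says so. Suggest adding a one-line caveat next to the snippet that the setting must be verified on the deployed server rather than assumed to apply.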
Revision as of 03:29, 23 September 2015
Restrict Permissions
Eagle-rock.org was established in December 2011. After an upgrade in September 2015 I neglected to include the security settings that block users from creating accounts. In September 2015 the security hole this created was located and targeted by spam bots[1]. Spam bots have become sophisticated enough to create an account and post articles. Once one spam bot gets in, it automatically calls other bots until a tidal wave of spam bots is hammering the website. I learned this lesson the hard way. The only solution is to restrict permissions[2] by entering the following settings into LocalSettings.php.
$wgGroupPermissions['*']['createaccount'] = false;
This setting blocks anonymous (non-logged-in) users from creating accounts.[3] All accounts therefore must be created by an Administrator.
$wgGroupPermissions['*']['edit'] = false;
This setting blocks anonymous (non-logged-in) users from editing pages. In order to edit a page, a user must have an account created by an Administrator.
File Upload Security
To prevent users from uploading files with malicious code to the Upload Directory, place a .htaccess file inside the 'images' directory with this content[4]:
# No php execution in the upload area
php_admin_flag engine off
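The two settings above and the upload-directory .htaccess are easy to lose again on the next upgrade, which is exactly how the spam-bot incident described in Restrict Permissions happened. The following script is an added example, not part of this page or of MediaWiki: it reads a LocalSettings.php and an images/.htaccess and reports whether anonymous account creation and editing are denied and whether the PHP engine is switched off for uploads. The file contents embedded in it are constructed samples, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample of a LocalSettings.php fragment (not the site's real file).
SAMPLE_LOCALSETTINGS = """<?php
$wgSitename = "Example Wiki";
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
"""

# Constructed sample of images/.htaccess, matching the snippet on this page.
SAMPLE_HTACCESS = """# No php execution in the upload area
php_admin_flag engine off
"""

# Rights of the anonymous group ('*') that this page says must be denied.
REQUIRED_DENIES = ("createaccount", "edit")

# Matches lines such as: $wgGroupPermissions['*']['edit'] = false;
_PERM_RE = re.compile(
    r"""\$wgGroupPermissions\s*\[\s*(['"])(?P<group>[^'"]+)\1\s*\]"""
    r"""\s*\[\s*(['"])(?P<right>[^'"]+)\3\s*\]\s*=\s*(?P<value>true|false)\s*;""",
    re.IGNORECASE,
)


def parse_group_permissions(php_source: str) -> Dict[str, Dict[str, bool]]:
    """Extract $wgGroupPermissions[group][right] = true|false; assignments.

    A later assignment overrides an earlier one, as PHP itself would evaluate them.
    """
    perms: Dict[str, Dict[str, bool]] = {}
    for m in _PERM_RE.finditer(php_source):
        perms.setdefault(m.group("group"), {})[m.group("right")] = (
            m.group("value").lower() == "true"
        )
    return perms


def audit_localsettings(php_source: str) -> List[str]:
    """Return findings for the anonymous group; an empty list means both rights are denied."""
    anon = parse_group_permissions(php_source).get("*", {})
    findings = []
    for right in REQUIRED_DENIES:
        if right not in anon:
            # MediaWiki's shipped defaults leave these rights enabled for '*'.
            findings.append(
                f"$wgGroupPermissions['*']['{right}'] is not set (default leaves it enabled)"
            )
        elif anon[right]:
            findings.append(
                f"$wgGroupPermissions['*']['{right}'] is true; anonymous users may {right}"
            )
    return findings


def audit_upload_htaccess(htaccess: str) -> List[str]:
    """Check that the upload-directory .htaccess turns the PHP engine off."""
    directives = [
        line.strip()
        for line in htaccess.splitlines()
        if line.strip() and not line.lstrip().startswith("#")  # skip comments
    ]
    engine_off = any(
        re.fullmatch(r"php_admin_flag\s+engine\s+off", d, re.IGNORECASE)
        for d in directives
    )
    return [] if engine_off else ["images/.htaccess lacks 'php_admin_flag engine off'"]


def audit_site(php_source: str, htaccess: str) -> List[str]:
    """Combined report for both measures described on this page."""
    return audit_localsettings(php_source) + audit_upload_htaccess(htaccess)


if __name__ == "__main__":
    # Against the constructed samples every check passes and nothing is reported.
    for finding in audit_site(SAMPLE_LOCALSETTINGS, SAMPLE_HTACCESS) or ["no findings"]:
        print(finding)
```

To run it against a real installation, read LocalSettings.php and images/.htaccess from disk and pass their contents to `audit_site`; a non-empty result is the cue to re-apply the settings before spam bots find the gap again. The .htaccess check only confirms the directive is present in the file, not that Apache honours it, so a deployment check should still confirm that a PHP file placed in the upload directory is served as plain text rather than executed.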