List of security measures taken for this site

From eagle-rock.org
Revision as of 07:07, 22 September 2015 by Charles (talk | contribs)

Restrict Permissions

Eagle-rock.org was established in December 2011. At that time it was decided to allow visitors to create user accounts in order to read and contribute to the site. Over the years we had forgotten about the setting that allowed this, until in September 2015 the site was targeted by spam bots[1]. Spam bots have become sophisticated enough to create an account and post articles. Once a spam bot gets in, it automatically calls in other bots until a tidal wave of spam bots is hammering the website. We learned this lesson the hard way. The only solution is to restrict permissions[2] using the following settings in LocalSettings.php.

'''$wgGroupPermissions'''['*']['createaccount'] = false;<ref>[https://www.mediawiki.org/wiki/Manual:$wgGroupPermissions Mediawiki:$wgGroupPermissions]</ref>

This setting blocks anonymous visitors (the '*' group, i.e. anyone not logged in) from creating accounts. All accounts must therefore be created by an Administrator.

'''$wgGroupPermissions'''['*']['edit'] = false;

This setting blocks anonymous visitors from editing pages. In order to edit a page, a user must have an account created by an Administrator.

File Upload Security

To keep uploaded files that contain PHP code from being executed out of the upload directory, place a .htaccess file inside the 'images' directory with this content:

# No php execution in the upload area
php_admin_flag engine off
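
The following audit script is an added example, not part of this page or of MediaWiki: it checks a LocalSettings.php for the two '*' permission lines above and an images/.htaccess for the engine-off directive. It assumes Apache with mod_php (php_admin_flag is ignored under PHP-FPM), and that, as in MediaWiki's defaults, a missing line means the right is still granted; the sample inputs are constructed.

```python
import re

# Matches one assignment such as  $wgGroupPermissions['*']['createaccount'] = false;
PERM_RE = re.compile(
    r"""^\s*\$wgGroupPermissions\s*\[\s*(['"])(?P<group>[^'"]*)\1\s*\]"""
    r"""\s*\[\s*(['"])(?P<right>[^'"]*)\3\s*\]\s*=\s*(?P<value>true|false)\s*;""",
    re.IGNORECASE,
)

def parse_group_permissions(source: str) -> dict:
    """Return {(group, right): bool} from LocalSettings.php text.

    PHP runs assignments in order, so a later line overrides an earlier one;
    lines commented out with '#' or '//' are ignored."""
    perms = {}
    for line in source.splitlines():
        if line.strip().startswith(("#", "//")):
            continue
        m = PERM_RE.match(line)
        if m:
            perms[(m.group("group"), m.group("right"))] = m.group("value").lower() == "true"
    return perms

def audit_local_settings(source: str) -> list:
    """Findings for the two rights this page removes from the '*' group."""
    perms = parse_group_permissions(source)
    findings = []
    for right in ("createaccount", "edit"):
        # MediaWiki's DefaultSettings grants both to '*', so an absent line means open.
        if perms.get(("*", right), True):
            findings.append(f"$wgGroupPermissions['*']['{right}'] is not false: anonymous visitors can {right}")
    return findings

def upload_dir_blocks_php(htaccess_text: str) -> bool:
    """True if images/.htaccess turns the PHP engine off (effective under mod_php only)."""
    for line in htaccess_text.splitlines():
        if line.strip().startswith("#"):
            continue
        if re.match(r"^\s*php_admin_flag\s+engine\s+off\s*$", line, re.IGNORECASE):
            return True
    return False

# Constructed sample: the last 'edit' line silently re-enables editing and wins.
SAMPLE_LOCALSETTINGS = """<?php
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
# $wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['edit'] = true;
"""
SAMPLE_HTACCESS = "# No php execution in the upload area\nphp_admin_flag engine off\n"

if __name__ == "__main__":
    for finding in audit_local_settings(SAMPLE_LOCALSETTINGS):
        print("FINDING:", finding)
    print("upload dir blocks PHP:", upload_dir_blocks_php(SAMPLE_HTACCESS))
```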


External Links