List of security measures taken for this site

From eagle-rock.org

Restrict Permissions

Eagle-rock.org was established in December 2011. After an upgrade in September 2015, I neglected to include the security settings that blocked users from creating accounts. In September 2015 the resulting security hole was located and targeted by spam bots[1]. Spam bots have become sophisticated enough to create an account and post articles. Once a spam bot gets in, it automatically calls other bots until there is a tidal wave of spam bots hammering the website. I learned this lesson the hard way. The only solution is to restrict permissions[2] by adding the following settings to LocalSettings.php.

$wgGroupPermissions['*']['createaccount'] = false;

This setting prevents visitors who are not logged in (the '*' group) from creating accounts.[3] All accounts must therefore be created by an Administrator.

$wgGroupPermissions['*']['edit'] = false;

This setting prevents visitors who are not logged in from editing pages. To edit a page, a user must have an account created by an Administrator.
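Because these two lines were lost during an upgrade, it helps to re-check them after every upgrade. The script below is an added example, not code from eagle-rock.org or MediaWiki: it reads the text of LocalSettings.php and reports whether either restriction is missing, commented out, or overridden by a later line. The function names and sample inputs are assumptions made for illustration, and it only sees literal assignments in the one file it is given.

```python
import re
import sys

# Uncommented literal assignment, e.g. $wgGroupPermissions['*']['edit'] = false;
ASSIGN = re.compile(
    r"""^\s*\$wgGroupPermissions\s*\[\s*(['"])(?P<group>[^'"]+)\1\s*\]\s*"""
    r"""\[\s*(['"])(?P<right>[^'"]+)\3\s*\]\s*=\s*(?P<value>true|false)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)
REQUIRED = ("createaccount", "edit")  # the two rights this page locks down

def anon_rights(local_settings):
    """Return {right: bool} for the '*' group; the last assignment wins."""
    # Drop /* ... */ blocks so settings disabled that way are not counted.
    text = re.sub(r"/\*.*?\*/", "", local_settings, flags=re.DOTALL)
    rights = {}
    for m in ASSIGN.finditer(text):
        if m.group("group") == "*":
            rights[m.group("right")] = m.group("value").lower() == "true"
    return rights

def audit(local_settings):
    """List the required restrictions that are missing or overridden."""
    rights = anon_rights(local_settings)
    findings = []
    for right in REQUIRED:
        if right not in rights:
            findings.append(right + ": not set, so the MediaWiki default (allowed) applies")
        elif rights[right]:
            findings.append(right + ": set to true for '*'")
    return findings

# Constructed sample inputs (not taken from the site's real LocalSettings.php).
HARDENED = """<?php
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
"""
AFTER_UPGRADE = """<?php
# $wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions["*"]["edit"] = true;  // re-enabled further down
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else AFTER_UPGRADE
    problems = audit(source)
    print("\n".join(problems) or "anonymous account creation and editing are disabled")
    sys.exit(1 if problems else 0)
```

Run it with the path to LocalSettings.php as the only argument; a non-zero exit status means at least one of the two restrictions is not in effect.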

File Upload Security

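To prevent uploaded files containing malicious PHP code from being executed in the upload directory, place a .htaccess file inside the 'images' directory with this content[4]:

# No PHP execution in the upload area.
# php_flag is the form Apache's mod_php accepts in .htaccess;
# php_admin_flag is valid only in the main server or virtual-host configuration.
php_flag engine off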

External Links