Make Your MediaWiki Private – Secure MediaWiki
I thought I’d share with you all the process of customizing the default install to create a private wiki. The following is specific to my install, but it will probably be helpful to many with a different host or a newer version.
- Install MediaWiki.
- Chmod LocalSettings.php to 600.
- Create a backup copy of LocalSettings.php and give it an extension such as .BAK instead of .PHP. Put it back in your wiki install directory right away so it’s safe and available if you need it later.
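The following shell script carries out the chmod and backup steps above and checks the result; it is an added example, not part of the original post. It assumes only that the argument is the directory MediaWiki was installed to (the one holding LocalSettings.php); the file names and the test content are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: performs the chmod and backup steps
# above and checks the result.  WIKI_DIR is whatever directory MediaWiki was
# installed to (the directory that holds LocalSettings.php); the paths are an assumption.

# Tighten LocalSettings.php to owner-only (0600), make the backup copy the text
# describes with the same mode, and return 1 if either file is still readable by
# group or others, or if LocalSettings.php is missing.
lock_down_localsettings() {
    wiki_dir=$1
    cfg="$wiki_dir/LocalSettings.php"
    bak="$wiki_dir/LocalSettings.bak"   # .bak rather than .php, as the text suggests
    if [ ! -f "$cfg" ]; then
        echo "no LocalSettings.php in $wiki_dir" >&2
        return 1
    fi
    chmod 600 "$cfg"
    cp -p "$cfg" "$bak"     # -p keeps the 0600 mode on the copy
    chmod 600 "$bak"        # the backup holds the same database credentials
    for f in "$cfg" "$bak"; do
        mode=$(ls -ld "$f" | cut -c1-10)   # first ten columns: type and permission bits
        if [ "$mode" != "-rw-------" ]; then
            echo "$f has mode $mode, expected -rw-------" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh lock_down.sh /path/to/wiki
if [ $# -eq 1 ]; then
    lock_down_localsettings "$1" && echo "LocalSettings.php and LocalSettings.bak are now 0600"
fi
```

One thing the mode check cannot cover: the web server hands .php files to the PHP interpreter by extension, but a LocalSettings.bak in the same web-served directory is an ordinary file, so unless the server configuration denies access to it, 0600 protects it only from other local accounts, not from a browser. Keeping the backup outside the web root, as this post later recommends for .htpasswd, avoids that.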
Restrict Wiki Access
Before bothering to put up our own logo or other fun stuff like enabling image linking and using clean URLs, we’re going to lock down our install. I didn’t find much on this particular goal in the official MediaWiki docs or the Dreamhost wiki, but I did find this old Meta Wiki article.
- Prevent new user registrations. Add the following lines to the bottom of LocalSettings.php:

# This snippet prevents new registrations from anonymous users
# (Sysops can still create user accounts)
$wgGroupPermissions['*']['createaccount'] = false;

- Make sure it’s working by trying to create an account. You should receive an error message that says the username was not found and asks you to create an account. To change the message, log in as yourself (you should have set up a Sysop login when you configured your wiki) and point your browser to wiki.yourdomain.com/index.php?title=MediaWiki:Nosuchuser&action=edit.
I changed my message to: There is no user by the name “$1”. This wiki is private and therefore closed to new accounts. Please contact Mahalie if you have any questions.
I intentionally failed to provide contact information. If a user doesn’t even know how to contact me, they really don’t need an account on my private wiki!
- Prevent anonymous users from reading by adding the following to LocalSettings.php:

# Disable reading for anonymous users (not logged in => *) ...
# ... and allow anonymous users to read the following pages:
$wgGroupPermissions['*']['read'] = false;
$wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
# ... the same in another language (French, with one UTF-8 special character):
# utf8_encode() converts from ISO-8859-1, so this form is only needed when the file is saved as Latin-1
# $wgWhitelistRead = array( "Page Principale", "Special:Userlogin", utf8_encode('Aide en français') );

- Verify the setting by logging out of your wiki and attempting to browse. You should get a ‘Login Required. You must login to view other pages.’ message when clicking on any local link, and the page should redirect to the main page after a few seconds.
- If you want to hide the side navigation when the user isn’t logged in (because, perhaps, you have private project names or something), edit includes/Skin.php and change the function buildSidebar(). Add these lines near the very top, after the globals:

global $wgUser;
if ( !$wgUser->isLoggedIn() ) {
    return array();
}

This will hide the navigation on sub-pages (not the default main page).
Restrict Access
On a UNIX-based system, you can create a .htaccess and .htpasswd file in the MediaWiki directory.
The first thing you will need to do is create a file called .htpasswd. I know, you might have problems with the naming convention, but it is the same idea as naming the htaccess file itself, and you should be able to do that by this point. In the htpasswd file, you place the username and (encrypted) password for each person you want to have access.
For example, a username and password of wsabstract (and I do not recommend having the username being the same as the password), the htpasswd file would look like this:
wsabstract:y4E7Ep8e7EYV
Notice that it is UserName first, followed by the Password. There is a handy-dandy tool available for you to easily encrypt the password into the proper encoding for use in the htpasswd file.
For security, you should not upload the htpasswd file to a directory that is web accessible (yoursite.com/.htpasswd), it should be placed above your www root directory. You’ll be specifying the location to it later on, so be sure you know where you put it. Also, this file, as with htaccess, should be uploaded as ASCII and not BINARY.
Create a new .htaccess file and place the following code in it:

AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
Require user wsabstract
The first line is the full server path to your htpasswd file. If you have installed scripts on your server, you should be familiar with this. Please note that this is not a URL, this is a server path. Also note that if you place this htaccess file in your root directory, it will password protect your entire site, which probably isn’t your exact goal.
The Require user line is where you enter the username of those you want to have access to that portion of your site. Note that using this will allow only that specific user to access that directory. This applies if you have an htpasswd file with multiple users set up in it and you want each one to have access to an individual directory. If you want the entire list of users to have access to that directory, replace Require user xxx with Require valid-user.
The AuthName is the name of the area you want to access. It could be anything, such as “EnterPassword”. You can change the name of this ‘realm’ to whatever you want, within reason.
We are using AuthType Basic because we are using basic HTTP authentication.
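The shell helpers below are an added example, not code from the original post or from the tool it quotes. They automate the checks this section asks for: that .htpasswd sits outside the web root, that every entry in it is a hashed credential rather than plaintext, and writing the .htaccess block above with either a single Require user or Require valid-user. The directory layout (DOCROOT, DOCROOT/wiki, a safedir one level up), the user names and the hash values in the tests are all constructed. The lint accepts only bcrypt ($2y$/$2a$/$2b$), Apache MD5 ($apr1$) and {SHA} entries; Apache still reads the old crypt(3) style shown above (wsabstract:y4E7Ep8e7EYV), but its own htpasswd manual marks that format insecure, so the lint deliberately flags it.

```shell
#!/bin/sh
# Added example, not from the original post or from the tool it quotes: helpers for
# the .htpasswd / .htaccess steps above.  Assumed layout (constructed for illustration):
# DOCROOT is the web root, the wiki lives in DOCROOT/wiki, and .htpasswd lives one
# level above DOCROOT, as the text recommends.

# Return 0 if the password file lies outside DOCROOT, 1 if the web server could serve it.
htpasswd_outside_docroot() {
    docroot=$(cd "$1" && pwd -P) || return 1
    pwdir=$(cd "$(dirname "$2")" && pwd -P) || return 1
    case "$pwdir/" in
        "$docroot"/*) return 1 ;;   # inside (or equal to) the web root
        *) return 0 ;;
    esac
}

# Lint an htpasswd file: every line must be user:hash, and the hash must be a format
# Apache's htpasswd(1) documents as safe: bcrypt ($2y$, $2a$, $2b$), Apache MD5 ($apr1$)
# or {SHA}.  Plaintext, traditional crypt(3) entries and malformed lines return 1.
lint_htpasswd() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        hash=${line#*:}
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*|'$apr1$'*|'{SHA}'*) ;;
            *) echo "unsafe or malformed entry for user '$user'" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Write the .htaccess block from the text into DIR.  With no third argument every user
# in the file is admitted (Require valid-user); with one, only that user (Require user NAME).
write_htaccess() {
    dir=$1
    pwfile=$2
    if [ -n "${3:-}" ]; then req="Require user $3"; else req="Require valid-user"; fi
    cat > "$dir/.htaccess" <<EOF
AuthUserFile $pwfile
AuthGroupFile /dev/null
AuthName "EnterPassword"
AuthType Basic
$req
EOF
}

# Produce one user:hash line.  Uses Apache's own htpasswd with bcrypt when installed
# and falls back to openssl's Apache-MD5 so the entry still passes lint_htpasswd.
make_entry() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$1" "$2"
    else
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    fi
}

# Usage: sh private_wiki.sh DOCROOT /path/to/.htpasswd
if [ $# -eq 2 ]; then
    if htpasswd_outside_docroot "$1" "$2"; then
        echo "$2 is outside the web root"
    else
        echo "WARNING: $2 would be served from $1" >&2
    fi
    [ -f "$2" ] && lint_htpasswd "$2"
fi
```

make_entry passes the password on the command line (htpasswd -b) so that it can be scripted; on a shared host that leaves the password in shell history and, briefly, in the process list, so for a real account run htpasswd -B /path/.htpasswd NAME interactively instead and let it prompt.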