Security

PmWiki.Security History

August 31, 2011, at 11:58 AM by Blahma -
(:Summary: Resources for securing your PmWiki installation:)
Aspects of PmWiki security are found on the following pages:

Pages distributed in a PmWiki release:
* [[PmWiki/Passwords]] {PmWiki/Passwords$:Summary}
* [[PmWiki/Passwords Admin]] {PmWiki/PasswordsAdmin$:Summary}
* [[PmWiki/Url Approvals]] {PmWiki/UrlApprovals$:Summary}
* [[(PmWiki:)Site Analyzer]] {PmWiki/SiteAnalyzer$:Summary}
* [[PmWiki/Blocklist]] {PmWiki/Blocklist$:Summary}
* [[PmWiki/Notify]] {PmWiki/Notify$:Summary}
* [[PmWiki/Security variables]] {PmWiki/SecurityVariables$:Summary}

[[Cookbook(:/)]] Pages

* [[Cookbook:Cookbook#Security | Cookbook index for Security recipes]]
* [[Cookbook:Secure attachments]] Protecting uploaded attachments
* [[Cookbook:Web server security]] Making the server more secure with .htaccess
* [[Cookbook:Farm security]] Making Farm installations secure
* [[Cookbook:DeObMail]] Hide e-mail address
* [[Cookbook:Protect email]] Obfuscate email addresses
* [[Cookbook:Audit images]] Check to see what images have been uploaded to your wiki.
* [[Cookbook:Private groups]] Create and secure private groups on a public wiki
* [[Cookbook:Only one login]] Allow only one simultaneous login per username
* [[Cookbook:Session guard]] Protects against Session Theft


>>faq<< [[#faq]]

Q: How do I report a possible security vulnerability of PmWiki?

A: [[http://www.pmichaud.com|Pm]] wrote about this in [[http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html | a post to pmwiki-users from September 2006]]. In a nutshell he differentiates two cases:
## The possible vulnerability isn't already known publicly: In this case please contact Pm by private mail.
## The possible vulnerability is already known publicly: In this case feel free to discuss the vulnerability in public (e.g. on [[http://www.pmichaud.com/mailman/listinfo/pmwiki-users | pmwiki-users]]).
See [[http://pmichaud.com/pipermail/pmwiki-users/2006-September/031793.html | his post mentioned above]] for details and rationale.

Q: What about the botnet security advisory at %newwin%[[http://isc.sans.org/diary.php?storyid=1672]]?

A: Sites running with PHP's ''register_globals'' setting "On" and a PmWiki version prior to 2.1.21 may be vulnerable to a botnet exploit that takes advantage of a bug in PHP. Any one of the following closes the vulnerability: turning ''register_globals'' off, upgrading to PmWiki 2.1.21 or later, or upgrading to PHP 4.4.3 / 5.1.4 or later. (''register_globals'' was removed entirely in PHP 5.4, so only legacy installations are affected; check @@phpinfo()@@ for the web server's effective setting, since the CLI may read a different php.ini.) [[<<]]In addition, there is a test at [[PmWiki:SiteAnalyzer]] that can be used to determine whether your site is vulnerable.

[[#wikivandalism]]
!! Wiki Vandalism
:Assumptions: you are using a [[PmWiki/Blocklist]] and [[PmWiki/Url approvals]].
: :You don't want to resort to [[PmWiki/password(s)]] protecting the entire wiki; that would defeat the point of a wiki.
: :Ideally these protections are configured in @@config.php@@.


Q: How do I stop pages being [[PmWiki/DeletingPages|deleted]], e.g. password protect a page from deletion?
A: Use [[Cookbook:DeleteAction]] and password protect the delete [[(available) action(s)]] by adding [@$DefaultPasswords['delete'] = '*';@] to @@config.php@@ (no submitted password hashes to @@*@@, so the action stays locked unless the admin password is used), or tie the action to an existing authorization level with @@$HandleAuth['delete'] = 'edit';@@
->or @@$HandleAuth['delete'] = 'admin';@@ to require the edit or admin password respectively.

Q: How do I stop pages being replaced with an empty (all spaces) page?
A: Add [@block: /^\s*$/@] to your [[PmWiki/blocklist]].

Q: How do I stop pages being completely replaced by an inane comment such as ''excellent site'' or ''great information'', where the content itself cannot be blocked?
A: Try using the newer [[PmWiki/Blocklist#automaticblocklists | automatic blocklists]] that pull information and IP addresses about known wiki defacers.

A: (OR) Try using [[Cookbook:Captchas]] or [[Cookbook:Captcha]] (note these are different).

A: (OR) Set an edit password, but make it publicly available on the [[{$SiteGroup}.AuthForm]] template. This stops unsophisticated bots that never read the form, without inconveniencing human editors.

Q: How do I password protect all common pages in all groups such as recent changes, search, group header, group footer, and so on?
A: Insert the following lines into your local/config.php file. Editing these pages then requires the password given to @@crypt()@@ (replace @@secret phrase@@ with your own); the admin password works as well.
->[@
## Require a separate password to edit RecentChanges (etc.) pages.
if ($action=='edit'
&& preg_match('/\\.(Search|Group(Header|Footer)|(All)?RecentChanges)$/', $pagename))
{ $DefaultPasswords['edit'] = crypt('secret phrase'); }
@]

Note that all GroupAttributes pages are protected by the attr password.

'''Alternative:''' you can require 'admin' authentication for these pages instead of a separate password. The pattern is anchored to the end of the page name and to the group/page separator, so a page such as @@Main.SearchTips@@ is not caught by accident:
->[@
## Require the admin password to edit RecentChanges (etc.) pages.
if ($action=='edit'
&& preg_match('/\\.(Search|Group(Header|Footer)|(All)?RecentChanges)$/', $pagename))
{ $HandleAuth['edit'] = 'admin'; }
@]

Q: How do I password protect the creation of new groups?
A: See [[Cookbook:Limit Wiki Groups]] {Cookbook.LimitWikiGroups$:Summary}

Q: How do I password protect the creation of new pages?
A: See [[Cookbook:Limit new pages in Wiki Groups]] {Cookbook.LimitNewPagesInWikiGroups$:Summary}

Q: How do I take a whitelist approach where users from known or trusted IP addresses can edit, and others require a password?
A: Put these lines in local/config.php:
[@
## Allow passwordless editing from own turf, require a password from everyone else.
if ($action=='edit'
&& !preg_match("/^90\\.68\\./", $_SERVER['REMOTE_ADDR']) )
{ $DefaultPasswords['edit'] = crypt('foobar'); }
@]
Replace 90.68. with the preferred network prefix and foobar with the default password for others. Keep the @@^@@ anchor as shown, or an address such as @@190.68.x.x@@ would also match. Use @@$_SERVER['REMOTE_ADDR']@@ only; headers such as @@X-Forwarded-For@@ are supplied by the client and can be forged. If the wiki runs behind a reverse proxy, @@REMOTE_ADDR@@ is the proxy's address, so the trusted client address has to be established at the proxy rather than in config.php.
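The prefix regex above only expresses networks that happen to align with a dotted-decimal boundary. The following is an added example, not PmWiki's own code, that generalizes the same check to IPv4 and IPv6 CIDR blocks for @@local/config.php@@. @@$TrustedEditNets@@, @@IpInCidrList()@@ and the network values are names and sample data chosen for this example; @@$action@@, @@$DefaultPasswords@@ and the opening guard line are PmWiki's usual config.php conventions.

```php
<?php if (!defined('PmWiki')) exit();
## Added example (not PmWiki's own code): CIDR-based edit allowlist for
## local/config.php. $TrustedEditNets and IpInCidrList() are names chosen
## for this example; $action and $DefaultPasswords are PmWiki globals.

# Networks allowed to edit without a password (constructed sample values).
$TrustedEditNets = array('90.68.0.0/16', '10.0.0.0/8', '2001:db8::/32');

# Return true if $ip lies inside any CIDR block in $nets. Works for IPv4 and
# IPv6 via inet_pton(); malformed addresses or prefixes never match, and a
# non-numeric prefix length is rejected rather than silently becoming /0.
function IpInCidrList($ip, $nets) {
  $ipbin = @inet_pton($ip);
  if ($ipbin === false) return false;
  foreach ($nets as $net) {
    $parts = explode('/', $net, 2);
    $basebin = @inet_pton($parts[0]);
    # Address families must match: an IPv4 client never matches an IPv6 block.
    if ($basebin === false || strlen($basebin) != strlen($ipbin)) continue;
    $maxbits = strlen($ipbin) * 8;
    if (isset($parts[1])) {
      if (!ctype_digit($parts[1])) continue;   # "abc" or "" must not mean /0
      $bits = (int)$parts[1];
    } else {
      $bits = $maxbits;                         # bare address = single host
    }
    if ($bits < 0 || $bits > $maxbits) continue;
    # Compare whole prefix bytes, then the remaining high bits of the next byte.
    $whole = (int)($bits / 8);
    if (substr($ipbin, 0, $whole) !== substr($basebin, 0, $whole)) continue;
    $rem = $bits % 8;
    if ($rem) {
      $mask = (0xFF << (8 - $rem)) & 0xFF;
      if ((ord($ipbin[$whole]) & $mask) != (ord($basebin[$whole]) & $mask)) continue;
    }
    return true;
  }
  return false;
}

# Only REMOTE_ADDR is consulted. X-Forwarded-For and similar headers are
# client-supplied and spoofable; behind your own reverse proxy REMOTE_ADDR is
# the proxy, so resolve the real client address at the proxy instead.
$ClientIP = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if ($action == 'edit' && !IpInCidrList($ClientIP, $TrustedEditNets)) {
  $DefaultPasswords['edit'] = crypt('foobar');  # replace with a real secret
}
```

With these sample values a client at 90.68.12.7 or 2001:db8:1::5 edits without a password, while 90.69.0.1 or 190.68.12.7 is asked for it. An IPv4-mapped IPv6 address such as @@::ffff:90.68.12.7@@ is 16 bytes after @@inet_pton()@@ and therefore does not match the IPv4 block; add @@::ffff:90.68.0.0/112@@ to the list if your server presents clients that way.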

Q: How do I password protect [[PmWiki/AvailableActions|page actions]]?
A: See [[PmWiki/Passwords]] for setting in config.php
-> @@$HandleAuth['[==]''pageactionname''[==]'] = 'pageactionname'; # along with :@@
-> @@$DefaultPasswords['[==]''pageactionname''[==]'] = crypt('secret phrase');@@
A: or
-> @@$HandleAuth['[==]''pageactionname''[==]'] = 'anotherpageactionname';@@

Q: How do I make a rule that allows only an author to edit their own page in the [[Profiles]] group?
A: Add this to your ''local/config.php''. It relies on [[PmWiki/AuthUser]] being enabled, since the @@id:@@ form of a password only resolves against a logged-in AuthUser identity; the admin password still overrides it.

->[@
## Only the user whose login name matches the page name may edit Profiles.Name.
$name = PageVar($pagename, '$Name');
$group = PageVar($pagename, '$Group');
if ($group == 'Profiles') $DefaultPasswords['edit'] = 'id:'.$name;
@]

Q: How do I moderate all postings?
A: Enable [[PmWiki.Drafts]]:
* Set @@$EnableDrafts = 1;@@; this relabels the "Save" button to "Publish" and adds a "Save draft" button.
* Set @@$EnablePublish = 1;@@; this adds a new "publish" authorization level, so saving drafts and publishing them can be protected by different passwords.

Q: How do I make a read only wiki?
A: In config.php [[PmWiki/PasswordsAdmin | set]] an "edit" password.

Q: How do I restrict access to [[PmWiki/Uploads|uploaded attachments]]?
A: See
* the [[PmWiki/UploadsAdmin#direct_download|instructions]] for denying direct public access to the uploads directory
* [[Cookbook:Secure attachments]] {Cookbook.SecureAttachments$:Summary}


Last change August 31, 2011, at 11:58 AM