How to stop Spam on a MediaWiki


Cookipedia has been running for about three and a half years and over that period of time we have had problems with spammers.

Since we have now managed to stop spam completely, I thought it might be useful to let others know how we managed this.

The steps we took may not be suitable for every Wiki but they work well for us. However, you'll probably be able to take some tips and ideas away with you.

Most of these tasks require systems skills and privileged server access. Contact your ISP for assistance if you are not comfortable with any of these tasks.

How we stopped the spam

Enforce registration for editing

This does prevent free and easy editing; however, we were regularly attacked until we enforced registration.

  • Add the following to LocalSettings.php
   #Restrict anonymous editing
   $wgGroupPermissions['*']['edit'] = false;

   #Anonymous users cannot create new pages
   $wgGroupPermissions['*']['createpage'] = false;

Enforce email confirmation before editing is allowed

A user has to reply to a system-generated email before they are allowed to edit an article. This means they have to provide (and potentially use up) a valid email address. It also means that they have to waste a little more of their time in the process.

  • Add the following to LocalSettings.php
   # force email when registering
   # email must be confirmed before edits allowed
   $wgEmailConfirmToEdit = true;

Prevent inclusion of external links by new or untrusted users

This made the biggest difference of all. No spammer wants to add anything to your wiki unless they can place a link to their website.

New users will be unable to add an external link to any page or make an edit to a page that has an existing external link until an Admin has added them to the TrustedUsers page. Once in this file they are allowed to add and edit links.

I also made a small change to the Regex so it included a block on more than just http:

Around line 71 of mediawiki-spamcallback.php

   if(preg_match('/http|www\.|\.co\.uk|\.com|\.net/',$diff)){
      $reason = 'direct links are forbidden';
      $block = true;
   }

Install a CAPTCHA system

Not sure if this has made much difference as there have been a few attackers that appear to have found a way around this. However, it is trivial to set up and it's one more hoop they have to jump through.

  • Install MediaWiki:Extension: ReCAPTCHA
  • Add the following to LocalSettings.php
   # reCaptcha
   require_once( "$IP/extensions/recaptcha/ReCaptcha.php" );
   // Sign up for these at https://www.google.com/recaptcha/admin/create
   $recaptcha_public_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
   $recaptcha_private_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';

Bulk removal of pages by user or IP

Permanently blocking the spammers

Once the above changes were implemented, apart from the day I ballsed-up the regex, we have not had any spam whatsoever.

When we identify a user that has attempted to spam our Wiki, we block them forever.

We also block any users that fit the profile of a spammer. See the block list for the 'Walks like a duck' entries. They are fairly obvious. We still have a Contact the Editor method, should we inadvertently block a good guy.

Discover the IP address of the spammers

CheckUser will allow an Admin to discover the IP address of a User.

  • Install MediaWiki:Extension: CheckUser
  • Add the following to LocalSettings.php
   # enable extension:CheckUser
   include_once("$IP/extensions/CheckUser/CheckUser.php");

This enables an administrator to discover the IP address of the user who attempted to spam your Wiki.

Once you've spotted a bad guy, keep 'em out forever

Warning: Blocking a user by IP address means they will never be able to view your site at all from that address. That may be too strict for you. There are many pitfalls in blocking visitors by IP address. If you are not careful you can block many thousands of users, prevent search engines from spidering your site, even restrict access from entire countries. Do not attempt this unless you know what you are doing! You have been warned!

  • Using the Apache deny from directive, add the IP addresses of spammers to your vhost.conf file
  • Check your Apache error_log on a daily basis to keep an eye on who you have been blocking. Blocked users will have an entry similar to this:
[Sat Feb 18 17:50:17 2012] [error] [client 64.120.31.41] client denied by server configuration: /home/httpd/vhosts/cookipedia.co.uk/httpdocs/wiki/index.php, referer: None
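
One way to do the daily error_log check described above, as an added example that is not part of the original article: a Python script that groups the "client denied by server configuration" entries by address. The first sample line is the article's own; the other lines, their addresses (documentation ranges) and the /var/www/example paths are constructed for illustration.

```python
import re
from datetime import datetime

# Apache 2.2-style "denied" entry, in the format shown in the article.
DENIED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] "
    r"client denied by server configuration: (?P<path>[^,]+)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# First line is the article's example; the rest are constructed samples
# using documentation address ranges and a hypothetical path.
SAMPLE_LOG = """\
[Sat Feb 18 17:50:17 2012] [error] [client 64.120.31.41] client denied by server configuration: /home/httpd/vhosts/cookipedia.co.uk/httpdocs/wiki/index.php, referer: None
[Sat Feb 18 17:50:19 2012] [error] [client 192.0.2.10] File does not exist: /var/www/example/favicon.ico
[Sat Feb 18 18:02:44 2012] [error] [client 198.51.100.7] client denied by server configuration: /var/www/example/wiki/index.php
[Sun Feb 19 03:11:02 2012] [error] [client 198.51.100.7] client denied by server configuration: /var/www/example/wiki/index.php, referer: None
[Sun Feb 19 03:11:05 2012] [error] [client 198.51.100.7] client denied by server configuration: /var/www/example/robots.txt
"""

def summarise_denied(lines):
    """Group denied requests by client: hit count, first/last seen, paths."""
    summary = {}
    for line in lines:
        m = DENIED.match(line.strip())
        if not m:
            continue  # unrelated error, or a log format this pattern does not cover
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue  # timestamp not in the expected layout
        e = summary.setdefault(
            m["ip"], {"hits": 0, "first": ts, "last": ts, "paths": set()})
        e["hits"] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["paths"].add(m["path"].strip())
    return summary

def report(summary):
    """One line per blocked address, busiest first."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return [f"{ip:<15} hits={e['hits']:<3} first={e['first']:%Y-%m-%d %H:%M} "
            f"last={e['last']:%Y-%m-%d %H:%M} paths={len(e['paths'])}"
            for ip, e in rows]

if __name__ == "__main__":
    print("\n".join(report(summarise_denied(SAMPLE_LOG.splitlines()))))
```

To run it on a real log, pass the open error_log file object to summarise_denied in place of the sample. A blocked address that keeps asking for robots.txt is worth a second look, since it may be a search-engine crawler of the kind the warning above mentions.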

Good luck!

I hope you have found even just some of this useful. --Chef 05:38, 19 February 2012 (GMT)
