Chef at 04:52, 1 October 2020

2020-10-01T04:52:45Z

New page

{{#seo:
|title=How to stop Spam on a MediaWiki
|titlemode=replace
|keywords=#howtostopspamonamediawiki #stonebakedspampizza #cookipedia #help #trustedusers
|hashtagrev=12032020
|description=Cookipedia has been running for about three and a half years and over that period of time we have had problems with spammers
}}


[[Image:Spam pizza recipe.jpg|thumb|300px|right|[[Stone baked Spam pizza]]]]
[[Cookipedia]] has been running for about three and a half years and over that period of time we have had problems with spammers.

Since we have now managed to stop spam completely, I thought it might be useful to let others know how we managed this.

The steps we took may not be suitable for every Wiki but they work well for us. However, you'll probably be able to take some tips and ideas away with you.

''Most of these tasks require systems skills and privileged server access. Contact your ISP for assistance if you are not comfortable with any of these tasks.''

==How we stopped the spam==
====Enforce registration for editing====
This does prevent free and easy editing, however, we were regularly attacked until we enforced registration.

* Add the following to LocalSettings.php
<pre>
#Restrict anonymous editing
$wgGroupPermissions['*']['edit'] = false;

#Anonymous users cannot create new pages
$wgGroupPermissions['*']['createpage'] = false;
</pre>
====Enforce email confirmation before editing is allowed====
A user has to reply to a system generated email before they are allowed to edit an article. This means they have provide (and potentially use-up) a valid email address. It also means that they have to waste a little more of their time in the process.
* Add the following to LocalSettings.php
<pre>
# force email when registering
# email must be confirmed before edits allowed
$wgEmailConfirmToEdit = true;
</pre>
====Prevent inclusion of external links to new or untrusted users====
This made the biggest difference of all. No spammer wants to add anything to your wiki unless they can place a link to their website.

New users will be unable to add an external link to any page ''or'' make an edit to a page that has an existing external link until an Admin had added them to the [[TrustedUsers]] page. Once in this file they are allowed to add and edit links.

* Install MediaWiki:Extension: [https://www.mediawiki.org/wiki/Extension:NotEvil Extension:NotEvil]

I also made a small change to the [https://php.net/manual/en/function.preg-match.php Regex] so it included a block on more than just https:

Around line 71 of mediawiki-spamcallback.php
<pre>
if(preg_match('/https|www\.|\.co\.uk|\.com|\.net/',$diff)){
$reason = 'direct links are forbidden';
$block = true;
}
</pre>
====Install a [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA system]====
Not sure if this has made much difference as there have been a few attackers that appear to have found a way around this. However it is trivial to setup and it's one more hoop they have to jump through.
* Install MediaWiki:Extension: [https://www.mediawiki.org/wiki/Extension:ReCAPTCHA ReCAPTCHA]
* Add the following to LocalSettings.php
<pre>
# reCaptcha
require_once( "$IP/extensions/recaptcha/ReCaptcha.php" );
// Sign up for these at https://www.google.com/recaptcha/admin/create
$recaptcha_public_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
$recaptcha_private_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
</pre>
====Bulk removal of pages by user or IP====
* Install: https://www.mediawiki.org/wiki/Extension:Nuke
===Permanently blocking the spammers===
Once The above changes were implemented, apart from the day I ballsed-up the regex, we have not had any spam whatsoever.

When we identify a user that has attempted to spam our Wiki, we block them forever.
* [[Special:BlockUser]]

We also block any users that fit the profile of a spammer. See the [[Special:BlockList|block list]] for the ''Walks like a duck'' entries. They are fairly obvious. We still have a ''Contact the Editor'' method, should we inadvertently block a good-guy.

====Discover the IP address of the spammers====
[https://www.mediawiki.org/wiki/Extension:CheckUser CheckUser] will allow an Admin to discover the IP address of a User.

* Install MediaWiki:Extension: [https://www.mediawiki.org/wiki/Extension:CheckUser CheckUser]
* Add the following to localSettings.php
<pre>
# enable extension:CheckUser
include_once("$IP/extensions/CheckUser/CheckUser.php");
</pre>

This enables an administrator to discover the [https://en.wikipedia.org/wiki/IP_address IP address] of the user who attempted to spam your Wiki.

====Once you've spotted a bad guy, keep 'em out forever====
[[File:40px-Dialog-warning.svg.png|40px]] Blocking a user by IP address means they will never be able to view your site at all from that address. That may be too strict for you. '''There are many pitfalls in blocking visitors by IP address.''' If you are not careful you can block many thousands of users, prevent search engines from spidering your site, even restrict access from entire countries. ''Do not attempt this unless you know what you are doing!'' You have been warned!

* Using the [https://httpd.apache.org/docs/2.2/howto/access.html deny from pragma], add the IP addresses of spammers to your vhost.conf file
* Check your Apache error_log on a daily basis to keep an eye on who you have been blocking. Blocked users will have an entry similar to this:
<pre>
[Sat Feb 18 17:50:17 2012] [error] [client 64.120.31.41] client denied by server configuration: /home/httpd/vhosts/cookipedia.co.uk/httpdocs/wiki/index.php, referer: None
</pre>
* This is our current IP block list: [[File:vhost.conf.txt]]
====Good luck!====
I hope you have found even just some of this this useful. --[[User:Chef|Chef]] 05:38, 19 February 2012 (GMT)
==See also==
* MediaWiki Extensions: https://www.mediawiki.org/wiki/Category:Extensions
** Not Evil: https://www.mediawiki.org/wiki/Extension:NotEvil
** ReCAPTCHA: https://www.mediawiki.org/wiki/Extension:ReCAPTCHA
** CheckUser: https://www.mediawiki.org/wiki/Extension:CheckUser
** Mass deletion: https://www.mediawiki.org/wiki/Extension:Nuke
* What is CAPTCHA: https://en.wikipedia.org/wiki/CAPTCHA
* PHP regular expressions: https://php.net/manual/en/function.preg-match.php
* IP Addresses: https://en.wikipedia.org/wiki/IP_address
** Apache Access control docs: https://httpd.apache.org/docs/2.2/howto/access.html
** Block Website Harvesters (huge lists): https://www.wizcrafts.net/exploited-servers-blocklist.html
* MediaWiki Anti-spam features: https://www.mediawiki.org/wiki/Anti-spam_features
** Combat Spam: https://www.mediawiki.org/wiki/Manual:Combating_spam
** Combat Vandalism: https://www.mediawiki.org/wiki/Manual:Combating_vandalism

{{CategoryLineIngredients}}
[[Category:Useful information]]
[[Category:Help]]

<code 'hashtagrev:12032020'>[[Special:Search/howtostopspamonamediawiki|#howtostopspamonamediawiki]] [[Special:Search/stonebakedspampizza|#stonebakedspampizza]] [[Special:Search/cookipedia|#cookipedia]] [[Special:Search/help|#help]] [[Special:Search/trustedusers|#trustedusers]]
</code>

How to stop Spam on a MediaWiki - Revision history

Chef at 04:52, 1 October 2020