By default there is no admin/login screen… until you run install.php.

Here is the complete setup walkthrough… have fun.

  1. ssh into your server
  2. create the subdirectory: mkdir -p /web/root/dokuwiki
  3. go to https://download.dokuwiki.org/out/
    • find the link to the latest version and download it:
  4. wget https://download.dokuwiki.org/out/dokuwiki-0af3c979842ab2dca44678eb67b94400.tgz
  5. tar xvzf dokuwiki-*.tgz; # unpack into /web/root/dokuwiki
    1. depending on your rights management (the webserver must actually run as webserveruser, e.g. www-data):
      1. chown -R webserveruser:webserveruser /web/root/dokuwiki;
      2. chmod -R 0700 /web/root/dokuwiki; # only the webserver user needs to read and write these files; conf/ will hold password hashes, so do not make them world-readable (a chmod -R o+r would do exactly that, and is undone by 0700 anyway)
  6. now dokuwiki would be ready to go: https://yourdomain.com/dokuwiki/ (if you do not need login/admin/access restrictions = public wiki = bad idea, it will be hijacked by bots pretty soon)
  7. start a web browser and go to https://yourdomain.com/dokuwiki/install.php (over HTTPS, so the superuser password you are about to set is not sent in clear text)

    1. specify the superuser name and password.
    2. now there is a login link in the top right corner:
    3. click on that „log in“ link
    4. the world is beautiful, but some people bug other people: tightening security:
      1. rename install.php to whatever.ph_ (the installer must not stay reachable once the superuser exists)
      2. test whether you can fetch a wiki data file directly from the web: https://yourdomain.com/dokuwiki/data/pages/wiki/dokuwiki.txt
      3. if yes: -> https://www.dokuwiki.org/security
        • DokuWiki stores configuration and page data in files.
        • These files should never be accessible directly from the web.
        • Rename data directory: securing the data directory is most important. If you cannot move directories out of the webserver (see below) or can't configure your webserver to deny access (see above), then you should at least make it harder to guess the name of your data directory.

add this 'savedir' setting to conf/local.php, after moving the directory (ideally to a path outside the web root; a renamed directory inside the web root is only the fallback):

mv /web/root/dokuwiki/data /web/root/dokuwiki/renamed_data_dir
printf "\$conf['savedir'] = '%s';\n" /web/root/dokuwiki/renamed_data_dir >> conf/local.php

(note the escaped \$: with a plain echo "$conf[...]" the shell expands $conf to an empty string and writes a broken line into local.php; check the result with tail conf/local.php)
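The post-install hardening steps above (disable install.php, move the data directory, set savedir, tighten permissions) as one script, added here as an example; it is not part of the original post or of DokuWiki. It runs against a constructed fake wiki tree built by make_fixture, so it can be tried without a real install; the paths WIKIROOT and NEWDATADIR are assumptions you pass in yourself.

```shell
#!/bin/sh
# Added example, not part of the original post or of DokuWiki itself:
# the post-install hardening steps as one script, exercised against a
# constructed fake wiki tree. Paths are assumptions; pass your own.
set -e

# make_fixture DIR: build a minimal stand-in for an unpacked DokuWiki tree
# (constructed sample data, not a real DokuWiki checkout)
make_fixture() {
    mkdir -p "$1/conf" "$1/data/pages/wiki"
    printf '<?php\n// installer placeholder\n' > "$1/install.php"
    printf '<?php\n$conf["title"] = "my wiki";\n' > "$1/conf/local.php"
    printf 'secret page content\n' > "$1/data/pages/wiki/dokuwiki.txt"
}

# harden_dokuwiki WIKIROOT NEWDATADIR
#  1. disable install.php by renaming it
#  2. move data/ to NEWDATADIR (pick a path outside the document root if you can)
#  3. point $conf['savedir'] at the new location
#  4. drop read access for every local user except the owner
harden_dokuwiki() {
    root=$1
    newdata=$2

    if [ -f "$root/install.php" ]; then
        mv "$root/install.php" "$root/install.ph_"
    fi

    if [ -d "$root/data" ]; then
        mv "$root/data" "$newdata"
    fi

    # printf with an escaped \$ writes a literal $conf; echo "$conf[...]"
    # would let the shell expand $conf to nothing and corrupt local.php.
    # Assumes local.php has no closing ?> tag (the installer writes none).
    printf "\$conf['savedir'] = '%s';\n" "$newdata" >> "$root/conf/local.php"

    chmod 0700 "$root/conf" "$newdata"
}

# mode_of PATH: permission string such as drwx------ (works with GNU and BSD ls)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_hardened WIKIROOT NEWDATADIR: 0 if every step took effect, 1 otherwise
check_hardened() {
    root=$1
    newdata=$2
    [ ! -e "$root/install.php" ] || return 1
    [ -d "$newdata/pages" ] || return 1
    [ ! -e "$root/data" ] || return 1
    grep -qF "\$conf['savedir'] = '$newdata';" "$root/conf/local.php" || return 1
    [ "$(mode_of "$newdata")" = "drwx------" ] || return 1
    [ "$(mode_of "$root/conf")" = "drwx------" ] || return 1
    return 0
}

# demo run on a throwaway tree
tmp=$(mktemp -d)
make_fixture "$tmp/dokuwiki"
harden_dokuwiki "$tmp/dokuwiki" "$tmp/dokuwiki_data"
if check_hardened "$tmp/dokuwiki" "$tmp/dokuwiki_data"; then
    echo "hardening applied in $tmp/dokuwiki"
fi
rm -rf "$tmp"
```

On a real install, run it as the webserver user (or chown afterwards) and still request data/pages/wiki/dokuwiki.txt through the browser once: the script only changes the filesystem, the webserver's own deny rule is a separate layer.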

let's continue: plugins and extensions

  1. get the upgrade plugin (see below). I HIGHLY RECOMMEND IT! IT MAKES UPDATES CLICK, CLICK, CLICK, DONE EASY.
  2. disable all unnecessary extensions.
  3. in general: you should always run as little software on your servers as possible, minimizing the attack surface.

make the wiki private: login only

chances are pretty good that sooner or later a bot discovers your public wiki and overwrites your content with links to some spam site (just to push its google ranking or whatever)

what you want bots to see is just a login screen…

click on „admin“ or „log in“ in the top right corner and go to the user manager.

add a new user:

go back to the admin dashboard and click on „Access Control List Manager“.

There are 7 permission levels, represented by an integer. Higher levels include lower ones: if you can edit you can read, too. However, the admin permission of 255 cannot be used in the conf/acl.auth.php file. It is only used internally by matching against the superuser option.
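To make the "levels include lower ones" and "255 is never valid in the file" points concrete, here is an added example (not from the original post and not DokuWiki's own code): a login-only acl.auth.php written by write_private_acl, plus a small resolver that models how DokuWiki applies the file, most specific scope first (exact page, then each enclosing namespace's ns:*, then *), highest matching level within that scope, and file values above 16 clamped to 16. The rule lines, page names and users (alice, bob) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of DokuWiki itself:
# a login-only acl.auth.php and a resolver that models DokuWiki's ACL
# matching. Rules, pages and user names are constructed for the example.
set -e

# Permission levels (DokuWiki): NONE=0 READ=1 EDIT=2 CREATE=4 UPLOAD=8 DELETE=16
# ADMIN=255 exists only internally and is not valid in acl.auth.php.
# File format: one rule per line: scope  user-or-@group  level

# write_private_acl FILE: the public sees nothing, every logged-in user may upload
write_private_acl() {
    cat > "$1" <<'EOF'
# acl.auth.php for a login-only wiki (constructed example)
* @ALL 0
* @user 8
EOF
}

# acl_scope_perm FILE SCOPE USER [GROUP...]: highest level any matching rule
# grants for exactly this scope; prints an empty line if no rule matches
acl_scope_perm() {
    acl_file=$1; want=$2; who_user=$3; shift 3
    best=''
    while read -r rscope rwho rperm _rest; do
        case $rscope in ''|'#'*) continue ;; esac      # blank line or comment
        [ "$rscope" = "$want" ] || continue
        matched=0
        if [ "$rwho" = "$who_user" ] || [ "$rwho" = '@ALL' ]; then
            matched=1
        else
            for g in "$@"; do
                [ "$rwho" = "@$g" ] && matched=1
            done
        fi
        [ "$matched" -eq 1 ] || continue
        [ "$rperm" -gt 16 ] && rperm=16                # no admins via the file
        if [ -z "$best" ] || [ "$rperm" -gt "$best" ]; then best=$rperm; fi
    done < "$acl_file"
    echo "$best"
}

# acl_next_scope SCOPE: the next less specific scope, e.g. wiki:syntax -> wiki:* -> *
acl_next_scope() {
    s=$1
    case $s in
        *:\*) s=${s%":*"} ;;                           # wiki:sub:* -> wiki:sub
    esac
    case $s in
        *:*) echo "${s%:*}:*" ;;                       # wiki:sub -> wiki:*
        *)   echo '*' ;;
    esac
}

# acl_check FILE PAGE USER [GROUP...]: effective level for PAGE (0 if nothing matches)
acl_check() {
    f=$1; page=$2; u=$3; shift 3
    scope=$page
    while :; do
        level=$(acl_scope_perm "$f" "$scope" "$u" "$@")
        if [ -n "$level" ]; then echo "$level"; return 0; fi
        if [ "$scope" = '*' ]; then echo 0; return 0; fi
        scope=$(acl_next_scope "$scope")
    done
}

# demo: the private wiki plus two constructed extra rules
acl=$(mktemp)
write_private_acl "$acl"
printf '%s\n' 'wiki:* @user 1' 'wiki:syntax alice 2' >> "$acl"
echo "anonymous on start:   $(acl_check "$acl" start '')"              # 0
echo "bob on start:         $(acl_check "$acl" start bob user)"        # 8
echo "bob on wiki:syntax:   $(acl_check "$acl" wiki:syntax bob user)"  # 1
echo "alice on wiki:syntax: $(acl_check "$acl" wiki:syntax alice user)" # 2
rm -f "$acl"
```

Logged-in users get the group "user" from DokuWiki, which is why the @user rule is what turns the wiki private: anonymous visitors only ever match @ALL and end up at 0.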

increasing security with htaccess

if your webserver supports it (apache/apache2 does; nginx and lighttpd do not read .htaccess files, there you configure basic auth in the server config instead) I highly recommend laying another layer of security over your private wiki: in the root of your dokuwiki you place a .htaccess like this. Apache must allow it (AllowOverride AuthConfig for that directory), the password file must live outside the document root, and since HTTP basic auth only base64-encodes the password, serve the wiki over HTTPS only:

# htpasswd comes with apache2-utils
apt install apache2-utils
# create /var/www/dokuwiki/.htaccess with this content (Apache 2.4 syntax):
AuthType Basic
AuthName "title of the user password dialog box"
AuthUserFile /var/www/passwd
Require valid-user
# (on Apache 2.2 the last line is instead: order deny,allow / allow from all / require valid-user)

htpasswd -cB /var/www/passwd user; # -c creates the file, you will be asked twice for the password
htpasswd -B /var/www/passwd secondaryuser; # further users without -c (it would overwrite the file)
# -B stores bcrypt hashes; the -s option (unsalted SHA-1) from older guides should be avoided

highly recommended: upgrade plugin

updating dokuwiki can be simplified A LOT with the upgrade plugin!

https://www.dokuwiki.org/plugin:upgrade

Reporting Security Issues

If you encounter a security issue with a plugin, please inform the author of the plugin via email, optionally putting Andi or the mailing list on CC.
