by default there is no admin/login screen… until you run install.php

here is the complete setup documentation… have fun.

  1. ssh into your server
  2. create subdirectory mkdir /web/root/dokuwiki
  3. wget https://download.dokuwiki.org/out/dokuwiki-c5525093cf2c4f47e2e5d2439fe13964.tgz; # download
  4. tar fxv dokuwiki-c5525093cf2c4f47e2e5d2439fe13964.tgz; # unpack
    1. depending on your rights management:
      1. chown -R webserveruser:webserveruser /web/root/dokuwiki;
      2. chmod -R o+r /web/root/dokuwiki;
      3. chmod -R 0700 *
  5. now dokuwiki would be ready to go: https://yourdomain.com/dokuwiki/ (only if you do not need login/admin/access restrictions; that means a public wiki, which is a bad idea: it will be hijacked by bots pretty soon)
  6. start a web browser and go to https://yourdomain.com/dokuwiki/install.php (preferably via SSL)

  1. specify username for superuser and password.
  2. now you have a login link on the top right corner:
  3. click on that „log in“ link
  4. the world is an ugly place: tightening security:
    1. rename install.php to whatever.ph_
    2. test if you can access this file: http://yourserver.com/data/pages/wiki/dokuwiki.txt
    3. if yes: -> https://www.dokuwiki.org/security
      • DokuWiki stores configuration and page data in files.
      • These files should never be accessible directly from the web.
      • Rename data Directory: Securing the data directory is most important. If you cannot move directories out of the webserver (see below) or can’t configure your webserver to deny access (see above), then you should at least make it harder to guess the name of your data directory.

add this 'savedir' setting to conf/local.php

echo "\$conf['savedir'] = '/web/root/dokuwiki/renamed_data_dir';" >> conf/local.php; # \$ stops the shell from expanding $conf, the trailing ; ends the PHP statement

let’s continue: plugins and extensions

  1. disable all unnecessary extensions:
  2. in general: you should always run as little software on your servers as possible – minimizing attack surface.

make the wiki private: login only

chances are pretty good sooner or later a bot discovers your public wiki and will overwrite your content with links to https://asshole.com (just to push the google ranking or whatever)

what you want bots to see is this: a login screen…

click on admin or log in in the top right corner… go to user manager.

add a new user:

go back to admin dashboard and click on „Access Control List Manager“.

There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the admin permission of 255 can not be used in the conf/acl.auth.php file. It is only used internally by matching against the superuser option.
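To check that the rules the ACL manager wrote really make the wiki login-only, here is an added example (not part of the original post and not DokuWiki code) that audits the text of conf/acl.auth.php. The function name audit_acl and the sample rules are constructed for illustration, the level names follow the DokuWiki ACL documentation, and requiring an explicit root deny for @ALL is this example's own policy choice.

```python
"""Audit a DokuWiki conf/acl.auth.php for a login-only wiki (added example)."""

# The 7 permission levels, named as in the DokuWiki ACL documentation.
LEVELS = {0: "none", 1: "read", 2: "edit", 4: "create",
          8: "upload", 16: "delete", 255: "admin"}

# Constructed sample rules, not taken from a real wiki.
SAMPLE_ACL = """\
# acl.auth.php
# <?php exit()?>
*               @ALL    1
*               @user   8
private:*       @ALL    0
playground:*    @ALL    255
broken line
"""


def audit_acl(text):
    """Return (line_no, message) findings for rules that break login-only."""
    findings = []
    deny_all = False
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdecimal():
            findings.append((no, "unparseable rule: " + line))
            continue
        scope, who, perm = parts[0], parts[1], int(parts[2])
        if perm not in LEVELS:
            findings.append((no, f"unknown permission level {perm}"))
        elif perm == 255:
            findings.append((no, "255 (admin) is not valid in acl.auth.php"))
        elif who == "@ALL" and perm > 0:
            findings.append(
                (no, f"anonymous visitors get '{LEVELS[perm]}' on {scope}"))
        if scope == "*" and who == "@ALL" and perm == 0:
            deny_all = True
    if not deny_all:  # policy of this example: demand an explicit root deny
        findings.append((0, "no '*  @ALL  0' rule for the root namespace"))
    return findings


if __name__ == "__main__":
    for no, msg in audit_acl(SAMPLE_ACL):
        print(f"line {no}: {msg}")
```

Run it against the real file by passing open("conf/acl.auth.php").read() to audit_acl; an empty list means no rule gives anonymous visitors access.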

Reporting Security Issues

If you encounter an issue with a plugin please inform the author of the plugin via email, optionally putting Andi or the mailinglist on CC.

admin