per default there is no admin/login screen… until you run install.php

here is the complete setup documentary… have fun.

  1. sftp-ssh into one’s server/web-hoster
  2. if one wants to run dokuwiki as subdirectory, create subdirectory mkdir /web/root/dokuwiki
  3. download latest version to local system:
  4. wget
  5. tar fxv dokuwiki-*.tgz; # unpack
  6. sftp upload 4000+X files to server/web-hoster/subdirectory
    1. depending on your rights management:
      1. chown -R webserveruser:webserveruser /web/root/dokuwiki;
      2. chmod -R o+r /web/root/dokuwiki;
      3. chmod -R 0700 *
  7. now dokuwiki would be ready to go: (if you do not need login/admin/access restrictions = public wiki = bad idea will be hijacked by bots pretty soon)
  8. start webbrowser go to (preferable via SSL)

  1. specify username for superuser and password.
  2. now you have a login link on the top right corner:
  3. click on that “log in” link
  4. the world is beautiful, but some people bug other people: thightening security:
    1. rename install.php to whatever.ph_
    2. test if you can access this file:
    3. if yes: ->
      • DokuWiki stores configuration and page data in files.
      • These files should never be accessible directly from the web.
      • Rename data Directory: Securing the data directory is most important. If you cannot move directories out of the webserver (see below) or can’t configure your webserver to deny access (see above), then you should at least make it harder to guess the name of your data directory.

add this ‘savedir’ conf in conf/local.php

echo "$conf['savedir'] = '/web/root/dokuwiki/renamed_data_dir'" >> conf/local.php

let’s continue: plugins and extensions

  2. disable all unnecessary extensions:
  3. in general: you should always run as little software on your servers as possible – minimizing attack surface.

make the wiki private: login only

chances are pretty good sooner or later a bot discovers your public wiki and will overwrite your content with links to https://MassiveAmount.OfSpam.ObscureTopLevelDomain (just to push the google ranking or whatever)

what you want bots to see is this a login screen…

click on admin or log in in the top right corner… go to user manager.

add a new user:

go back to admin dashboard and click on “Access Control List Manager”.

There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the admin permission of 255 can not be used in the conf/acl.auth.php file. It is only used internally by matching against the superuser option.

increasing security with htaccess

if your webserver supports it (nginx, apache, apache2 does, lighttpd does not) i highly recommend laying another layer of security over your private wiki, in the root of your dokuwiki you place .htaccess like this:

# install software
apt install apache2-utils
# create the file with this content
vim /var/www/dokuwiki/.htaccess;
AuthType Basic
AuthUserFile /var/www/passwd
AuthName "title of the user password dialog box"
order deny,allow
allow from all
require valid-user

htpasswd -cs /var/www/passwd user; # generate file, you will be asked twice for password
htpasswd -s /var/www/passwd secondaryuser;
# -s Use SHA encryption for passwords.

highly recommended: upgrade plugin

can be simplified A LOT with the upgrade plugin!

Reporting Security Issues

If you encounter an issue with a plugin please inform the author of the plugin via email, optionally putting Andi or the mailinglist on CC.

liked this article?

  • only together we can create a truly free world
  • plz support dwaves to keep it up & running!
  • (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
  • really really hate advertisement
  • contribute: whenever a solution was found, blog about it for others to find!
  • talk about, recommend & link to this blog and articles
  • thanks to all who contribute!