per default there is no admin/login screen… until you run install.php
here is the complete setup documentary… have fun.
- sftp-ssh into one’s server/web-hoster
- if one wants to run dokuwiki as subdirectory, create subdirectory mkdir /web/root/dokuwiki
- download latest version to local system: https://download.dokuwiki.org/
- (or browser versions: https://download.dokuwiki.org/out/)
- wget https://download.dokuwiki.org/out/dokuwiki-0af3c979842ab2dca44678eb67b94400.tgz
- tar fxv dokuwiki-*.tgz; # unpack
- sftp upload 4000+X files to server/web-hoster/subdirectory
- depending on your rights management:
- chown -R webserveruser:webserveruser /web/root/dokuwiki;
- chmod -R o+r /web/root/dokuwiki;
- chmod -R 0700 *
- now dokuwiki would be ready to go: https://yourdomain.com/dokuwiki/ (if you do not need login/admin/access restrictions = public wiki = bad idea, it will be hijacked by bots pretty soon)
- start webbrowser and go to https://yourdomain.com/dokuwiki/install.php (preferably via SSL)
- specify username for superuser and password.
- now you have a login link in the top right corner:
- click on that “log in” link
- the world is beautiful, but some people bug other people: tightening security:
- rename install.php to whatever.ph_
- test if you can access this file from the outside: http://yourserver.com/data/pages/wiki/dokuwiki.txt
- if yes, follow https://www.dokuwiki.org/security:
- DokuWiki stores configuration and page data in files.
- These files should never be accessible directly from the web.
- Rename data directory: Securing the data directory is most important. If you cannot move directories out of the webserver (see below) or can’t configure your webserver to deny access (see above), then you should at least make it harder to guess the name of your data directory.
add this ‘savedir’ conf in conf/local.php (after moving data/ to renamed_data_dir; the $ must be escaped so the shell does not expand $conf, and PHP needs the trailing semicolon):
echo "\$conf['savedir'] = '/web/root/dokuwiki/renamed_data_dir';" >> conf/local.php
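As an added example (not from the original post), a small POSIX shell script that automates the “test if you can access this file” step for several DokuWiki files that must stay private; the BASE URL is an assumption, and the two conf/ paths beyond those named in the post are assumed from the default layout.

```shell
#!/bin/sh
# Added example, not from the original post: automate the "test if you can
# access this file" step for several DokuWiki files that must stay private.
# BASE is an assumption; set it to your own wiki URL.
BASE="${BASE:-https://yourdomain.com/dokuwiki}"

# Paths that must never be served. The first two are named in the post; the
# other two (assumed default layout) hold password hashes and the ACL table.
PRIVATE_PATHS="data/pages/wiki/dokuwiki.txt conf/local.php conf/users.auth.php conf/acl.auth.php"

# verdict PATH STATUS: prints one result line; returns 1 if the file is served.
# 401/403/404 mean the webserver (or .htaccess basic auth) blocks it, which is
# what we want; any other code deserves a manual look.
verdict() {
    case "$2" in
        200)         echo "REACHABLE $1 (HTTP $2)"; return 1 ;;
        401|403|404) echo "ok        $1 (HTTP $2)"; return 0 ;;
        *)           echo "check     $1 (HTTP $2)"; return 0 ;;
    esac
}

# http_status URL: prints the numeric status code, 000 if unreachable.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# check_all: tests every private path; exit status = number of reachable files.
check_all() {
    reachable=0
    for p in $PRIVATE_PATHS; do
        verdict "$p" "$(http_status "$BASE/$p")" || reachable=$((reachable + 1))
    done
    return "$reachable"
}

# Only hit the network when explicitly asked: RUN_CHECK=1 BASE=https://... sh check.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_all
fi
```

Run it again after renaming the data directory and after adding the .htaccess basic auth: every line should read ok, and a REACHABLE line means the webserver still serves that file.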
let’s continue: plugins and extensions
- get the easy update extension I HIGHLY RECOMMEND IT! IT MAKES UPDATES CLICK, CLICK, CLICK, DONE EASY:
- disable all unnecessary extensions:
- in general: you should always run as little software on your servers as possible – minimizing attack surface.
make the wiki private: login only
chances are pretty good that sooner or later a bot discovers your public wiki and will overwrite your content with links to https://MassiveAmount.OfSpam.ObscureTopLevelDomain (just to push the google ranking or whatever)
what you want bots to see is this: a login screen…
click on admin or log in in the top right corner… go to user manager.
add a new user:
go back to admin dashboard and click on “Access Control List Manager”.
There are 7 permission levels represented by an integer. Higher levels include lower ones. If you can edit you can read, too. However the admin permission of 255 can not be used in the conf/acl.auth.php file. It is only used internally by matching against the superuser option.
increasing security with htaccess
if your webserver supports it (nginx, apache, apache2 does, lighttpd does not) I highly recommend laying another layer of security over your private wiki: in the root of your dokuwiki you place a .htaccess like this:

# install software
apt install apache2-utils
# create the file with this content
vim /var/www/dokuwiki/.htaccess

AuthType Basic
AuthUserFile /var/www/passwd
AuthName "title of the user password dialog box"
order deny,allow
allow from all
require valid-user

htpasswd -cs /var/www/passwd user # generate file, you will be asked twice for password
htpasswd -s /var/www/passwd secondaryuser # -s Use SHA encryption for passwords.
highly recommended: upgrade plugin
can be simplified A LOT with the upgrade plugin!
https://www.dokuwiki.org/plugin:upgrade
Reporting Security Issues
If you encounter an issue with a plugin please inform the author of the plugin via email, optionally putting Andi or the mailing list on CC.