[pmwiki-users] WikiFarm Security, Are Suspenders Really Necessary?
sandy at onebit.ca
Fri Nov 10 10:00:04 CST 2006
Small site, hoping to become more small sites. Using CPanel, Apache,
SmartFTP. No shell access. No shopping cart or automated money or credit
card numbers. Frequent backups by copying everything back down to my

While moving the engine out of the web directory, moving /pub and /skins
back into the web directory, repointing the path variables and learning
how to do symlinks and .htaccess, the suspenders tied me into knots.
Never did untangle them. Not looking forward to updates.

Then Pm pointed out suspenders might be overkill!

Assuming I do the following, what risk am I really running?

1. Copy the pmwiki program and all that comes with it to

2. Edit the farm's local/config.php to contain
Do the same with /pmwiki/index.

3. Create sites in /www/sites . Use the "slightly more secure" method
for creating wiki.d directories:
3a. Chmod 2777 . on /www/sites/site1 .
3b. Run PmWiki.
3c. Chmod 755 . to lock /www/sites/site1 up again.
(Side question: what does the . in the chmod command do? SmartFTP won't

4. Lock everything down tight using AuthUser, to make a CMS system.

Next steps are purely cosmetic, but done at the same time:

5. Use CPanel to create subdomains, so www.site1.mydomain.com points to
/www/sites/site1 (and so on).

6. Use $EnablePathInfo and .htaccess mod_rewrite to get CleanURLs that
don't look like they're from a wiki. (Use trial and error or ask for
help with mod_rewrite.)

7. Stick to recipes by known contributors and/or with Pm's blessing.

So, what would the hackers be able to do?

Thanks in advance,
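
Added example, not part of the original post: a shell check for steps 3a-3c that reports any site directory left world-writable (step 3c forgotten) or still missing its wiki.d. It assumes a host with shell access and the /www/sites/<site>/wiki.d layout from the post; the function name `audit_sites` is hypothetical.

```shell
#!/bin/sh
# Added example (not PmWiki's own code): audit farm site directories
# after the chmod 2777 -> run PmWiki -> chmod 755 sequence.
# Usage: audit_sites /www/sites
# Prints one finding per site; returns 1 if any site directory is
# still world-writable, 0 otherwise.

audit_sites() {
    root=$1
    status=0
    for site in "$root"/*/; do
        [ -d "$site" ] || continue      # glob matched nothing
        site=${site%/}
        # -prune keeps find on the site directory itself; -perm -0002
        # matches any mode with the world-write bit set (777, 2777, ...).
        if [ -n "$(find -H "$site" -prune -type d -perm -0002)" ]; then
            echo "OPEN    $site (world-writable; step 3c not done)"
            status=1
        elif [ ! -d "$site/wiki.d" ]; then
            echo "NOWIKID $site (no wiki.d yet; steps 3a-3b not done)"
        else
            echo "OK      $site"
        fi
    done
    return $status
}

# Run against a directory given on the command line, if any.
if [ $# -gt 0 ]; then
    audit_sites "$1"
fi
```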