5ko at 5ko.fr
Sun Feb 6 12:29:19 CST 2011
On Sunday 06 February 2011 17:31:23, Wade Lee Hudson wrote :
> Someone is spamming my site.
> I changed the edit password, but that did not help.
Some of your groups have the @nopass edit password which just opens them for
editing with no password. You should search your wiki for GroupAttributes:
Then follow the link to every GroupAttributes page, then click on the link
"Page attributes" (between the links "Edit page" and "Page history"), then
remove the @nopass password. Use "clear" to revert to the site password, or
"@lock" to lock the editing.
I just did this (@lock) to the PDA.GroupAttributes page, as the PDA group had
spam in the recent changes. You need the admin password to edit it and to
revert the latest good version from the page history.
See http://www.pmwiki.org/wiki/PmWiki/Passwords for more information.
> I (temporarily) removed all the password code from local/config.php, but
> that did not help.
This is normal: with no password defined, a wiki is mostly open for editing by
anyone. You should have $DefaultPasswords['admin'], $DefaultPasswords['edit'],
$DefaultPasswords['upload'], and $DefaultPasswords['attr']. The 'admin' and
'attr' passwords are usually not needed by ordinary editors and should be
secret. The 'edit' and 'upload' passwords may be needed, and you should tell
them to your users.
See http://www.pmwiki.org/wiki/PmWiki/PasswordsAdmin for more information.
> Please advise.
Your kind of spam is added by spambots, progams that search the internet for
open pages. A password-protected page usually discourages editors, this is why
some wikis are left open. We found that it is very easy to protect a wiki by a
"public" password, mentioned in the wiki documentation, or even on the login
form - real people can use it, but bots are decieved. These spambots are not
programmed to search for a password and they just move to the next site.
There are more sophisticated recipes, but all I use is a message at the bottom
of my page [[Site.AuthForm]], something like:
(:if group Thumblist*,Cookbook,TE:)
'''PmWiki fans''': the edit/upload password is @@quick@@.
if in config.php I have:
$DefaultPasswords['edit'] = crypt("quick");
For more information about security, see
> If I cannot solve the problem quickly, my host wants me to temporarily
> block all ability to edit the site, which would be ok with me.
You can set a wiki to read-only by adding this to config.php:
$EnableReadOnly = 1;
But this would prevent you to clean up the spam. Instead, you could set the
'edit' password to '@lock' (and not crypt('@lock')) and then use your admin
password to revert to previous versions from the page history.
More information about the pmwiki-users