DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system.
DokuWiki is developed with security in mind. We try to find a balance between user-friendliness and security but favor security when no satisfying compromise can be found.
This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure.
When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are:
The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide.
Previous security issues can be seen in the bugtracking system.
Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the update check mechanism.
You should always run the most current release of DokuWiki as there are no security fixes released for older versions.
DokuWiki stores configuration and page data in files. These files should never be accessible directly from the web. The distribution tarball contains a set of .htaccess
files which usually tell the Apache web server to deny access to certain directories.
If you don't use the Apache web server or your Apache does not use .htaccess
files you need to manually secure your installation
The following directories should not be accessible from the web:
data
conf
bin
inc
(isn't dangerous when accessible, though)vendor
(leaks info about your environment)
To check if you need to adjust the access permissions try to access http://yourserver.com/data/pages/wiki/dokuwiki.txt
. You should not get access to that file this way. The Admin Interface will also check this for you and display a warning, if something is wrong.
Please note that this has nothing to do with file permissions. Web access is a configuration specific to your webserver.
If your directories are not properly secured, read the following subsections on how to do that.
The simplest way is to enable .htaccess
support in your Apache configuration. Please see the Apache .htaccess Tutorial.
DokuWiki already comes with correctly configured .htaccess
files. The contents of a .htaccess
file to block all access to the directory it is in should be as follows (valid for both Apache 2.2 and 2.4):
<IfModule !mod_authz_core.c> Order deny,allow Deny from all </IfModule> <IfModule mod_authz_core.c> Require all denied </IfModule>
Please note that many distributions have .htaccess support disabled by default. To enable it you need to set the AllowOverride directive from None
to All
for the directory your wiki is installed in.
Check this detailled tutorial for Ubuntu. Configuration for Apache on other distributions is very similar.
Alternatively you can use the LocationMatch directive to prevent access to the mentioned directories without enabling .htaccess support. This has better performance, but you may need to update the directive in the future when new directories are added in DokuWiki. An example may look like this:
<LocationMatch "/(data|conf|bin|inc|vendor)/"> Order allow,deny Deny from all Satisfy All </LocationMatch>
Access to the mentioned directories can be disabled in IIS' configuration settings.
(Windows 8(.1) and Servers 2012 and 2012R2):
Note: By default, the Management Console snap-in for Internet Information Services 7 does not have UI access to “IIS Request Filtering” section. However, can be enabled by installing “IIS Administration pack 1.0” by using the Web Platform Installer.
Also note: Ensure you enter “/data/” and NOT just “/data”, otherwise pages that start with “data” will be inaccessible.
If you can't access IIS configuration options (as in shared hosting sites), you can use one of the following methods
Alternative 1:
You can place the following file in your dokuwiki root:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <security> <requestFiltering> <filteringRules> </filteringRules> <denyUrlSequences> <add sequence="/data/" /> <add sequence="/conf/" /> <add sequence="/bin/" /> <add sequence="/inc/" /> <add sequence="/vendor/" /> </denyUrlSequences> </requestFiltering> </security> </system.webServer> </configuration>
Alternative 2:
You can put the following web.config file in the directories you have to protect.
data
conf
bin
inc
(isn't dangerous when accessible, though)vendor
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <handlers accessPolicy="None" /> </system.webServer> </configuration>
Using a |URL re-write you can deny access to the above directories. In your /etc/lighttpd/lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out. It supposes your Dokuwiki files are installed under http://yourwebsite.tld/dokuwiki/.
url.rewrite-once = ( "^/dokuwiki/(data|conf|bin|inc|vendor)/+." => "/nonexistentfolder" )
Don't forget to uncomment or add “mod_rewrite” in the server.modules section of /etc/lighttpd/lighttpd.conf. It should look like this:
server.modules += ( "mod_compress", "mod_dirlisting", "mod_staticfile", "mod_rewrite", )
Unfortunately it does not keep people out who are using Vivaldi and probably other Chromium based browsers. When combined with “mod_access” it does keep people out. More mod_access examples are available here.
In /etc/lighttpd/lighttpd.conf “mod_access” should be in the “server.modules = (” section. Also add
$HTTP["url"] =~ "^/dokuwiki/(data|conf|bin|inc|vendor)/+." { url.access-deny = ("") }
to /etc/lighttpd/lighttpd.conf.
Restart lighttpd with systemctl reload-or-restart lighttpd and check the status with systemctl status lighttpd
Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. In your host configuration file (for example, /etc/nginx/sites-available/default) or nginx.conf file add the following location to prevent access to secure directories.
Make sure that the rule is processed before other rules that control access to certain files.1)
location ~ /(data|conf|bin|inc|vendor)/ { deny all; }
Note: if you are using xsendfile, the above rules will break sendfile functionality. Consider the following:
location ~ /(conf|bin|inc|vendor)/ { deny all; } location ~ /data/ { internal; }
It is relatively easy to forbid access to those directories using Cherokee. In cherokee-admin, select the virtual server where dokuwiki is installed and select rules management.
then add a new “Regular Expression” rule and put the following in it (supposing that dokuwiki sits on the root directory):
/(data|conf|bin|inc|vendor)/
Remember to set it as “NON FINAL”, because if not, some code under those directories may still being executed under certain circumstances (“Extensions php” rule as “NON FINAL” present, for example).
Then go in “Handler” section and select HTTP Error. Finally select “403 Forbidden” in HTTP Error.
Here is an example Caddyfile for a wiki served with Caddy:
wiki.example.com { log /var/log/caddy/dokuwiki.log root /var/www/dokuwiki/ # Assuming install/config of php-fpm # to listen on localhost:9000 fastcgi / 127.0.0.1:9000 php # This block below sends an HTTP 401 message when # a client attempts to access the secured directories. status 401 { /data /conf /bin /inc /vendor } }
The most secure way to avoid any access to the mentioned directories is to move them outside the so called “Document Root” of your Webserver. This is usually not needed if you followed the guides above and requires a bit more understanding on how webserver and DokuWiki works. None-the-less it is the safest way to secure your DokuWiki install regardless of the used webserver.
WARNING: If you are planning to use the installer, you need to install your wiki executing the install.php script first before you can do this step. If the Move Directories operation is done before, the installer execution will fail.
data
directory (and all its contents) out of the document rootdata
directory.
For example, if the data
directory is moved to /home/yourname/data
, add the following line to conf/local.php
:
$conf['savedir'] = '/home/yourname/data';
conf
directory (and all its contents) out of the document rootpreload.php
inside the inc
directory and set the DOKU_CONF
define to the new location of the conf
directory.
For example, if the conf
directory is moved to /home/yourname/conf
, create the following inc/preload.php
:
<?php // DO NOT use a closing php tag. This causes a problem with the feeds, // among other things. For more information on this issue, please see:w // http://www.dokuwiki.org/devel:coding_style#php_closing_tags define('DOKU_CONF','/home/yourname/conf/');
The bin directory contains CLI tools. If you don't have shell access on your server anyway you can simply delete the directory and its contents. Otherwise just move it out of the document root. No further configuration needed.
There is currently no easy way to move this directory out of the document root. But since it doesn't contain any sensitive data it isn't worth the effort to try anyway.
DokuWiki contains several configuration settings that have an impact on various security aspects of the installation. Please refer to the documentation of each setting to learn what they do and what suggested settings are.
DokuWiki has lots of community contributed plugins. Plugins add new functionality to DokuWiki by adding new code. This means the code has practically any access to your server. Additionally plugins are distributed separately from DokuWiki in an entirely ad-hoc manner. They are not subject to the same degree of attention and review that the core DokuWiki code base gets. So security precautions are necessary before installing a plugin.
Here are some tips to help you with choosing the plugins you install.
lib
directory, which is directly accessible from the outside. Review what a plugin contains and if access is appropriate, plugins shouldn't store sensitive info in their own directory.See also: How to report security issues in plugins
With Access Control Lists (ACL) you can restrict which pages and/or namespaces users have access to. You can give read and write permissions depending on the user group or single users.
Here are a few more internal and external pages related to security.