ICT:Account protection

From Costa Sano MediaWiki
Revision as of 18:18, 9 February 2026 by Mngr

Overview

This document outlines the security profile of default system accounts and the hardening configurations applied to this MediaWiki instance (v1.45) to restrict access and visibility.

Default System Accounts

Upon initialization, MediaWiki creates or reserves specific identities.

MediaWiki default

  • Type: Virtual/System User.
  • Password Protection: This account does not have a password and is blocked from web-based login.
  • Function: It acts as a placeholder for automated interface updates and system-generated edits.
  • Security Status: Safe; cannot be compromised via brute force.

Initial Admin (Sysop)

  • Type: Human Administrator.
  • Security: Protected by a salted password hash.
  • Audit Path: Check rights via Special:UserRights or the Sysop List.

Applied Hardening (LocalSettings.php)

The following configurations are implemented in the server's configuration file to secure the environment.

1. Registration Lock

Prevents the "Create Account" option from appearing to anonymous visitors.

$wgGroupPermissions['*']['createaccount'] = false;

2. Write Protection

Disables anonymous editing to ensure only identified users can modify content.

$wgGroupPermissions['*']['edit'] = false;

3. Private Wiki Configuration (Optional/Full Privacy)

To prevent any unauthorized viewing of the wiki content, the following settings hide all pages from logged-out users, except for the login interface.

# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;

# Whitelist essential pages to allow users to log in
$wgWhitelistRead = array(
    "Special:UserLogin", 
    "MediaWiki:Common.css", 
    "MediaWiki:Common.js"
);

Successor Maintenance Notes

  1. Audit: Regularly verify the user list via Special:ListUsers.
  2. Updates: If a new system user appears after an upgrade or extension install, consult the MediaWiki System User Manual.
  3. Configuration: All changes above must be verified in an Incognito/Private browser window to ensure they are active.
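
The private-window check in note 3 can also be scripted. This is an added example, not part of the original page or of MediaWiki: it asks api.php (action=query, meta=userinfo, uiprop=rights) which rights a logged-out visitor holds and reports the three rights changed in sections 1 to 3. The function names and sample responses are constructed, and it assumes the API answers anonymous queries with the readapidenied error once anonymous read is disabled.

```python
import json
import urllib.parse
import urllib.request

# Rights that sections 1-3 remove from the '*' (anonymous) group.
HARDENED_RIGHTS = ("createaccount", "edit", "read")

def fetch_anonymous_userinfo(api_url):
    """Query api.php with no cookies, i.e. as a logged-out visitor."""
    query = urllib.parse.urlencode({"action": "query", "meta": "userinfo",
                                    "uiprop": "rights", "format": "json"})
    with urllib.request.urlopen(f"{api_url}?{query}", timeout=10) as resp:
        return json.load(resp)

def audit_anonymous_rights(response):
    """Map each hardened right to 'denied', 'granted' or 'unverified'."""
    error = response.get("error")
    if error:
        if error.get("code") == "readapidenied":
            # Private wiki: anonymous API queries are refused, so 'read' is
            # off, but the other two rights cannot be listed this way.
            return {r: "denied" if r == "read" else "unverified"
                    for r in HARDENED_RIGHTS}
        raise ValueError(f"unexpected API error: {error.get('code')}")
    info = response["query"]["userinfo"]
    if "anon" not in info:
        # A logged-in session reports that user's rights, not those of '*'.
        raise ValueError("response is not from an anonymous session")
    granted = set(info.get("rights", []))
    return {r: "granted" if r in granted else "denied"
            for r in HARDENED_RIGHTS}

# Constructed sample responses (not captured from this wiki).
SAMPLE_DEFAULT = {"query": {"userinfo": {
    "id": 0, "name": "192.0.2.10", "anon": "",
    "rights": ["createaccount", "read", "edit", "createpage"]}}}
SAMPLE_LOCKED = {"query": {"userinfo": {
    "id": 0, "name": "192.0.2.10", "anon": "", "rights": ["read"]}}}
SAMPLE_PRIVATE = {"error": {"code": "readapidenied",
                            "info": "You need read permission to use this module."}}

if __name__ == "__main__":
    for label, sample in (("default install", SAMPLE_DEFAULT),
                          ("sections 1-2 applied", SAMPLE_LOCKED),
                          ("sections 1-3 applied", SAMPLE_PRIVATE)):
        print(label, audit_anonymous_rights(sample))
```

Against the live wiki, pass the result of fetch_anonymous_userinfo() with the site's api.php URL to audit_anonymous_rights(); an "unverified" result on a private wiki still needs the manual check from note 3.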