Topic on Project:Support desk

How can I secure registration against spambots?

Monocero (talkcontribs)

Hi,

Over 1,400 spam accounts have been registered on my wiki. How can I secure registration against spambots? Wikipedia has a CAPTCHA set up for security; how can I set it up on my wiki?

IcarusATB (talkcontribs)

I tend to use a simple anti-spam extension, like Extension:ConfirmEdit, which includes QuestyCaptcha, where users have to answer a question of your devising, or MathCaptcha, where they answer a simple math problem in order to log in or edit a page, including creating an account page.

It's not perfect, so, maybe once every other week or so, I have to delete a spam account, but, still.

YMMV.

Monocero (talkcontribs)

Thank you for the information. I used QuestyCaptcha; if that doesn't work I will use ReCaptcha (NoCaptcha). I would like to set in registration the requirement to provide an email address and also confirmation of the account by clicking the link. Is it possible?

And what is the solution that Wikipedia has against spambots?

https://i.imgur.com/Rg8qpWy.png

Bawolff (talkcontribs)

Wikipedia uses FancyCaptcha [part of ConfirmEdit] (along with a lot of human labour and large IP-based blocklists).

Honestly, for a small site, QuestyCaptcha or reCAPTCHA tends to be more effective than FancyCaptcha.

Monocero (talkcontribs)

I understand. All right. I would like to set in registration the requirement to provide an email address and also confirmation of the account by clicking the link. Is it possible? Can anyone help me?

@AhmadF.Cheema

Monocero (talkcontribs)

How can I massively remove multiple spam articles in a random page? Please help me.

AhmadF.Cheema (talkcontribs)
Monocero (talkcontribs)

In the LocalSettings.php file I have the "true" command set on this line:


$wgEmailAuthentication = true;


And despite this, anyone can sign up an account without providing an email address. How is it possible?


Do I still need to add this command?


$wgEmailConfirmToEdit = true;


https://www.mediawiki.org/wiki/Manual:$wgEmailConfirmToEdit


Thank you for the link to the Nuke extension.

AhmadF.Cheema (talkcontribs)
Monocero (talkcontribs)

Thanks for the clarification. You are right.


This setting now requires everyone to enter an email address during registration; confirming the registration by clicking on the link in the email makes the account fully active. I have a question:


# The following permissions were set based on your choice in the installer

$wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['*']['edit'] = false;


The first command is responsible for enabling / disabling registration, right?

What is the second command responsible for? I have no idea.

AhmadF.Cheema (talkcontribs)

* indicates the anonymous user-group, i.e. users who haven't registered.

The first line means anonymous users can create accounts.

The second line says that anonymous users cannot edit.

See Manual:$wgGroupPermissions for details.

Monocero (talkcontribs)

I understand. I would like to ask about this text:


"Only users with accounts four days old or older can create pages"


# Anonymous users can't create pages

$wgGroupPermissions['*']['createpage'] = false;


# Only users with accounts four days old or older can create pages

# Requires MW 1.6 or higher.

$wgGroupPermissions['*'            ]['createpage'] = false;

$wgGroupPermissions['user'         ]['createpage'] = false;

$wgGroupPermissions['autoconfirmed']['createpage'] = true;


I created a test account and after verifying my email address I can create a page. 4 days have not passed. So what's going on here?


Restrict creating of all pages:


Manual:Preventing access


And I still have a question about this command:


$wgEmailConfirmToEdit = true;


This command requires users to confirm their email address before they can edit.


Manual:$wgEmailConfirmToEdit


"before they can edit" - so why does this command implement option to require an email address during registration? I do not understand this. ;/

AhmadF.Cheema (talkcontribs)

To properly set up the autoconfirmed user-group, you'll need to first change the default values for $wgAutoConfirmAge and $wgAutoConfirmCount. By default these settings' values are such that all registered accounts pass.

Regarding $wgEmailConfirmToEdit, as the page mentions, the requirement "to supply an email address when registering" was included in MediaWiki v1.12. Probably for legacy purposes, the devs chose to just keep the old name, even though it wouldn't have been entirely accurate anymore.

Monocero (talkcontribs)

I don't know if you understood me correctly, but I meant that "Only users with accounts four days old or older can create pages" does not work as it should. I created a test account and after verifying my email address I can create a page. 4 days have not passed. So how do I understand that?


"Only users with accounts four days old or older can create pages"


https://i.imgur.com/2XOEI2v.png


Do you understand what I mean? Maybe this sentence is misspelled?


"Regarding $wgEmailConfirmToEdit, as the page mentions, the requirement "to supply an email address when registering" was included in MediaWiki v1.12. Probably for legacy purposes, the devs chose to just keep the old name, even though it wouldn't have been entirely accurate anymore".


My wiki has version 1.32.0, so from version 1.12 there is a requirement to provide an email address during registration, right? So why is this requirement not there in version 1.32? Because I had to enter this requirement by code in the file:


$wgEmailConfirmToEdit = true;

AhmadF.Cheema (talkcontribs)

I understood you correctly, but apparently I was unable to explain myself correctly.

The comment "[o]nly users with accounts four days old or older can create pages" is incorrect under the default setup. The admin has to change the default value of $wgAutoConfirmAge for the "four days" figure to work, i.e. $wgAutoConfirmAge = 60*60*24*4; (that calculates to 4 days).

By default $wgAutoConfirmAge is set to 0, therefore, your test account was able to create pages immediately.


Regarding $wgEmailConfirmToEdit, the "requirement" exists after $wgEmailConfirmToEdit has been set to true.
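
Added example (not part of the thread, and not MediaWiki's own sample configuration): a LocalSettings.php fragment that puts the settings discussed above together, with the default autoconfirm thresholds shown beside the corrected ones. The CAPTCHA questions and the `$wgAutoConfirmCount` value are constructed assumptions, and the extension-loading line is the form used by releases of the thread's era (1.32).

```php
<?php
# LocalSettings.php fragment (added illustration; sample values are constructed)

# CAPTCHA on account creation: ConfirmEdit with its QuestyCaptcha module.
wfLoadExtensions( [ 'ConfirmEdit', 'ConfirmEdit/QuestyCaptcha' ] );
$wgCaptchaQuestions = [
    # Constructed samples: write questions specific to your own wiki's topic,
    # since generic ones are the first that spambots learn to answer.
    'What is the name of this wiki?' => 'examplewiki',
    'Type the word "orange" backwards.' => 'egnaro',
];
# Set explicitly so the intent is visible in the file.
$wgCaptchaTriggers['createaccount'] = true;

# Email: confirmation mails are sent, but on its own this setting does not
# make an address mandatory at sign-up (the behaviour observed in the thread).
$wgEmailAuthentication = true;
# Address required at registration and confirmed before the account can edit.
$wgEmailConfirmToEdit = true;

# Permissions: '*' is everyone including anonymous visitors, 'user' is any
# logged-in account, 'autoconfirmed' is granted automatically once the
# thresholds below are met.
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['autoconfirmed']['createpage'] = true;

# Weak (default): both thresholds are 0, so every new account is
# autoconfirmed immediately and the 'createpage' restriction has no effect.
# $wgAutoConfirmAge = 0;
# $wgAutoConfirmCount = 0;

# Corrected: account must be four days old (value is in seconds) ...
$wgAutoConfirmAge = 60 * 60 * 24 * 4;
# ... and have made some edits first (5 is an assumed value, pick your own).
$wgAutoConfirmCount = 5;
```

With these values, a freshly registered and email-confirmed test account should be able to edit existing pages but not create new ones until both thresholds are met.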

Monocero (talkcontribs)

Now I understand it more. Thanks for the clarification. I think there is chaos in the guide with all these tips.


Why is this comment added to this function, since this function does not introduce what is written? This comment is incorrect here. https://i.imgur.com/2XOEI2v.png


One function is on another page, the other the required function is on another page, this guide is chaotic, this guide should be rebuilt to make it easier to use and in order that common functions should be described on one page.


"MediaWiki 1.12, requires people to supply an email address when registering"


I understand that MediaWiki 1.12 includes a feature that requires an email address during registration. According to this comment: Manual:$wgEmailConfirmToEdit this is true. So why do I need to use this command in the LocalSettings.php file for this feature to be available on my wiki? After all, according to the description, this function is available from version 1.12. My wiki has version 1.32. Am I wrong? Maybe the comment in this guide is incorrect?

AhmadF.Cheema (talkcontribs)

Guides for a lot of things are often written by experienced users. From their point-of-view, a number of concepts are well-known, therefore, they naturally end up being unconcerned about explaining those. This in turn causes much frustration for new users.

The problematic "four days old" comment falls in this category, as, aside from it being the default at Wikipedia, it was apparently assumed by the author that almost everyone already knew about $wgAutoConfirmAge.

If you spend a month or two on MediaWiki, you're also likely to end up being one of those experienced users who would naturally think that some concepts are so well-understood that they don't need to be elaborated-on again.

As Wikimedia Foundation wikis are run mostly by volunteers, if you find some parts of the MediaWiki guide confusing, it will be great if you can help out and modify those.


Regarding $wgEmailConfirmToEdit, you'll have to see the sentence in context:

Require users to confirm their email address before they can edit, true to enable. Also, as of MediaWiki 1.12, requires people to supply an email address when registering.

Another way to phrase it would've been:

$wgEmailConfirmToEdit requires users to confirm their email address before they can edit, true to enable. Also, as of MediaWiki 1.12, $wgEmailConfirmToEdit requires people to supply an email address when registering.

Apparently, the author found the more descriptive phrasing redundant.

Monocero (talkcontribs)

I understand this, but in my opinion this guide is not friendly for new users.

Monocero (talkcontribs)

In the database in the "content" table, 1867 rows are created and all these rows are encrypted. What do I do with it? Should I leave it or delete it? The only question is whether something will break in the database if I delete these rows? I removed over a few hundred spambots and hundreds of spam articles they founded. Is the content of the spammers in these rows here?


Content table:


Link


And what is the l10n_cache table? 21954 rows are created in this table. Should I leave it?

Bawolff (talkcontribs)

You should not manually alter the database by hand. You can very easily cause referential integrity issues. If you need to adjust stuff, try and use the scripts in the maintenance subdirectory.

The lines in content table aren't encrypted, they are just SHA1 hashes of content.

l10n_cache table is related to localization caching.

Anyways, don't touch the DB by hand, you will likely break your wiki.

Monocero (talkcontribs)

So all these lines in the content table are normal and must stay there. I just thought these lines contain hidden spam from spambots, but I removed all spam content with mass removal using the Nuke tool, so there's no more spam on my wiki. Thank you for the clarification.