How can I use ".htaccess" to make PmWiki more secure?
The Apache server (and other compatible web servers) can make use of per-directory ".htaccess" files to control access.
For PmWiki, there is a small but finite danger that scripts (configuration files) in the "local/" or "cookbook/" directories could be used to compromise your server. Most configuration files simply set values for variables and may include a few other scripts. But if a configuration file manipulates files or makes calls to the operating system (or includes another script that does).
Any risk from the configuration files can be virtually eliminated by making sure the beginning of the file reads...
<?php if (!defined('PmWiki')) exit();
As an extra precaution, you may wish to include an ".htaccess" file in "local/" and "cookbook/". The file should read:
--- more text here ---
In the Apache 2 ".htaccess" tutorial (http://httpd.apache.org/docs-2.0/howto/htaccess.html) they suggest that to improve performance, all the configuration done using per-directory .htaccess files should be moved into the main httpd.conf file. However, if you do not have access to httpd.conf, the only choice you have is to use .htaccess. There is also some debate as to how much of a performance hit .htaccess processing creates.
.htaccess is dependant on correct setting of AllowOverride
Be very cautious with the use of .htaccess to implement your wiki security!
If you use .htaccess rules to protect against unaithorized access of sensitive files in you wiki, make very sure the configuration of your Apache web server has allowed the use of .htaccess . In particular, make sure the web server configuration has the
When this directive is set to None, then .htaccess files are completely ignored. Probably some directories that shouldn't be accessible are publicly accessible by anonymous (not-logged-in) users!
There are some Linux distro's , for example Ubuntu, where the out-of-the-box configuration of Apache2 has set
<directory /home/paul/wiki/> AllowOverride Alle .. </directory>
or at least like this:
<directory /home/paul/wiki/> AllowOverride FileInfo Limit .. </directory>