Skip to content

Preventing MediaWiki from revealing your server versions

MediaWiki features a special page, Special:Version, which displays MediaWiki’s license, but also a list of the currently installed extensions (with their version), as well as the versions of MediaWiki, PHP and MySQL. For security reasons, you may want to avoid displaying all these versions. As far as I know, no setting can disable the display of versions. But you can directly edit MediaWiki’s source to do so, which is quite straightforward:

1. Open “includes/specials/SpecialVersion.php” with a text editor

2. Find the lines:
$this->softwareInformation() .

3. Comment out the lines you want to hide (the first one is for MediaWiki, PHP and MySQL; the second one for the extensions), for instance if I want to only hide MediaWiki, PHP and MySQL versions, the new code is:
//$this->softwareInformation() .

4. Upload the new file to your server.

That’s it. Don’t forget to reapply this “patch” every time you upgrade MediaWiki though!

Posted in MediaWiki, web development.

5 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Alex Zorach says

    There’s another way to do this, and it actually disables the display of all versioning information. You can also open /includes/SpecialPageFactory.php and comment out the line:

    ‘Version’ => ‘SpecialVersion’,

    This removes the version page entirely. I recommend this as best practices for security. There is no need to reveal the version information to the general public.

    • Alex Zorach says

      Oh, also, keep in mind MediaWiki also outputs its own version in the HTML header, using the META generator tag. It doesn’t reveal any additional info there though.

      • patheticcockroach says

        Ow… Why, why, why do they do this ? 🙁
        Nice find, I understand that they may want to advertise the fact that the site is running MediaWiki, but the version number seems a bit unnecessary… Just noticed that WordPress does the same, although that’s probably less of an issue since the upgrade is so much easier.

  2. Greg Sabino Mullane says

    New relevant extension:

Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA