Preventing spam on MediaWiki

From ULYSSIS documentation

Because MediaWiki allows for unrestricted page editing by anonymous users and unrestricted account creation, MediaWiki websites often suffer from automated spam problems. There are 2 main ways to prevent spam on MediaWiki: using a captcha to block automated edits, or restricting account creation to trusted users.

Using captcha

About ReCaptcha

Google introduced a new generation of ReCaptcha, called NoCaptcha in 2014. Using the MediaWiki extension ConfirmEdit, NoCaptcha can be used to prevent spam on wikis. ConfirmEdit is bundled with MediaWiki by default, but to enable NoCaptcha, you will have to get an API key from Google.


The NoCaptcha ConfirmEdit extension requires MediaWiki 1.26 or higher.

First, you have to get an API key from Google. Go to Google's ReCaptcha administrator page and register your website. You will need to select reCAPTCHA v2, and "I'm not a robot" Checkbox. After registering your website, you will be presented with a public site key and a private secret key.

Now you have to install and configure the ConfirmEdit extension. Locate the LocalSettings.php file in your MediaWiki installation folder and add the following lines to it:

wfLoadExtensions([ 'ConfirmEdit', 'ConfirmEdit/ReCaptchaNoCaptcha' ]);
$wgCaptchaClass = 'ReCaptchaNoCaptcha';
$wgReCaptchaSiteKey = 'your public/site key here';
$wgReCaptchaSecretKey = 'your private/secret key here';
$wgCaptchaTriggers['edit'] = true; // Trigger captcha for page edits.
$wgCaptchaTriggers['create'] = true; // Trigger captcha for page creation.
$wgCaptchaTriggers['addurl'] = true; // Trigger captcha for page edits containing URLs.
$wgCaptchaTriggers['createaccount'] = true; // Trigger captcha for account creation.
$wgCaptchaTriggers['badlogin'] = true; // Trigger captcha for login hacking attempts.

More information about the configuration options for advanced usage can be found here:

Restricting account creation

Because MediaWiki allows unregistered (anonymous) users to edit pages, this technique obviously relies on restricting page edits to logged-in users. To enable this, locate the LocalSettings.php file in your MediaWiki installation folder and add the following lines to it:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['writeapi'] = false;

Now only registered users can edit or create pages. However, the problem is not solved, as bots can automatically create an account to perform the spamming. There are 3 options to prevent this.

Centrale KU Leuven Login

Wikis connected to the KU Leuven Association can install an extension to use the Centrale KU Leuven Login. For more information about this option, there is the documentation page Securing MediaWiki using Centrale KU Leuven Login.

Sysop account creation

Account creation can be restricted to only website administrators ('sysop'). Add the following line to LocalSettings.php:

$wgGroupPermissions['*']['createaccount'] = false;

Account creation queue

Using the extension ConfirmAccount, account creation has to be manually confirmed by website administrators. Users are still able to create an account, but the account has to be confirmed before the user can log in. For more information, installation instructions and configuration, refer to the link above.