Open simnalamburt opened 5 years ago
Directories that MediaWiki needs write access to (such as $wgCacheDirectory if that feature is enabled) should be located outside of the web root. The exception being the images directory, which must be in the web root. However, it is important to disable php in the images directory. The details on how to do this varies with webserver, but on apache it can sometimes be accomplished by using
php_flag engine off
in a .htaccess file. If you do accomplish this via a config file in the images directory itself, you should ensure the config file is not writable by the webserver. See the section below on upload security for more details.

Your LocalSettings.php file must be readable by the php user, however it should not be world readable, to prevent other processes from discovering your database password and other sensitive information. Like all MediaWiki files, the php user should not be able to write to LocalSettings.php.
from https://www.mediawiki.org/wiki/Manual:Security#File_permissions
On a multiuser system with PHP installed as an Apache module, all users' scripts will run under the same reduced-privilege user account. This may give other users access to read your configuration files (including database passwords), read and modify your login session data, or write files into your upload directory (if enabled).
For multiuser security, consider using a CGI/FastCGI configuration in which each user's scripts run under their own account.
from https://www.mediawiki.org/wiki/Manual:Security#General_PHP_recommendations
If you have your own server running Apache and are running PHP as CGI, you can install CGIWrap. This tool enables you to run the Apache server as a different user for CGIs. ...
from https://www.mediawiki.org/wiki/Apache_configuration#PHP_as_CGI
With the current Femiwiki web server configuration, files such as 'LocalSettings.php' and 'thumb.php' all get executed, whereas on other Wikipedias this is blocked. Investigate what the safe approach is.
TODOs
Block access to maintenance
Reference
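
A permission audit for the file-level requirements quoted from Manual:Security above, as an added example that is not part of the original issue or of MediaWiki. The function names, the wiki root argument and the web-server user argument are assumptions; the check looks at mode bits and ownership only and does not resolve group membership.

```shell
#!/usr/bin/env bash
# Added example: audit_wiki and its arguments are hypothetical, not MediaWiki tooling.
# Usage: audit_wiki /path/to/wiki www-data

# Succeeds if FILE has every permission bit in MODE set (POSIX find -perm).
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# Succeeds if USER can write FILE as its owner or through the "other" bits.
# Group membership is not resolved here.
writable_by() {
    has_perm "$1" 002 && return 0
    [ -n "$(find "$1" -prune -user "$2" -perm -200 2>/dev/null)" ]
}

# Prints one FAIL line per finding; returns 0 only when there are none.
audit_wiki() {
    local root="$1" webuser="$2" findings=0
    local settings="$root/LocalSettings.php" ht="$root/images/.htaccess"
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    # LocalSettings.php: readable by the php user only, writable by neither
    # the php user nor the world.
    if [ -f "$settings" ]; then
        has_perm "$settings" 004 && fail "LocalSettings.php is world-readable"
        writable_by "$settings" "$webuser" && fail "LocalSettings.php is writable by $webuser"
    else
        fail "LocalSettings.php not found under $root"
    fi

    # images/.htaccess: must switch the PHP engine off and must not be
    # replaceable by the web server itself.
    if [ -f "$ht" ]; then
        grep -Eiq '^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off' "$ht" \
            || fail "images/.htaccess does not contain 'php_flag engine off'"
        writable_by "$ht" "$webuser" && fail "images/.htaccess is writable by $webuser"
    else
        fail "images/.htaccess missing: PHP is not disabled for uploads by this method"
    fi

    [ "$findings" -eq 0 ]
}
```

A clean result only covers the .htaccess method on Apache; a server that disables PHP for uploads in its main configuration will be reported as missing the file.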