How to Secure Your MediaWiki Installation with Let’s Encrypt HTTPS
Why HTTPS Matters for MediaWiki
MediaWiki, the engine behind Wikipedia, handles user credentials, session cookies and often private content. Served over plain HTTP, all of that travels in clear text, so anyone on the network path can read passwords, replay session cookies or inject content into pages. HTTPS encrypts the traffic and lets the browser verify the server’s identity, which defeats passive sniffing and the ordinary man‑in‑the‑middle (MITM) attacks. It does nothing against bugs in the wiki itself, so the steps below are a baseline, not a substitute for keeping MediaWiki patched.
Overview of the Hardening Steps
- Obtain a free TLS certificate from Let’s Encrypt using certbot.
- Configure your web server (Apache or Nginx) to serve the wiki over HTTPS and to redirect all HTTP requests to HTTPS.
- Tell MediaWiki to enforce HTTPS, set secure cookies and adjust internal URLs.
- Enable additional hardening – HSTS, OCSP stapling and regular certificate renewal.
1. Getting a Let’s Encrypt Certificate
On a Debian/Ubuntu host the easiest way is to install the certbot package that matches your web server:
sudo apt update
sudo apt install certbot python3-certbot-nginx # for Nginx
# or
sudo apt install certbot python3-certbot-apache # for Apache
Run the interactive installer, substituting your domain name (e.g. wiki.example.com) and a valid e‑mail address:
sudo certbot --nginx -d wiki.example.com
# or
sudo certbot --apache -d wiki.example.com
certbot obtains the certificate (the HTTP‑01 challenge means DNS for wiki.example.com must already point at this host and port 80 must be reachable from the internet), writes the TLS directives into the matching virtual‑host file and asks whether to redirect HTTP traffic to HTTPS – answer Yes. Keep port 80 open afterwards: renewals use the same challenge. The certificate and key are stored in /etc/letsencrypt/live/wiki.example.com/ as fullchain.pem and privkey.pem (chain.pem, the issuer chain on its own, sits next to them). privkey.pem is readable only by root; do not loosen that to make a web‑server user happy, the server reads it as root before dropping privileges.
2. Web‑Server Configuration
Apache Example
# /etc/apache2/sites-available/wiki.conf
# The stapling cache is only valid outside <VirtualHost>; without it SSLUseStapling fails
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)

<VirtualHost *:443>
    ServerName wiki.example.com
    DocumentRoot /var/www/mediawiki
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/wiki.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wiki.example.com/privkey.pem
    # Optional – OCSP stapling. Only useful while the certificate carries an OCSP URL;
    # Let's Encrypt is dropping OCSP in favour of CRLs, so check yours with
    #   openssl x509 -in fullchain.pem -noout -ocsp_uri
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    # TLS 1.2 and 1.3 only
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on
    # Security headers ("always" also sends them on error responses).
    # Add "preload" only once every subdomain is served over HTTPS: it is meant for the
    # browser preload lists and cannot be undone quickly.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    # Legacy header: modern browsers ignore it and the current recommendation is 0 (or omit it)
    Header always set X-XSS-Protection "0"
</VirtualHost>

# Redirect all HTTP traffic to HTTPS
<VirtualHost *:80>
    ServerName wiki.example.com
    Redirect permanent / https://wiki.example.com/
</VirtualHost>
Enable the site and reload Apache:
sudo a2enmod ssl headers
sudo a2ensite wiki.conf
sudo systemctl reload apache2
Nginx Example
# /etc/nginx/sites-available/wiki.conf
server {
    listen 80;
    server_name wiki.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;   # nginx >= 1.25.1 prefers "listen 443 ssl;" plus "http2 on;"
    server_name wiki.example.com;
    root /var/www/mediawiki;
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/wiki.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wiki.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;

    # Optional – OCSP stapling. Verification needs the issuer chain and a resolver for
    # the responder hostname, and it only works while the certificate carries an OCSP
    # URL (Let's Encrypt is dropping OCSP in favour of CRLs).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/wiki.example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;   # adjust to your DNS resolver

    # "always" also sends the headers on error responses. Beware: a location block
    # that sets its own add_header does NOT inherit these; repeat them there.
    # Add "preload" only once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-XSS-Protection "0" always;   # legacy header; 0 is the current recommendation

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Never execute PHP from the upload directory
    location ~ ^/images/.*\.php$ {
        deny all;
    }

    location ~ \.php$ {
        try_files $uri =404;   # refuse /file.jpg/x.php path-info tricks
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # adjust PHP version
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Enable the configuration and reload Nginx:
sudo ln -s /etc/nginx/sites-available/wiki.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
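Once both virtual hosts are live it is worth checking from the outside that the redirect, the HSTS and other headers and the protocol restrictions actually took effect, rather than trusting the config files. The script below is an added example written for this article; it is not part of MediaWiki, certbot or either web server. It assumes curl and openssl are on the PATH and that wiki.example.com stands in for your real hostname. The parsing helpers work on captured header text (so they can be exercised offline on constructed input); check_site runs them against a live host and also lists any http:// assets on the main page, the mixed‑content warning the pitfalls section below describes.

```shell
#!/usr/bin/env bash
# https_check.sh - post-deployment checks for a MediaWiki host served over HTTPS.
# Added example for this article; not part of MediaWiki, certbot or the server configs.
# Assumes curl and openssl are installed; the host name is a placeholder.

# Print one response header's value (case-insensitive) from raw headers on stdin.
header_value() {
  awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    BEGIN { FS = ": *" }
    { sub(/\r$/, "") }
    tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }
  '
}

# max-age from an HSTS value such as "max-age=31536000; includeSubDomains"; 0 if absent.
hsts_max_age() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | grep . || echo 0
}

# Strong enough for hstspreload.org: at least one year, includeSubDomains and preload.
hsts_preload_ready() {
  local v age
  v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  age=$(hsts_max_age "$v")
  [ "$age" -ge 31536000 ] || return 1
  case "$v" in *includesubdomains*) ;; *) return 1 ;; esac
  case "$v" in *preload*) return 0 ;; *) return 1 ;; esac
}

# Raw headers of a plain-HTTP response ($1) must be a permanent redirect to https://$2/...
check_http_redirect() {
  local status loc
  status=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{ print $2 }')
  loc=$(printf '%s\n' "$1" | header_value Location)
  case "$status" in
    301|308) ;;
    *) echo "expected 301/308, got '${status:-none}'"; return 1 ;;
  esac
  case "$loc" in
    "https://$2/"*) echo ok ;;
    *) echo "redirects to '${loc:-nowhere}', not https://$2/"; return 1 ;;
  esac
}

# Absolute http:// URLs a page loads (scripts, images, stylesheets) = mixed content.
# Plain <a href> links are navigations, not mixed content, so they are ignored.
mixed_content_urls() {
  grep -oiE '(src|<link[^>]*href)="http://[^"]*"' | sed -E 's/.*"(http:[^"]*)"$/\1/' | sort -u
}

# Live checks against a deployed host (needs network; not exercised offline).
check_site() {
  local host=$1 http_hdrs https_hdrs hsts h proto
  http_hdrs=$(curl -sSI --max-time 10 "http://$host/")
  echo "HTTP redirect: $(check_http_redirect "$http_hdrs" "$host")"
  https_hdrs=$(curl -sSI --max-time 10 "https://$host/")
  hsts=$(printf '%s\n' "$https_hdrs" | header_value Strict-Transport-Security)
  if hsts_preload_ready "$hsts"; then echo "HSTS ok: $hsts"; else echo "HSTS weak or missing: '$hsts'"; fi
  for h in X-Content-Type-Options X-Frame-Options; do
    if printf '%s\n' "$https_hdrs" | header_value "$h" | grep -q .; then echo "$h present"; else echo "$h MISSING"; fi
  done
  # Legacy protocols must be refused. A refusal only proves something if the local
  # OpenSSL still speaks the protocol (check "openssl s_client -help").
  for proto in tls1 tls1_1; do
    if openssl s_client -connect "$host:443" -servername "$host" "-$proto" </dev/null >/dev/null 2>&1
    then echo "$proto ACCEPTED (disable it)"; else echo "$proto refused"; fi
  done
  # Expiry of the certificate actually served; renewal should keep this 30+ days away.
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
  echo "http:// assets on the main page (should be empty):"
  curl -sS --max-time 10 "https://$host/" | mixed_content_urls
}

if [ -n "${1:-}" ]; then
  check_site "$1"
fi
```

Run it as ./https_check.sh wiki.example.com after every config change and after each renewal; a renewed certificate that the server never reloaded shows up in the enddate line.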
3. MediaWiki Configuration
All MediaWiki‑specific HTTPS settings live in LocalSettings.php. Add the following lines (or adjust existing ones):
// Redirect every plain-HTTP request to HTTPS (MediaWiki 1.35+)
$wgForceHTTPS = true;

// Canonical server URL – must use the https scheme. MediaWiki builds every absolute
// URL it generates (links in e-mails, feeds, API responses) from these two values.
$wgServer = "https://wiki.example.com";
$wgCanonicalServer = "https://wiki.example.com";

// Mark session cookies Secure so the browser never sends them over plain HTTP.
// (The default 'detect' already does this when $wgServer is https; being explicit
// guards against a later $wgServer change.)
$wgCookieSecure = true;

// Only when TLS is terminated at a reverse proxy or CDN in front of PHP: list the
// proxy IPs so X-Forwarded-For is trusted for the client address (and purges are sent
// to the proxy if it caches). MediaWiki decides a request was HTTPS from
// $_SERVER['HTTPS'] or an "X-Forwarded-Proto: https" header, so the proxy must send
// that header or $wgForceHTTPS will redirect in a loop.
$wgUseCdn = true;                   // only if the proxy caches pages
$wgCdnServers = [ "127.0.0.1" ];    // your proxy IP(s); use $wgCdnServersNoPurge for a non-caching proxy

// HSTS is sent by the web server (the Header / add_header lines above); MediaWiki
// does not need to add it a second time.

// $wgSecureLogin only matters if you cannot force HTTPS site-wide; with
// $wgForceHTTPS = true it is redundant but harmless.
$wgSecureLogin = true;
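A quick way to catch the settings that most often slip (an http:// $wgServer left over from the installer, $wgForceHTTPS missing, $wgCookieSecure forced to false) is to lint LocalSettings.php before reloading anything. The script below is an added example for this article, not a MediaWiki maintenance script; it assumes the usual one‑assignment‑per‑line layout and only looks at the HTTPS‑related settings above, so it is a sanity check rather than a parser for arbitrary PHP. The sample LocalSettings.php contents it is exercised with are constructed for the example.

```shell
#!/usr/bin/env bash
# localsettings_lint.sh - flag HTTPS misconfigurations in a MediaWiki LocalSettings.php.
# Added example for this article, not a MediaWiki tool. Assumes the usual
# "$wgName = value;" one-assignment-per-line layout; lines commented out with # or //
# are skipped.

# Print the last effective value of $wg<name> in the file (empty if never assigned).
# The last assignment wins, as it does in PHP. Surrounding quotes are stripped.
setting_value() {
  awk -v key="\$wg$2" '
    /^[ \t]*(#|\/\/)/ { next }                 # commented-out line
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (index(line, key) != 1) next          # does not start with $wgName
      rest = substr(line, length(key) + 1)
      if (rest !~ /^[ \t]*=/) next             # longer name, e.g. $wgServerName vs $wgServer
      sub(/^[ \t]*=[ \t]*/, "", rest)
      sub(/[ \t]*;.*$/, "", rest)              # drop ";" and any trailing comment
      gsub(/^["'\'']|["'\'']$/, "", rest)
      value = rest
    }
    END { print value }
  ' "$1"
}

# Run the checks: one line per finding on stdout, return value = number of findings.
lint_localsettings() {
  local f=$1 n=0 server canonical force secure
  server=$(setting_value "$f" Server)
  canonical=$(setting_value "$f" CanonicalServer)
  force=$(setting_value "$f" ForceHTTPS)
  secure=$(setting_value "$f" CookieSecure)

  case "$server" in
    https://*) ;;
    //*)   # protocol-relative is allowed, but then the canonical URL must be explicit
           [ -n "$canonical" ] || { echo "wgServer is protocol-relative; set wgCanonicalServer to the https:// URL"; n=$((n+1)); } ;;
    "")    echo "wgServer is not set"; n=$((n+1)) ;;
    *)     echo "wgServer is '$server'; it must start with https://"; n=$((n+1)) ;;
  esac
  case "$canonical" in
    ""|https://*) ;;
    *) echo "wgCanonicalServer is '$canonical'; it must start with https://"; n=$((n+1)) ;;
  esac
  [ "$force" = true ] || { echo "wgForceHTTPS is '${force:-unset}'; set it to true (MediaWiki 1.35+)"; n=$((n+1)); }
  [ "$secure" != false ] || { echo "wgCookieSecure is false; session cookies would also travel over plain HTTP"; n=$((n+1)); }
  return "$n"
}

if [ -n "${1:-}" ]; then
  lint_localsettings "$1" && echo "no HTTPS findings in $1"
fi
```

Run it as ./localsettings_lint.sh /var/www/mediawiki/LocalSettings.php; the exit status is the number of findings, so it can gate a deployment script.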
LocalSettings.php is read on every request, so no restart is needed, and MediaWiki bumps its cache epoch ($wgCacheEpoch) automatically when the file’s modification time changes ($wgInvalidateCacheOnLocalSettingsChange, enabled by default). The one thing that can keep serving the old settings is PHP’s opcache with timestamp validation turned off; reload PHP‑FPM in that case:
sudo systemctl reload php8.2-fpm   # adjust PHP version

4. Additional Hardening
- HSTS preload: once you are confident the site (every subdomain included) works over HTTPS only, submit the domain to hstspreload.org so browsers enforce HTTPS even before the first request. Removal from the preload list takes months, so do this last.
- OCSP stapling is already enabled in the server blocks above; the server hands the client a fresh revocation response instead of the client contacting the CA, which removes a round trip and a privacy leak. It only works while the certificate carries an OCSP responder URL; Let’s Encrypt has announced it is dropping OCSP in favour of CRLs, so check with openssl x509 -in fullchain.pem -noout -ocsp_uri and do not count on stapling being active.
- Security testing: scan the wiki with Qualys SSL Labs and aim for an “A+” rating – disable weak ciphers, enable TLS 1.3, and keep the certificate chain up to date.
- Automatic renewal: the Debian/Ubuntu certbot package installs a systemd timer (certbot.timer) that runs twice daily and renews any certificate with fewer than 30 days left. Verify it is active:
sudo systemctl list-timers | grep certbot
You can also test a dry run (it performs a real challenge against the staging CA, so port 80 must still be reachable):
sudo certbot renew --dry-run

5. Common Pitfalls
| Issue | Cause | Fix |
|---|---|---|
| Login form posts to http | $wgServer (or $wgCanonicalServer) still uses http, or $wgForceHTTPS is not set | Set both to https:// URLs and enable $wgForceHTTPS. |
| Mixed‑content warnings in the browser | Assets referenced with absolute http:// URLs: $wgServer, $wgLogos/$wgLogo, templates or custom skin code | Use https:// or protocol‑relative (//) URLs; $wgResourceBasePath should stay a plain path such as /w. |
| Redirect loop | TLS is terminated at a reverse proxy that does not tell MediaWiki the request was HTTPS, so $wgForceHTTPS keeps redirecting (the web server alone cannot cause this: it only sees port 80) | Have the proxy send X-Forwarded-Proto: https and list its IP in $wgCdnServers; keep the web‑server redirect. |
| Certificate not renewed | certbot.timer disabled, or port 80 no longer reachable so the HTTP‑01 challenge fails | systemctl enable --now certbot.timer, run certbot renew --dry-run and read /var/log/letsencrypt/letsencrypt.log. |
6. Summary Checklist
- Install certbot and obtain a Let’s Encrypt certificate.
- Configure Apache/Nginx to use the certificate and redirect port 80 → 443.
- Add MediaWiki settings: $wgForceHTTPS, $wgServer, $wgCanonicalServer, $wgCookieSecure.
- Enable HSTS, OCSP stapling, and strong TLS ciphers.
- Verify with SSL Labs and test login, edit and file‑upload flows.
- Confirm automatic renewal works and schedule a periodic check.
With these steps your MediaWiki installation is protected against eavesdropping, session hijacking and content injection on the network path, using a free, automatically renewed Let’s Encrypt certificate. TLS does not address vulnerabilities in the wiki software itself, so keep MediaWiki and its extensions updated as well.