Why ConfirmEdit is a Must‑Have Extension on Every Wiki

Running a public MediaWiki installation means you constantly battle automated spam, credential‑stuffing attacks and low‑quality edits. While MediaWiki ships with basic anti‑spam filters, they are not enough to stop bots that can programmatically submit forms. The ConfirmEdit extension adds a flexible CAPTCHA layer that can be applied to any user action – from page edits to account creation – and it integrates cleanly with MediaWiki’s permission system.

Key Reasons to Install ConfirmEdit

  1. Spam mitigation at the source: By presenting a challenge before a write operation, you force bots to solve a puzzle they cannot reliably automate.
  2. Granular trigger control: You can enable CAPTCHAs for specific actions (edit, createaccount, addurl, etc.) and even limit them to particular namespaces.
  3. Per‑group exemptions: Trusted users (autoconfirmed, bots, sysops) can be granted the skipcaptcha right, keeping the workflow smooth for legitimate editors.
  4. Multiple CAPTCHA back‑ends: Choose from lightweight math challenges, text‑based question‑answer (QuestyCaptcha), or industry‑standard services like reCAPTCHA, hCaptcha or Cloudflare Turnstile.
  5. Low maintenance: The extension is bundled with MediaWiki 1.18+, so no extra download is required – only a few lines in LocalSettings.php.

Choosing the Right CAPTCHA Module

Each module has a different security‑vs‑usability profile:

| Module | Strength | Accessibility | Typical use‑case |
|---|---|---|---|
| QuestyCaptcha | Very high (questions can be custom‑crafted) | Excellent – plain text, screen‑reader friendly | Wikis with knowledgeable community; can rotate questions regularly. |
| ReCaptchaNoCaptcha | High (Google risk analysis) | Good – invisible challenge for most users | High‑traffic public wikis where you trust Google’s service. |
| hCaptcha | High (privacy‑focused alternative) | Good – similar to reCAPTCHA | Sites that prefer non‑Google providers. |
| Turnstile | Very high (Cloudflare heuristic) | Excellent – no visual puzzle for most users | Wikis already using Cloudflare or wanting zero‑friction UI. |
| SimpleCaptcha | Low (easy math) | Excellent | Legacy wikis or testing environments. |

Minimal Configuration Example

The following snippet enables QuestyCaptcha for account creation and URL‑adding, while allowing autoconfirmed users to skip CAPTCHAs.

wfLoadExtensions([ 'ConfirmEdit', 'ConfirmEdit/QuestyCaptcha' ]);

$wgCaptchaClass = 'QuestyCaptcha';

// Define a small pool of questions – rotate them regularly!
$wgCaptchaQuestions = [
    'What is the capital of France?' => 'Paris',
    'How many letters are in the word "wiki"?' => [4, 'four'],
    'Enter the site name:' => $wgSitename,
];

// Triggers – only on account creation and when a new URL is added.
$wgCaptchaTriggers = [
    'createaccount' => true,
    'addurl'       => true,
];

// Trusted groups that never see a CAPTCHA.
$wgGroupPermissions['autoconfirmed']['skipcaptcha'] = true;
$wgGroupPermissions['bot']['skipcaptcha'] = true;
$wgGroupPermissions['sysop']['skipcaptcha'] = true;

Advanced Tips

  • Whitelist URLs: Populate MediaWiki:Captcha-addurl-whitelist with regexes to allow trusted domains (e.g., YouTube, GitHub) without triggering a CAPTCHA.
  • Emergency mode: In a sudden spam burst, set $wmgEmergencyCaptcha = true (or edit CommonSettings.php) to force CAPTCHAs on all edits.

  • Rate‑limiting bad logins: Set $wgCaptchaBadLoginAttempts and $wgCaptchaBadLoginExpiration to throttle password‑guessing attacks.

$wgCaptchaBadLoginAttempts = 3; // after 3 failures
$wgCaptchaBadLoginExpiration = 300; // 5 minutes

  • Namespace‑specific rules: Use $wgCaptchaTriggersOnNamespace to make Talk pages CAPTCHA‑free while protecting Project pages.

$wgCaptchaTriggersOnNamespace[NS_TALK]['addurl'] = false;
$wgCaptchaTriggersOnNamespace[NS_PROJECT]['edit'] = true;
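
One way to build an emergency switch from ConfirmEdit's standard trigger and permission settings, as an added example rather than the extension's or the author's own code. The flag-file path and the $captchaEmergencyFlag variable are hypothetical; the fragment belongs in LocalSettings.php after the other ConfirmEdit settings.

```php
// Added example. Assumption: an operator creates or deletes this
// (hypothetical) flag file to switch emergency mode on or off.
$captchaEmergencyFlag = __DIR__ . '/captcha-emergency.flag';

if ( file_exists( $captchaEmergencyFlag ) ) {
    // Challenge every edit and every page creation, not only new URLs.
    $wgCaptchaTriggers['edit'] = true;
    $wgCaptchaTriggers['create'] = true;

    // Per-namespace overrides take precedence over the global triggers,
    // so clear them; otherwise the Talk-page exemption above stays active.
    $wgCaptchaTriggersOnNamespace = [];

    // Autoconfirmed is granted automatically by account age and edit
    // count, so keep the exemption only for bots and sysops for now.
    $wgGroupPermissions['autoconfirmed']['skipcaptcha'] = false;
}
```

Because the block only runs when the flag file exists, deleting the file restores the normal configuration on the next request.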

Testing Your Setup

After adding the configuration, visit Special:Version to verify the extension loads. Then try the following actions as an anonymous user:

  1. Edit a page and add a new external link – you should see the CAPTCHA.
  2. Attempt to create a new account – the same challenge appears.
  3. Log in as a user with skipcaptcha permission and repeat the steps – no CAPTCHA should appear.

If any trigger fails, check the debug log ($wgDebugLogFile) for messages from ConfirmEdit.
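
The checks above can be rehearsed offline before touching the live wiki. The script below is an added example, not ConfirmEdit's code or the author's: a simplified model of how the triggers, namespace overrides and skipcaptcha right from this page combine. The function names, the $cfg layout and the test matrix are constructed for illustration.

```php
<?php
// Added example: simplified offline model, not ConfirmEdit's own code.

/** Group rights are additive: one group granting skipcaptcha is enough. */
function canSkipCaptcha( array $groupPermissions, array $userGroups ): bool {
    foreach ( $userGroups as $group ) {
        if ( !empty( $groupPermissions[$group]['skipcaptcha'] ) ) {
            return true;
        }
    }
    return false;
}

/** Global trigger first, then the per-namespace override if one is set. */
function captchaExpected( array $cfg, array $userGroups, string $action, ?int $ns = null ): bool {
    if ( canSkipCaptcha( $cfg['groupPermissions'], $userGroups ) ) {
        return false;
    }
    $result = $cfg['triggers'][$action] ?? false;
    if ( $ns !== null && isset( $cfg['nsTriggers'][$ns][$action] ) ) {
        $result = $cfg['nsTriggers'][$ns][$action];
    }
    return (bool)$result;
}

// Constructed config mirroring the snippets above (1 = NS_TALK, 4 = NS_PROJECT).
$cfg = [
    'triggers' => [ 'createaccount' => true, 'addurl' => true ],
    'nsTriggers' => [ 1 => [ 'addurl' => false ], 4 => [ 'edit' => true ] ],
    'groupPermissions' => [
        'autoconfirmed' => [ 'skipcaptcha' => true ],
        'bot' => [ 'skipcaptcha' => true ],
        'sysop' => [ 'skipcaptcha' => true ],
    ],
];

// Constructed test matrix: [ groups, action, namespace, CAPTCHA expected? ]
$cases = [
    [ [ '*' ], 'addurl', 0, true ],          // anonymous adds a link in main namespace
    [ [ '*' ], 'createaccount', null, true ],
    [ [ '*' ], 'edit', 0, false ],           // plain edit, no trigger configured
    [ [ '*' ], 'addurl', 1, false ],         // Talk pages exempted
    [ [ '*' ], 'edit', 4, true ],            // Project pages protected
    [ [ '*', 'user', 'autoconfirmed' ], 'addurl', 0, false ],
];
foreach ( $cases as [ $groups, $action, $ns, $want ] ) {
    $got = captchaExpected( $cfg, $groups, $action, $ns );
    printf( "%-22s %-13s ns=%-4s captcha=%-5s %s\n", implode( ',', $groups ), $action,
        $ns ?? '-', $got ? 'yes' : 'no', $got === $want ? 'ok' : 'MISMATCH' );
}
```

Any MISMATCH line points at a setting to recheck. Granting skipcaptcha to '*' or 'user' in the model exempts every visitor, which is why the exemptions belong on narrower groups.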

Conclusion

ConfirmEdit offers a modular, battle‑tested defense against automated abuse while keeping the legitimate editing experience fast and accessible. Its ability to mix lightweight local challenges with world‑class services means you can start with a simple configuration and evolve it as traffic grows. For any public or semi‑public MediaWiki installation, installing ConfirmEdit is no longer an optional nice‑to‑have—it’s a fundamental part of a secure wiki ecosystem.

Ready to protect your wiki? Add the few lines above to LocalSettings.php and watch the spam drop.
