Gov/en/Portal:Trust-Safety/Vandalism-Prevention
💡 In simple words: Some people try to break or mess up shared pages on purpose. This page explains the tricks WikiDeal uses to stop that and quickly fix any damage.
⚠️ Not yet approved. This page describes a proposal that is still under community review. It is documented here so it can be discussed, improved and endorsed.
Vandalism Prevention — Audit & Live Pentest
Pre-migration security review of wikideal.net (MediaWiki 1.43.0). Includes a live, authorized penetration test run on 2026-06-13 (test accounts cleaned up / blocked afterwards).
1. Live Pentest Results (2026-06-13)
| Test | Result | Detail |
|---|---|---|
| Anonymous editing rights | EXPOSED | Group * has edit, createpage, createtalk — contradicts the published doctrine "anonymous editing not allowed". |
| Anonymous edit attempt | BLOCKED | Stopped by $wgEmailConfirmToEdit ("confirm your email before editing"). |
| Automated account creation (no captcha) | BLOCKED | "Incorrect or missing CAPTCHA". |
| QuestyCaptcha cracking | BYPASSED | Static questions e.g. "What is the part after 'Wiki' in the name of this project?" → answer Deal. Account created automatically (STATUS: PASS). |
| Edit after account creation | BLOCKED | Still requires confirmed email before editing. |
⚠️ Critical finding: the QuestyCaptcha is trivially solvable by an AI (static, low number of questions, answers derived from the project name). Mass account creation is feasible. The only effective wall today is email-confirmation-to-edit — which falls if disposable-email confirmation is automated.
2. Existing Defences
| Mechanism | Role | Status |
|---|---|---|
| Email-confirm-to-edit | Blocks edits until email confirmed | ACTIVE — main wall |
| QuestyCaptcha (ConfirmEdit) | Anti-bot at account creation | WEAK — AI-solvable |
| Rings of Trust (coef 1-10) | Graduated trust | Conceptual |
| Reputation Management | Rating + moderation algorithm | Conceptual |
| Court of Auditors / Arbitration / Whistleblower | Governance recourse | Conceptual |
| Content Versioning + Approval | History + participatory approval | Conceptual |
3. Recommendations Before Migration
HIGH
- Replace QuestyCaptcha with a stronger captcha (hCaptcha / Turnstile / reCAPTCHA v3) or a rotating, non-derivable question pool.
- Install AbuseFilter + enforce rate-limiting ($wgRateLimits) on account creation and edits.
- Enable FlaggedRevisions on sensitive namespaces (WikiDeal: rules, Contract-Validated:): nothing public without editor/lawyer approval.
- Align doctrine and config: if anonymous editing is truly forbidden, remove edit/createpage from group * (do not rely only on email-confirm).
- Semi-protect immutable rules (4 Concepts, bonding-curve, governance).
MEDIUM
- RecentChanges patrol queue; tie autopatrol to Rings of Trust (coef ≥ threshold).
- CheckUser for sock-puppet investigation; clear blocking policy.
- Disposable-email hardening (block throwaway domains) so email-confirm stays meaningful.
Bottom line: the foundation (email-confirm-to-edit) holds for now, but the anti-bot layer (QuestyCaptcha) is broken and the anonymous-rights config contradicts the doctrine. These should be fixed before opening the wiki to public migration.