We recently installed MediaWiki 1.25. Around the same time, a sister project added a wiki. Both projects failed to enable wgSecureLogin and wgCookieSecure, and plain-text passwords were used in subsequent logins.
According to the documentation, the wiki installer is supposed to make a copy of DefaultSettings.php and provide it as LocalSettings.php. We can edit LocalSettings.php, but we are not supposed to modify DefaultSettings.php (https://www.mediawiki.org/wiki/Manual:Configuration_Settings and https://www.mediawiki.org/wiki/Manual:LocalSettings.php).
However, LocalSettings.php did not have the wgSecureLogin, wgCookieHttpOnly and wgCookieSecure configuration settings that were present in DefaultSettings.php.
I can't help but feel that if the installer had copied the settings, it would have alerted me (and the sister project's administrator) to tune the configuration. In their absence, I (and the sister project's administrator) incorrectly assumed MediaWiki did the right thing and had a secure default.
To be clear, folks who run an HTTPS server expect something like the following to be secure and consistent with best practices:
$wgSecureLogin = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = 'detect';
It would probably be a very good idea to ensure wgSecureLogin, wgCookieHttpOnly and wgCookieSecure are present in the LocalSettings.php created in the field, with appropriate comments stating when to change wgSecureLogin = false to wgSecureLogin = true.
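The check the post wishes the installer performed, as an added example that is not part of the original report and not MediaWiki code: a small audit script that scans a LocalSettings.php for the three settings and reports each as ok, insecure or missing. It treats $wgCookieSecure = 'detect' as ok only when $wgServer is an https:// URL, since 'detect' takes the cookie's Secure flag from the $wgServer scheme. The LocalSettings.php fragments inside the script are constructed samples, not real installer output; the function names and the ok/insecure/missing vocabulary are this example's own.

```python
import re
from typing import Dict, Tuple

# The settings the report says an installer-written LocalSettings.php should
# carry, and which an HTTPS-only wiki wants set to true (or 'detect').
REQUIRED = ("wgSecureLogin", "wgCookieHttpOnly", "wgCookieSecure")

# A simple top-level assignment such as   $wgSecureLogin = true;
ASSIGN_RE = re.compile(r"^\s*\$(wg\w+)\s*=\s*(.+?)\s*;")


def _strip_comment(line: str) -> str:
    """Cut a trailing // or # comment, but not inside a quoted string
    (a naive find("//") would truncate "https://..." URLs)."""
    quote = None
    i = 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#" or line.startswith("//", i):
            return line[:i]
        i += 1
    return line


def parse_settings(text: str) -> Dict[str, str]:
    """Return {setting_name: raw_value} for every $wg... assignment found."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(_strip_comment(line))
        if m:
            found[m.group(1)] = m.group(2)
    return found


def _value(raw: str):
    """Normalise a PHP literal: true/false -> bool, 'detect' -> 'detect'."""
    v = raw.strip().strip("'\"").lower()
    if v == "true":
        return True
    if v == "false":
        return False
    return v


def audit(text: str) -> Dict[str, Tuple[str, str]]:
    """Classify each required setting as ('ok'|'insecure'|'missing', raw)."""
    settings = parse_settings(text)
    server = settings.get("wgServer", "").strip("'\"")
    https = server.lower().startswith("https://")
    report: Dict[str, Tuple[str, str]] = {}
    for name in REQUIRED:
        if name not in settings:
            report[name] = ("missing", "")
            continue
        val = _value(settings[name])
        if val is True:
            status = "ok"
        elif name == "wgCookieSecure" and val == "detect":
            # 'detect' only sets the Secure flag when $wgServer is https://
            status = "ok" if https else "insecure"
        else:
            status = "insecure"
        report[name] = (status, settings[name])
    return report


# Constructed sample: what the report describes, a LocalSettings.php with
# none of the three settings and an http:// $wgServer.
INSTALLER_STYLE = """<?php
$wgServer = "http://wiki.example.org"; // constructed sample
$wgScriptPath = "/w";
$wgCookieSecure = 'detect';   # inherited default, resolves to false here
"""

# Constructed sample: the configuration the report says an HTTPS wiki expects.
HARDENED = """<?php
$wgServer = "https://wiki.example.org";
$wgSecureLogin = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = 'detect';
"""

if __name__ == "__main__":
    for label, sample in (("installer-style", INSTALLER_STYLE), ("hardened", HARDENED)):
        print(label)
        for name, (status, raw) in audit(sample).items():
            print(f"  ${name:<18} {status:<9} {raw}")
```

Run it against a real LocalSettings.php by reading the file into `audit()`; anything reported as missing or insecure is a setting the installer left for the administrator to discover, which is exactly the gap the report describes.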