A vanilla MediaWiki install allows anonymous users to create pages and talk pages without any restrictions or rate limiting, while registered users are instantly promoted to autoconfirmed status because $wgAutoConfirmAge and $wgAutoConfirmCount both default to 0. There are no restrictions, rate limits, blacklists, or even CAPTCHAs preventing new or anonymous users from inserting external links, creating pages, or completing any other action. I can go find a fresh vanilla install right now via any search engine and begin creating thousands of pages containing a backlink to my website or some malicious URL - all without any difficulty.
The bundled anti-spam extensions include ConfirmEdit, Nuke, SpamBlacklist, and TitleBlacklist. Of those, ConfirmEdit seems to be the only one which can effectively prevent spam without too much hassle, yet its default CAPTCHA (SimpleCaptcha, a plain-text arithmetic question) is trivially bypassable. There's no easy built-in way to find a spammer's IP or to implement regular expression filters - sysadmins have to install CheckUser and AbuseFilter themselves.
There are bots for sale which are designed specifically for spamming MediaWiki, and several Fiverr gigs offer thousands of MediaWiki backlinks for $5. All of that spam is possible because sysadmins aren't installing and using anti-spam extensions and because the default settings grant too much trust to new users.
MediaWiki spam is not just a problem for the people running spammed installs, but for sysadmins of other websites too. I've seen a large number of cases where the spammer submits a link to a MediaWiki site as a means to hide the real target of the spam link. They'd spam for innocentSpammedWebsite.com on my website while innocentSpammedWebsite.com contains a link to the actual destination they wanted to spam. My domain blacklists didn't contain innocentSpammedWebsite.com, but had actualTarget.com instead.
Can stricter default settings be considered to protect the wider Internet community from shady blackhat SEO spammers abusing MediaWiki? Spam is an increasing problem on the Internet, and MediaWiki's open nature makes it an ideal target for spammers.
- Bundle common anti-spam extensions with the standard MediaWiki release
  - T194746: Bundle StopForumSpam extension with the next MediaWiki release (block IPs blacklisted at stopforumspam.com)
  - T173113: Integrate AbsenteeLandlord into core (automatic lockdown after a period of sysop inactivity)
  - T191740: Bundle AbuseFilter extension with MediaWiki - also, include recommended filters based on common spammed keywords and link insertions
- Improve the defaults for core and already bundled anti-spam extensions (which are: ConfirmEdit, Nuke, SpamBlacklist, TitleBlacklist)
  - Disallow anonymous users and new users from creating pages and talk pages containing external links.
  - Make QuestyCaptcha the default CAPTCHA and have sysadmins type out a question and answer pair during the initial setup. A CAPTCHA itself can be optional, but guiding sysadmins to QuestyCaptcha should reduce a lot of spam.
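For reference, here is what the weak defaults described at the top of this task look like next to a hardened LocalSettings.php that applies the "improve the defaults" proposals above (autoconfirmed thresholds, no anonymous page creation, rate limits, QuestyCaptcha with an `addurl` trigger, SpamBlacklist and AbuseFilter). This is an added example, not code from MediaWiki or from this task; it assumes a MediaWiki 1.3x install with the ConfirmEdit, SpamBlacklist and AbuseFilter extensions present under extensions/, and the CAPTCHA question, the local blacklist file and the numeric thresholds are placeholders to be adjusted per site.

```php
<?php
# Added example (not part of the task or of MediaWiki): LocalSettings.php
# fragment contrasting vanilla defaults with a hardened anti-spam setup.
# Assumptions: MediaWiki 1.3x; ConfirmEdit, SpamBlacklist and AbuseFilter
# are installed under extensions/; thresholds and the question/answer pair
# are placeholders chosen for illustration.

# --- What a vanilla install effectively ships with (do NOT copy) ---
# $wgAutoConfirmAge   = 0;   // every registered account is autoconfirmed at once
# $wgAutoConfirmCount = 0;
# $wgGroupPermissions['*']['createpage'] = true;   // anonymous page creation
# $wgGroupPermissions['*']['createtalk'] = true;   // anonymous talk-page creation

# --- 1. Stop promoting brand-new accounts to autoconfirmed ---
$wgAutoConfirmAge   = 4 * 86400;  // account must be at least 4 days old ...
$wgAutoConfirmCount = 10;         // ... and have made at least 10 edits

# --- 2. Anonymous users may read and edit, but not create pages ---
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
# Registered accounts must confirm an email address before editing at all
$wgEmailConfirmToEdit = true;

# --- 3. Throttle edits and account creation per IP / new account ---
# Format: $wgRateLimits[action][group] = [ max events, per N seconds ]
$wgRateLimits['edit']['ip']     = [ 4, 60 ];
$wgRateLimits['edit']['newbie'] = [ 4, 60 ];
$wgAccountCreationThrottle      = 3;   // accounts per IP per 24 hours

# --- 4. Core spam controls that are off or empty by default ---
$wgEnableDnsBlacklist = true;
$wgDnsBlacklistUrls   = [ 'xbl.spamhaus.org', 'http.dnsbl.sorbs.net.' ];
# Reject edits containing hidden-link CSS tricks and a sample spam keyword
$wgSpamRegex = '/overflow\s*:\s*auto|display\s*:\s*none|\bviagra\b/i';

# --- 5. ConfirmEdit with QuestyCaptcha instead of the default SimpleCaptcha ---
wfLoadExtension( 'ConfirmEdit' );
wfLoadExtension( 'ConfirmEdit/QuestyCaptcha' );
$wgCaptchaClass = 'QuestyCaptcha';
# Site-specific question; placeholder pair to be replaced by the sysadmin
$wgCaptchaQuestions = [
    "What is the name of this wiki's host company, in lowercase?" => 'examplecorp',
];
$wgCaptchaTriggers['edit']          = false; // plain edits stay captcha-free
$wgCaptchaTriggers['create']        = true;  // page creation
$wgCaptchaTriggers['addurl']        = true;  // any edit that adds an external link
$wgCaptchaTriggers['createaccount'] = true;
$wgCaptchaTriggers['badlogin']      = true;
# Only autoconfirmed (and above) users skip the captcha
$wgGroupPermissions['*']['skipcaptcha']             = false;
$wgGroupPermissions['user']['skipcaptcha']          = false;
$wgGroupPermissions['autoconfirmed']['skipcaptcha'] = true;

# --- 6. Shared URL blacklist from Meta plus a local file ---
wfLoadExtension( 'SpamBlacklist' );
$wgBlacklistSettings['spam']['files'] = [
    'https://meta.wikimedia.org/w/index.php?title=Spam_blacklist&action=raw&sb_ver=1',
    "$IP/local-spam-blacklist.txt",   // assumed local file, one regex fragment per line
];

# --- 7. AbuseFilter for regex and behavioural rules, editable by sysops only ---
wfLoadExtension( 'AbuseFilter' );
$wgGroupPermissions['sysop']['abusefilter-modify']     = true;
$wgGroupPermissions['sysop']['abusefilter-log-detail'] = true;
$wgGroupPermissions['*']['abusefilter-view']           = true;
$wgGroupPermissions['*']['abusefilter-log']            = true;
```

Core has no switch that specifically forbids non-autoconfirmed users from adding external links; the closest built-in lever is the `addurl` CAPTCHA trigger above, and the actual "disallow" needs an AbuseFilter rule, for instance one that disallows when `length(added_links) > 0 & !contains_any(user_groups, "autoconfirmed")` (illustrative; check the variable names against the AbuseFilter documentation for the installed version). The commented-out block at the top is the part worth comparing with the live settings: with it in effect, nothing stands between a throwaway account and mass page creation.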