Page MenuHomePhabricator
Create Task
Maniphest T405565

Throttle temporary account creation
Closed, ResolvedPublic
Actions

Description

Motivation

Temporary accounts can be abused by bad actors who repeatedly delete their cookies to generate new temporary accounts. Under the current rules this can be done a maximum of 6 times per day after which they will have to wait for 24 hours.
This task is to make it harder for bad actors to do this.

Acceptance criteria
  • Introduce a rate limit that works on a shorter interval (e.g. 10-minute cool off period between repeated temporary account creations, or 1 temporary account creation per 4 hours)
    • This should not impact registered account creations.

Mock
TBD

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add a short-term rate limit to temp account creationmediawiki/corewmf/1.45.0-wmf.22+37 -7
Add a short-term rate limit to temp account creationmediawiki/coremaster+37 -9
Customize query in gerrit

Related Objects
Search...

Event Timeline

Niharika created this task.Sep 25 2025, 10:40 AM
Niharika triaged this task as Medium priority.
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptSep 25 2025, 10:40 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tchanders updated the task description. (Show Details)Oct 6 2025, 7:29 PM
Niharika moved this task from Inbox to Global wiki rollout on the Temporary accounts board.Oct 8 2025, 10:11 AM
Niharika edited projects, added Temporary accounts (Global wiki rollout); removed Temporary accounts.
OKryva-WMF added a project: Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)).Oct 8 2025, 2:19 PM
OKryva-WMF moved this task from Priority backlog to Ready on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.
sgrabarczuk subscribed.Oct 8 2025, 6:15 PM
STran claimed this task.Oct 9 2025, 9:40 AM
STran moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.
gerritbot added a comment.Oct 9 2025, 10:37 AM

Change #1194904 had a related patch set uploaded (by STran; author: STran):

[mediawiki/core@master] Add a short-term rate limit to temp account creation

https://gerrit.wikimedia.org/r/1194904

gerritbot added a project: Patch-For-Review.Oct 9 2025, 10:37 AM
STran moved this task from To triage to In progress on the Temporary accounts (Global wiki rollout) board.Oct 9 2025, 11:19 AM
STran moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.Oct 9 2025, 12:04 PM
kostajh mentioned this in T357802: Design & Copy: Prompt user to create a regular account after temp account creation rate limit trip.Oct 10 2025, 8:44 AM
OKryva-WMF removed a project: Trust and Safety Product Team.Oct 10 2025, 10:02 AM
gerritbot added a comment.Oct 10 2025, 11:00 AM

Change #1194904 merged by jenkins-bot:

[mediawiki/core@master] Add a short-term rate limit to temp account creation

https://gerrit.wikimedia.org/r/1194904

Maintenance_bot removed a project: Patch-For-Review.Oct 10 2025, 11:32 AM
Titore subscribed.Oct 10 2025, 11:41 AM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.23; 2025-10-14).Oct 10 2025, 12:00 PM
gerritbot added a comment.Oct 12 2025, 8:47 AM

Change #1195399 had a related patch set uploaded (by Kosta Harlan; author: STran):

[mediawiki/core@wmf/1.45.0-wmf.22] Add a short-term rate limit to temp account creation

https://gerrit.wikimedia.org/r/1195399

gerritbot added a project: Patch-For-Review.Oct 12 2025, 8:47 AM
gerritbot added a comment.Oct 13 2025, 8:33 AM

Change #1195399 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.22] Add a short-term rate limit to temp account creation

https://gerrit.wikimedia.org/r/1195399

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.22; 2025-10-07); removed MW-1.45-notes (1.45.0-wmf.23; 2025-10-14).Oct 13 2025, 9:00 AM
Maintenance_bot removed a project: Patch-For-Review.Oct 13 2025, 9:31 AM
Johannnes89 subscribed.Oct 13 2025, 1:04 PM
sgrabarczuk added a parent task: T357776: [Epic] Mitigate abilities to abuse temporary accounts.Oct 13 2025, 2:25 PM
kostajh moved this task from Needs review to Needs QA on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.Oct 14 2025, 11:52 AM
Niharika mentioned this in T407246: Update block message to clarify duration.Oct 14 2025, 3:03 PM
Niharika mentioned this in T398673: Unregistered editors on blocked ranges need a way to interact on-wiki to appeal a block.Oct 15 2025, 10:05 AM
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)); removed Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)).Oct 17 2025, 1:47 PM
OKryva-WMF moved this task from Backlog to Needs QA on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Oct 17 2025, 1:48 PM
Novem_Linguae awarded a token.Oct 18 2025, 2:50 AM
Novem_Linguae subscribed.
Djackson-ctr moved this task from Needs QA to Done on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.EditedOct 31 2025, 11:40 PM
Djackson-ctr subscribed.

New Code Changes for 10 minute short-term rate limit has been implemented and verified, and the existing code for maximum of 6 temporary account creations per day is still intact.

Johannnes89 added a comment.Nov 4 2025, 5:26 PM
In T405565#11332711, @Djackson-ctr wrote:

New Code Changes for 10 minute short-term rate limit has been implemented and verified, and the existing code for maximum of 6 temporary account creations per day is still intact.

This should be documented in https://www.mediawiki.org/wiki/Manual:$wgTempAccountCreationThrottle

Niharika added a comment.Nov 7 2025, 10:25 AM
In T405565#11341255, @Johannnes89 wrote:
In T405565#11332711, @Djackson-ctr wrote:

New Code Changes for 10 minute short-term rate limit has been implemented and verified, and the existing code for maximum of 6 temporary account creations per day is still intact.

This should be documented in https://www.mediawiki.org/wiki/Manual:$wgTempAccountCreationThrottle

Good catch. @STran can you please do this?

STran closed this task as Resolved.Nov 7 2025, 4:27 PM

Done

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits