XWiki is both a collaboration platform and an extensible scripting environment. Hardening must cover rights delegation, script execution boundaries, and extension trust.
¶ 1) Protect privileged accounts and rights model
- Set a strong superadmin password and store it securely.
- Review group rights inheritance to avoid unintended Admin or Programming rights.
- Minimize the number of users with Programming right.
- Require MFA and SSO integration for admin accounts where possible.
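One way to check the two preceding points is to list the accounts that effectively hold Programming or Admin right on the wiki, including rights that arrive through group membership. The script below is an added example, not code from the page or the XWiki project; it assumes it is run from a `{{groovy}}` macro on an admin-only page (so the `doc` and `services` bindings exist) and that the XWQL query, model and security-authorization script services behave as in the XWiki scripting reference.

```groovy
// Added audit script (not from the original page or the XWiki project).
// Assumptions: runs inside a {{groovy}} macro on an admin-only page, so the
// `doc` and `services` bindings are present; uses the query, model and
// security.authorization script services as documented by XWiki.
import org.xwiki.security.authorization.Right

// Audit the wiki the current page lives in.
def wiki = doc.documentReference.wikiReference

// Every document carrying an XWiki.XWikiUsers object is a user profile.
def userNames = services.query.xwql("from doc.object(XWiki.XWikiUsers) as user").execute()

def report = [:].withDefault { [] }
userNames.each { name ->
    def userRef = services.model.resolveDocument(name)
    // hasAccess evaluates the effective right, so group inheritance is included.
    if (services.security.authorization.hasAccess(Right.PROGRAM, userRef, wiki)) {
        report['PROGRAM'] << name
    } else if (services.security.authorization.hasAccess(Right.ADMIN, userRef, wiki)) {
        report['ADMIN'] << name
    }
}

// Output is rendered into the page; compare it against the expected short list.
println "Users with Programming right on ${wiki.name}: ${report['PROGRAM'].size()}"
report['PROGRAM'].each { println "* ${it}" }
println "Users with Admin right (without Programming right): ${report['ADMIN'].size()}"
report['ADMIN'].each { println "* ${it}" }
```

Any name in the first list that is not a deliberately designated maintainer points at a group or rights object to review.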
¶ 2) Restrict scripting and extension attack surface
- Allow only trusted maintainers to install extensions.
- Review extension provenance before installation.
- Disable or tightly control script macros in untrusted spaces.
- Keep Groovy/Velocity script usage limited to audited pages.
¶ 3) Harden the deployment and operations
- Use HTTPS and security headers at the reverse proxy.
- Keep the database and Solr/auxiliary services on a private network.
- Patch XWiki and Java runtime regularly.
- Audit logs for permission changes, extension installs, and failed logins.
- XWiki security policy: https://www.xwiki.org/xwiki/bin/view/Main/SecurityPolicy
- XWiki hardening and admin docs: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/
- XWiki source repository: https://github.com/xwiki/xwiki-platform