Skip to Content
Last modified by Agnease on 2026/06/08 18:44
From version 1.3
edited by Agnease
on 2026/05/26 07:46
Change comment: There is no comment for this version
To version 3.7
edited by Agnease
on 2026/06/08 18:19
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -32,6 +32,7 @@
32 32   <li><a href="#security-checklist">Security checklist</a></li>
33 33   <li><a href="#review-output">What the review should produce</a></li>
34 34   <li><a href="#when-to-review">When to run a review</a></li>
35 + <li><a href="#security-review-faq">FAQ</a></li>
35 35   </ul>
36 36   </aside>
37 37  
... ... @@ -51,6 +51,21 @@
51 51  
52 52   <div class="resource-note">
53 53   <p>
55 + <strong>In practice:</strong> an XWiki security review should evaluate the XWiki version,
56 + access rights, authentication setup, installed extensions, custom code, infrastructure,
57 + backups, restore expectations and the operational practices used to maintain the instance.
58 + </p>
59 + </div>
60 +
61 + <p>
62 + An XWiki security review is a structured assessment of the wiki platform, its configuration,
63 + access model, authentication mechanisms, extensions, customizations and operational setup.
64 + The goal is to identify risks, maintenance weaknesses and upgrade blockers before they affect
65 + users or business-critical content.
66 + </p>
67 +
68 + <div class="resource-note">
69 + <p>
54 54   <strong>The main point:</strong> an XWiki security review should not only check whether the application
55 55   is online. It should evaluate the platform, the access model and the operational practices around it.
56 56   </p>
... ... @@ -88,6 +88,11 @@
88 88   A repeatable upgrade process is part of the security posture of a long-running XWiki instance.
89 89   </p>
90 90  
107 + <p>
108 + For more details on upgrade planning, see
109 + <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>.
110 + </p>
111 +
91 91   <h3>2. Access rights and permission model</h3>
92 92   <p>
93 93   XWiki has a powerful access-rights system, but this flexibility needs a clear governance model. A review
... ... @@ -101,6 +101,13 @@
101 101   of small exceptions that nobody reviewed later.
102 102   </p>
103 103  
125 + <p>
126 + For a deeper look at this topic, see
127 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>.
128 + For a practical starting point, see
129 + <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">how to start an XWiki access-rights review</a>.
130 + </p>
131 +
104 104   <h3>3. Authentication and identity management</h3>
105 105   <p>
106 106   Authentication should be reviewed beyond the simple question of whether users can log in. LDAP, Active
... ... @@ -125,6 +125,11 @@
125 125   discovered accidentally during an incident or a production upgrade.
126 126   </p>
127 127  
156 + <p>
157 + Customizations should also be reviewed from a maintenance perspective. See
158 + <a href="$xwiki.getURL('resources.xwiki-custom-development')">how to keep XWiki custom development maintainable across upgrades</a>.
159 + </p>
160 +
128 128   <h3>5. Configuration, infrastructure and operations</h3>
129 129   <p>
130 130   The review should also cover the environment around XWiki: HTTPS and reverse proxy configuration, database
... ... @@ -137,8 +137,22 @@
137 137   knows what is included, how long recovery would take or whether the restore process has ever been tested.
138 138   </p>
139 139  
140 - <h2 id="security-checklist">Practical XWiki security review checklist</h2>
173 + <div class="resource-inline-cta">
174 + <p>
175 + <strong>Need a clearer view of your XWiki security posture?</strong>
176 + A structured review can check versions, access rights, authentication,
177 + extensions, custom code, infrastructure, backups and operational practices.
178 + </p>
179 + <a class="btn btn-secondary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
180 + </div>
141 141  
182 + <h2 id="security-checklist">XWiki security review checklist</h2>
183 +
184 + <p>
185 + A practical XWiki security review should cover both application-level and operational risks.
186 + The following checklist can be used as a starting point when reviewing a production instance.
187 + </p>
188 +
142 142   <ul class="resource-checklist">
143 143   <li>Check the current XWiki version, target version and upgrade path.</li>
144 144   <li>Review installed extensions, outdated components and unsupported customizations.</li>
... ... @@ -155,7 +155,7 @@
155 155   <h2 id="review-output">What the review should produce</h2>
156 156  
157 157   <p>
158 - A useful security review should not only produce a list of problems. It should produce a practical action
205 + A useful security review should not only produce a list of detected problems. It should produce a practical action
159 159   plan. Each finding should explain the risk, the affected area, the recommended action and the priority.
160 160   </p>
161 161  
... ... @@ -165,6 +165,14 @@
165 165   reviewing extensions or preparing the next upgrade.
166 166   </p>
167 167  
215 + <div class="resource-note">
216 + <p>
217 + <strong>A useful review should separate findings by priority:</strong> immediate risks,
218 + planned remediation, maintenance improvements and documentation gaps. This makes the result
219 + easier to act on instead of producing a generic list of observations.
220 + </p>
221 + </div>
222 +
168 168   <p>
169 169   The best outcome is a clearer, safer and more maintainable XWiki instance: one where administrators
170 170   understand the access model, critical features are documented and future upgrades can be planned with
... ... @@ -186,13 +186,70 @@
186 186  
187 187   <div class="resource-note">
188 188   <p>
189 - Related resources:
190 - <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>
244 + <strong>Security review series:</strong>
245 + this article is the main overview. You can also read
246 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>
191 191   and
192 - <a href="$xwiki.getURL('resources.xwiki-custom-development')">how to keep XWiki custom development maintainable across upgrades</a>.
248 + <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">how to start an XWiki access-rights review</a>.
249 + Future topics will cover authentication and access control, script and programming rights, backup validation,
250 + extension review and operational practices.
193 193   </p>
194 194   </div>
195 195  
254 + <h2 id="security-review-faq">XWiki security review FAQ</h2>
255 +
256 + <h3>What should an XWiki security review include?</h3>
257 + <p>
258 + An XWiki security review should include the installed XWiki version, upgrade path,
259 + access rights, groups, authentication setup, installed extensions, custom code,
260 + infrastructure, backups, restore expectations and operational procedures.
261 + </p>
262 +
263 + <h3>Is an updated XWiki instance automatically secure?</h3>
264 + <p>
265 + No. Updating XWiki is important, but security also depends on permissions,
266 + authentication, extensions, custom code, infrastructure configuration, backups
267 + and how the instance is maintained.
268 + </p>
269 +
270 + <h3>Does SSO solve XWiki access control?</h3>
271 + <p>
272 + No. SSO helps authenticate users, but access control still depends on XWiki groups,
273 + inherited permissions, page-level rights and administrative privileges.
274 + </p>
275 +
276 + <h3>Why should custom code be reviewed?</h3>
277 + <p>
278 + Custom scripts, templates, macros, UI extensions and Java components can affect
279 + permissions, workflows, rendering, integrations and upgrade behavior. They should
280 + be identified, documented and tested.
281 + </p>
282 +
283 + <h3>When should an XWiki security review be done?</h3>
284 + <p>
285 + A review is useful before a major upgrade, after years of organic growth, after
286 + authentication changes, before exposing the wiki more broadly, or when the instance
287 + becomes business-critical.
288 + </p>
289 +
290 + <div class="resource-note related-resources">
291 + <p><strong>Related resources:</strong></p>
292 + <ul>
293 + <li>
294 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a>
295 + </li>
296 + <li>
297 + <a href="$xwiki.getURL('resources.xwiki-access-rights-review')">How to start an XWiki access-rights review</a>
298 + </li>
299 + <li>
300 + <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">Why regular XWiki upgrades matter</a>
301 + </li>
302 + <li>
303 + <a href="$xwiki.getURL('resources.xwiki-custom-development')">How to keep XWiki custom development maintainable across upgrades</a>
304 + </li>
305 + </ul>
306 + </div>
307 +
196 196   <div class="resource-cta">
197 197   <h3>Need an XWiki security review?</h3>
198 198   <p>
... ... @@ -209,5 +209,54 @@
209 209   </div>
210 210   </section>
211 211  
324 + <script type="application/ld+json">
325 + {
326 + "@context": "https://schema.org",
327 + "@type": "FAQPage",
328 + "mainEntity": [
329 + {
330 + "@type": "Question",
331 + "name": "What should an XWiki security review include?",
332 + "acceptedAnswer": {
333 + "@type": "Answer",
334 + "text": "An XWiki security review should include the installed XWiki version, upgrade path, access rights, groups, authentication setup, installed extensions, custom code, infrastructure, backups, restore expectations and operational procedures."
335 + }
336 + },
337 + {
338 + "@type": "Question",
339 + "name": "Is an updated XWiki instance automatically secure?",
340 + "acceptedAnswer": {
341 + "@type": "Answer",
342 + "text": "No. Updating XWiki is important, but security also depends on permissions, authentication, extensions, custom code, infrastructure configuration, backups and how the instance is maintained."
343 + }
344 + },
345 + {
346 + "@type": "Question",
347 + "name": "Does SSO solve XWiki access control?",
348 + "acceptedAnswer": {
349 + "@type": "Answer",
350 + "text": "No. SSO helps authenticate users, but access control still depends on XWiki groups, inherited permissions, page-level rights and administrative privileges."
351 + }
352 + },
353 + {
354 + "@type": "Question",
355 + "name": "Why should custom code be reviewed in XWiki?",
356 + "acceptedAnswer": {
357 + "@type": "Answer",
358 + "text": "Custom scripts, templates, macros, UI extensions and Java components can affect permissions, workflows, rendering, integrations and upgrade behavior. They should be identified, documented and tested."
359 + }
360 + },
361 + {
362 + "@type": "Question",
363 + "name": "When should an XWiki security review be done?",
364 + "acceptedAnswer": {
365 + "@type": "Answer",
366 + "text": "A review is useful before a major upgrade, after years of organic growth, after authentication changes, before exposing the wiki more broadly, or when the instance becomes business-critical."
367 + }
368 + }
369 + ]
370 + }
371 + </script>
372 +
212 212  {{/html}}
213 213  {{/velocity}}
xwiki-security-review.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +1.3 MB
Content
Agnease.Code.SEODetailsClass[0]
metaDescription
... ... @@ -1,0 +1,1 @@
1 +Learn what an XWiki security review should include: version status, access rights, authentication, extensions, custom code, infrastructure, backups and operational practices.
metaTitle
... ... @@ -1,0 +1,1 @@
1 +What an XWiki Security Review Should Actually Include | Agnease