Access MediaWiki RSS Recent Changes on a private wiki without authentication

The simplest solution would be to add Special:Recentchanges to the $wgWhitelistRead config variable; this does, however, give the whole world access to that page. Below is an alternative solution that adds some additional security.

<?php
// Simple wrapper script to allow access to MediaWiki Recent changes without authentication.
// Only a SECRET is used to add some kind of additional security. Set variable $secret = "" below to disable it.
// REST library, may be better ones out there.
// INSTALL NOTE: You need to chmod the cookies.tmp file which the library uses so the webserver user can write to it.
require_once( 'mediawikiapi.php' );
// NOTE: I needed to add trim($data) in mediawikiapi.php everywhere where simplexml_load_string was used to work with mediawiki.
// Custom additions to above lib. The function uses $this, so it goes inside the MediaWikiApi class in mediawikiapi.php:
/*
function getFeedRecentChanges($days, $limit) {
        $url  = $this->siteUrl . "/api.php?days=$days&limit=$limit&action=feedrecentchanges&feedformat=atom";
        $data = httpRequest($url, $params = '');
        $xml  = simplexml_load_string(trim($data));
        return $xml;
}
*/

// Config - PS: HTTPS is recommended
$mediawikiurl = "https://my-mediawiki/api.php";
// API Login credentials, create this mediawiki user.
// You could get this info from the querystring as well and skip the secret (?user=myuser&pass=mypw) but note that your webserver access logs will display all user passwords in clear text if you do so!!!
$username = "rss";
$password = 'ThisIsMySecretPassword';

// Primitive authentication - The secret that needs to be passed by querystring to access the page rss.php
// rss.php?secret=blahablaha
// Like anything passed by querystring, the secret also ends up in the webserver access logs.
$secret = "c5f63b6039e347a5899c8b3cc5e45966";
$given  = isset($_GET['secret']) ? $_GET['secret'] : '';
// hash_equals compares the two strings in constant time; a non-string value (?secret[]=x) is rejected.
if ($secret !== "" && (!is_string($given) || !hash_equals($secret, $given))) {
  die("Secret is incorrect!");
}

// days and limit are cast to int so that only numbers end up in the API URL
if (isset($_GET['days'])) {
  $days = (int) $_GET['days'];
} else {
  $days = "7";
}
if (isset($_GET['limit'])) {
  $limit = (int) $_GET['limit'];
} else {
  $limit = "50";
}

$api = new MediaWikiApi($mediawikiurl);
$api->login($username, $password);
$xml = $api->getFeedRecentChanges($days, $limit);
// simplexml_load_string returns false when the response could not be parsed
if ($xml === false) {
  die("Could not read the feed!");
}
header("Content-Type: application/xml");
# For some additional security the summary/author fields, which may contain sensitive information, are cleared here - comment out these rows to keep them.
foreach ($xml->entry as $entry) {
  $entry->summary = "Summary has been stripped for security reasons ...";
  $entry->author = "";
}
print $xml->asXML();
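
Added example (not part of the original post): the secret comparison and the days/limit handling from rss.php written as small functions and run over constructed requests. It shows a loose != comparison accepting a different value when the secret happens to be a numeric string, which hash_equals rejects. The function names, the sample secret and the 1-90 / 1-500 ranges are assumptions.

```php
<?php
// Added example, not from the original post. All function names are hypothetical.

// Loose comparison with !=: two numeric strings are compared as numbers.
function secretMatchesLoose($given, string $secret): bool {
    return !($given != $secret);
}

// Hardened check: needs a non-empty configured secret and a string value,
// then compares byte for byte in constant time.
function secretMatchesStrict($given, string $secret): bool {
    return $secret !== '' && is_string($given) && hash_equals($secret, $given);
}

// Integer parameter within [$min, $max]; anything else falls back to $default.
function intParam(array $query, string $key, int $default, int $min, int $max): int {
    $value = filter_var($query[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? $default : $value;
}

// Constructed secret in the post's 32-character hex format that is also a numeric string.
$secret = '0e123456789012345678901234567890';

// Constructed query strings, as PHP would expose them in $_GET.
$requests = [
    'correct secret'       => ['secret' => $secret, 'days' => '3', 'limit' => '20'],
    'other numeric string' => ['secret' => '0e1', 'days' => '7&x=1'],
    'array value'          => ['secret' => ['x'], 'limit' => '999999'],
    'no secret'            => [],
];

foreach ($requests as $label => $query) {
    $given = $query['secret'] ?? null;
    printf("%-20s loose=%-3s strict=%-3s days=%d limit=%d\n",
        $label,
        secretMatchesLoose($given, $secret) ? 'yes' : 'no',
        secretMatchesStrict($given, $secret) ? 'yes' : 'no',
        intParam($query, 'days', 7, 1, 90),
        intParam($query, 'limit', 50, 1, 500));
}
```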
