MediaWiki 1.40

MediaWiki 1.40 is a legacy release of MediaWiki. Consult the RELEASE NOTES file for the full list of changes. It was deployed on Wikimedia Foundation wikis through incremental "wmf"-branches between September 2022 and March 2023. The 1.40.0 stable release came out in June 2023. Download mediawiki-1.40.3.tar.gz or checkout the REL1_40 branch in Git to follow this release.

Important changes

  • The RenameUser extension has been merged into MediaWiki core. If you have it installed, you should deactivate it in LocalSettings.php and uninstall it.

Other changes


Some specific notes for MediaWiki 1.40 upgrades are below:

  • Maintenance scripts should now be executed using maintenance/run.php, e.g. maintenance/run.php update not maintenance/update.php as before.
  • Five extensions have now been bundled with MediaWiki:
    • The DiscussionTools extension, which provides a forum-like editing experience for wikitext-based discussion pages.
    • The Echo extension, which provides a system of user notifications.
    • The Linter extension, which warns about use of deprecated wikitext.
    • The LoginNotify extension, which warns users about failed attempted logins.
    • The Thanks extension, which lets users thank editors for edits.
  • The Renameuser extension has been moved to MediaWiki core. It is now possible to rename users without installing an extension. The extension had already been bundled with MediaWiki since 1.18.

For notes on 1.39.x and older releases, see HISTORY.

Configuration changes for system administrators in 1.40

  • When computing PBKDF2 password hashes, MediaWiki now detects and uses OpenSSL support if available, unless $wgPasswordConfig['pbkdf2']['class'] is set in LocalSettings.php. OpenSSL is more efficient, so if that setting is present, you should remove it (or set it to 'Pbkdf2PasswordUsingOpenSSL' if possible). If users get an internal error when trying to log in, you can try setting it to 'Pbkdf2PasswordUsingHashExtension'. In particular, this would be necessary if existing PBKDF2 password hashes were computed using a hash algorithm other than "sha512" or "sha256" (the current and prior defaults).
  • You should configure your webserver to return the http header 'X-Content-Type-Options: nosniff' for the /images directory. This will instruct browsers to not apply content sniffing when accessing the files. MediaWiki before 1.40 shipped with a content sniffer which disallowed potentially dangerous files at upload time, but this protection has now been removed in favor of this 'X-Content-Type-Options: nosniff' header and the installer will return a warning when it is not in place.
  • Support for MW_USE_LEGACY_DEFAULT_SETTINGS has been removed, setting this constant will not have any effect. Use of MW_USE_LEGACY_DEFAULT_SETTINGS had been deprecated since 1.39.

New configuration

  • $wgThumbnailNamespaces - This setting lets you define the namespaces for which image thumbnails (or a placeholder in the absence of a thumbnail) will be displayed on Special:Search.
  • $wgResourceLoaderClientPreferences – This experimental flag lets you enable client-side preferences for logged-out users.
  • $wgExternalLinksSchemaMigrationStage – This temporary flag lets you control the migration stage for the new schema for the external links database table. Ignore it unless you have a large wiki farm with complex migration needs.
  • $wgCommentTempTableSchemaMigrationStage – This temporary flag lets you control the migration stage for the temporary comment database table, from revision. Ignore it unless you have a large wiki farm with complex migration needs.
  • $wgSpecialContributeSkinsEnabled – This setting lets you list skins on which Special:Contribute is available, for where others don't work for the feature.
  • $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.

Changed configuration

  • $wgPasswordPolicy – This setting, which controls what makes for a valid password for wiki accounts, has been adjusted to raise the minimal password length from 1 to 8 characters. The initial limit of 1 has been in place since MediaWiki 1.26. If you wish to allow shorter passwords, you can over-ride it in your LocalSettings following the guidance on
  • (task T254045) New accounts can no longer use an equals sign (=) in their usernames because of issues it causes in wikitext syntax. This can be adjusted by changing the value of $wgInvalidUsernameCharacters .
  • (task T314318) $wgParserEnableLegacyMediaDOM – This setting has been changed, so the alternative modern HTML structure for media is now the default. You can disable it for now by over-riding this back to `true` in LocalSettings, but this configuration will be removed in future versions of MediaWiki. For more details, see the documentation at:
  • $wgWatchlistExpiryMaxDuration – This setting, which controls the maximum allowed duration for users to set their temporary watchlist entries for expiry if that feature is enabled, has been increased from 6 months to 1 year.

Removed configuration

  • $wgShellboxUrl – This setting, deprecated in 1.37, has now been removed; use $wgShellboxUrls instead.
  • $wgMainWANCache and $wgWANObjectCaches – These never-used settings have been removed. To inject WANObjectCache parameters, use $wgWANObjectCache instead. These variables were introduced for multi-DC wiki farms to add a separate memcached proxy for cross-DC relaying of purges but never used because WANObjectCache works based on route prefixes, which can be transparently handled by the main memcached proxy.
  • $wgParserTestFiles – This setting, deprecated in 1.30, has now been removed; extensions can place their parser test files in `tests/parser` instead.
  • (task T231412) $wgAutoloadAttemptLowercase – This setting, deprecated in 1.35, no longer has any effect. If you run into difficulties, fix the names of miscased local files.
  • (task T309787) $wgVerifyMimeTypeIE – This setting, to provide extra security checks for very old versions of Internet Explorer clients, was removed. These user agents aren't used in practice, and haven't been served JavaScript content for years.

New user-facing features in 1.40

  • Special:Search can now show thumbnails for results for titles outside NS_FILE. This is controlled via the new onSearchResultProvideThumbnail hook.
  • A new preference ('search-thumbnail-extra-namespaces') to allow users to control whether to show more thumbnails (per $wgThumbnailNamespaces )
  • (task T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot=<role-name> query parameters.
  • (task T313804) The preferences page now provides a search bar to find preferences, regardless of the tab on which they appear.

New developer features in 1.40

  • The MediaWiki-Docker development environment is now configured to run on PHP 8.1 by default, up from PHP 7.4 now that that's EOL.
  • Vue development mode is enabled by default in DevelopmentSettings.php
  • (task T277618) The @noVarDump annotation from the DebugInfoTrait tool can now be added to references to stop them from being expanded when their object is passed to var_dump(), to make its use for debugging more feasible.
  • The ApiSandbox will now by default request responses in the latest API format, rather than the original format. Users can set `formatversion` to a different value if needed.
  • A new hook, GetBlockErrorMessageKeyHook, allows extensions' block error messages to be received and displayed by BlockErrorFormatter.
  • A new hook, SpecialCreateAccountBenefits, lets extensions and local code set custom content on the signup page about the benefits of using an account.
  • (task T321412) A new 'PageUndeleteComplete' hook has been added for more thorough information about a page post restoration than the 'PageUndelete' hook passes. This provides similar functionality to the 'PageDeleteComplete' hook.
  • The Linker::specialLink() method can now link to a Special page's with a sub-page or action parameter set, e.g. Special:Contributions/JohnDoe.
  • The PHPUnit entrypoints (tests/phpunit/phpunit.php and vendor/bin/phpunit) now check if composer dependencies are up-to-date, like update.php, using CheckComposerLockUpToDate. To disable this check, use MW_SKIP_EXTERNAL_DEPENDENCIES=1 environment flag when running PHPUnit.
  • ManualLogEntry::setForceBotFlag() has been added to allow the forcing of the bot flag for log entries which are inserted to the recent changes.

Action API changes in 1.40

  • New `cancreateaccount` parameter on action=query&meta=userinfo that allows you to check if the user can create an account. Some of the errors that have previously been returned by action=query&list=users&usprop=cancreate are now returned here.

Languages updated in 1.40


MediaWiki supports over 400 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

See also