Security reminder: MediaWiki does not require PHP's register_globals. If you have it on, turn it off if you can.

MediaWiki 1.23

MediaWiki 1.23.17

Changes since 1.23.16

  • Fix syntax errors introduced in 1.23.16 when running PHP 5.3.

MediaWiki 1.23.16

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.15

  • (T68404) CSS3 attr() function with url type is no longer allowed in inline styles.
  • (T156184) $wgRawHtml will no longer apply to internationalization messages.
  • Submitting the lgtoken and lgpassword parameters in the query string to action=login is now deprecated and outputs a warning. They should be submitted in the POST body instead.
  • (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
  • (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
  • (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
  • (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
  • (T156184) SECURITY: Escape content model/format url parameter in message.
  • (T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
  • (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
  • (T108138) SECURITY: Sysops can undelete pages, although the page is protected against it.

MediaWiki 1.23.15

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.14

  • BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests made by MediaWiki via a proxy. Relying on the http_proxy environment variable is no longer supported.
  • (T139565) SECURITY: API: Generate head items in the context of the given title
  • (T137264) SECURITY: XSS in unclosed internal links
  • (T133147) SECURITY: Escape '<' and ']]>' in inline <style> blocks
  • (T133147) SECURITY: Require login to preview user CSS pages
  • (T132926) SECURITY: Do not allow undeleting a revision deleted file if it is the top file
  • (T129738) SECURITY: Make $wgBlockDisablesLogin also restrict logged in permissions
  • (T129738) SECURITY: Make blocks log users out if $wgBlockDisablesLogin is true
  • (T115333) SECURITY: Check read permission when loading page content in ApiParse
  • Remove support for $wgWellFormedXml = false, all output is now well formed

MediaWiki 1.23.14

This is a security release of the MediaWiki 1.23 branch.

Changes since 1.23.13

  • (T122056) Old tokens are remaining valid within a new session
  • (T127114) Login throttle can be tricked using non-canonicalized usernames
  • (T123653) Cross-domain policy regexp is too narrow
  • (T123071) Incorrectly identifying http link in a's href attributes, due to m modifier in regex
  • (T129506) MediaWiki:Gadget-popups.js isn't renderable
  • (T125283) SECURITY: Users occasionally logged in as different users after SessionManager deployment
  • (T103239) Patrol allows click catching and patrolling of any page
  • (T122807) [tracking] Check php crypto primatives
  • (T98313) Graphs can leak tokens, leading to CSRF
  • (T130947) Diff generation should use PoolCounter
  • (T133507) Careless use of $wgExternalLinkTarget is insecure
  • (T132874) API action=move is not rate limited
  • (T110143) strip markers can be used to get around html attribute escaping in (many?) parser tags
  • (T126685) Globally throttle password attempts

MediaWiki 1.23.13

This is a maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.12

  • (T121892) Fix fatal errors on some Special pages, introduced in 1.23.12.

MediaWiki 1.23.12

This is a security release of the MediaWiki 1.23 branch.

Changes since 1.23.11

  • (T117899) SECURITY: $wgArticlePath can no longer be set to relative paths that do not begin with a slash. This enabled trivial XSS attacks. Configuration values such as "$1" are fine, as are "/wiki/$1". A value such as "$1" or "wiki/$1" is not and will now throw an error.
  • (T119309) SECURITY: Use hash_compare() for edit token comparison
  • (T118032) SECURITY: Don't allow cURL to interpret POST parameters starting with '@' as file uploads
  • (T115522) SECURITY: Passwords generated by User::randomPassword() can no longer be shorter than $wgMinimalPasswordLength
  • (T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could result in improper blocks being issued
  • (T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions and related pages no longer use HTTP redirects and are now redirected by MediaWiki

MediaWiki 1.23.11

This is a security release of the MediaWiki 1.23 branch.

Changes since 1.23.10

  • (T91850) SECURITY: Add throttle check in ApiUpload and SpecialUpload
  • (T91203, T91205) SECURITY: API: Improve validation in chunked uploading
  • (T108616) SECURITY: Avoid exposure of local path in PNG thumbnails

MediaWiki 1.23.10

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.9

  • (T94116) SECURITY: Compare API watchlist token in constant time
  • (T97391) SECURITY: Escape error message strings in thumb.php
  • (T106893) SECURITY: Don't leak autoblocked IP addresses on Special:DeletedContributions
  • (bug 67644) Make AutoLoaderTest handle namespaces
  • (T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
  • (T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.

MediaWiki 1.23.9

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.8

  • (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
  • (bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
  • (bug T88310) SECURITY: Always expand xml entities when checking SVG's.
  • (bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
  • (bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
  • (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.
  • (bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.

MediaWiki 1.23.8

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.7

  • (bug T76686) [SECURITY] thumb.php outputs wikitext message as raw HTML, which could lead to xss. Permission to edit MediaWiki namespace is required to exploit this.
  • (bug T77028) [SECURITY] Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains in API calls if it only included an allowed domain as part of its name.
  • (bug T74222) The original patch for T74222 was reverted as unnecessary.

MediaWiki 1.23.7

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.6

  • (bug 66776, bug 71478) SECURITY: User PleaseStand reported a way to inject code into API clients that used format=php to process pages that underwent flash policy mangling. This was fixed along with improving how the mangling was done for format=json, and allowing sites to disable the mangling using $wgMangleFlashPolicy .
  • (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model.
  • (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario.
  • (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff.
  • (bug 71621) Make allowing site-wide styles on restricted special pages a config option.
  • (bug 42723) Added updated version history from 1.19.2 to 1.22.13
  • $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that might be a flash policy directive configurable.

MediaWiki 1.23.6

This is a maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.5

  • (bug 67440) Allow classes to be registered properly from installer
  • (bug 72274) Job queue not running (HTTP 411) due to missing Content-Length: header

MediaWiki 1.23.5

This is a security release of the MediaWiki 1.23 branch.

Changes since 1.23.4

  • (bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.

MediaWiki 1.23.4

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.3

  • (bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
  • (bug 65998) Make MySQLi work with non-standard socket.
  • (bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config settings.

MediaWiki 1.23.3

This is a maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.2

  • (bug 68501) Correctly handle incorrect namespace in cleanupTitles.php.
  • (bug 64970) Fix support for blobs on DatabaseOracle::update.
  • (bug 66574) Display MediaWiki:Loginprompt on the login page.
  • (bug 67870) wfShellExec() cuts off stdout at multiples of 8192 bytes.
  • (bug 60629) Handle invalid language code gracefully in Language::fetchLanguageNames.
  • (bug 62017) Restore the number of rows shown on Special:Watchlist.
  • Check for boolean false result from database query in SqlBagOStuff.

MediaWiki 1.23.2

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.1

  • (bug 68187) SECURITY: Prepend jsonp callback with comment.
  • (bug 66608) SECURITY: Fix for XSS issue in bug 66608: Generate the URL used for loading a new page in JavaScript, instead of relying on the URL in the link that has been clicked.
  • (bug 65778) SECURITY: Copy prevent-clickjacking between OutputPage and ParserOutput.
  • (bug 68313) Preferences: Turn stubthreshold back into a combo box.
  • (bug 65214) Fix initSiteStats.php maintenance script.
  • (bug 67594) Special:ActiveUsers: Fix to work with PostgreSQL.

MediaWiki 1.23.1

This is a security and maintenance release of the MediaWiki 1.23 branch.

Changes since 1.23.0

  • (bug 65839) SECURITY: Prevent external resources in SVG files.
  • (bug 67025) Special:Watchlist: Don't try to render empty row.
  • (bug 66922) Don't allow some E_NOTICE messages to end up in the LocalSettings.php.
  • (bug 66467) FileBackend: Avoid using popen() when "parallelize" is disabled.
  • (bug 66428) MimeMagic: Don't seek before BOF. This has weird side effects like only extracting the tail of the file partially or not at all.
  • (bug 66182) Removed -x flag on some php files.

MediaWiki 1.23

MediaWiki 1.23.0 is the stable branch and is recommended for use in production.

MediaWiki 1.23 is a large release that contains many new features and bug fixes. This is the full list of changes in this version.

Our thanks go to everyone who helped to improve MediaWiki by testing the beta release and submitting bug reports.

Configuration changes

  • (bug 13250) Restored method for clearing a watchlist in web UI so that users with large watchlists don't have to perform contortions to clear them.
  • When $wgJobRunRate is higher that zero, jobs are now executed via an asynchronous HTTP request to a MediaWiki entry point. This may require increasing the number of server worker threads. $wgRunJobsAsync has been added to disable this feature if needed, falling back to executing the job on the same process but making the execution synchronously.
  • $wgDebugLogGroups values may be set to an associative array with a 'destination' key specifying the log destination. The array may also contain a 'sample' key with a positive integer value N indicating that the log group should be sampled by dispatching one in every N messages on average. The sampling is random.
  • In addition to the current exception log format, MediaWiki now serializes exception metadata to JSON and logs it to the 'exception-json' log group. This makes MediaWiki easier to integrate with log aggregation and analysis tools.
  • $wgSquidServersNoPurge now supports the use of Classless Inter-Domain Routing (CIDR) notation to specify contiguous blocks of IPv4 and/or IPv6 addresses that should be trusted to provide X-Forwarded-For headers.
  • Preferences 'watchcreations', 'watchdefault', 'enotifwatchlistpages' ("Add pages I create and files I upload to my watchlist", "Add pages and files I edit to my watchlist", "Email me when a page or file on my watchlist is changed") are now enabled by default. In addition new user accounts' personal and talk pages are now watched by them by default.
  • $wgLBFactoryConf : Class names have had underscores removed. The configuration should be updated if LBFactory_Simple or LBFactory_Multi is configured.
  • $wgPasswordSenderName has been removed and is no longer functional. To set a custom mailer name, the system message 'emailsender' should be modified (default: "{{SITENAME}}").
  • (bug 63269) Email notifications were not correctly handling the MediaWiki:Helppage message being set to a full URL (the default). If you customized MediaWiki:Enotif body (the text of email notifications), you'll need to edit it locally to include the URL via the new variable $HELPPAGE instead of the parser functions fullurl and canonicalurl; otherwise you don't have to do anything.
  • $wgDBAhandler was removed as the only class using it was also removed
  • The 'max threads' setting was removed from $wgDBservers .
  • Support for AdminSettings.php has been completely removed. All configuration belongs in LocalSettings.php.
  • $wgSkipSkin , which has been replaceable by $wgSkipSkins since 2005 (r9249), is now formally deprecated.
  • Removed deprecated $wgDisabledActions as it is hardly used anywhere.
  • $wgRateLimitLog has been deprecated and replaced by $wgDebugLogGroups ['ratelimit'].
  • $wgLocalInterwikis is an array containing multiple local interwiki prefixes (interwiki prefixes that point back to the current wiki). This effectively allows more than one value of $wgLocalInterwiki to be specified and understood by the parser. The value of $wgLocalInterwiki is automatically prepended to the start of this array.
  • $wgQueryPages has been removed. Query Pages should be added to by using the wgQueryPages hook.
  • $wgHttpOnlyBlacklist has been removed.
  • $wgLicenseTerms has been removed as it was unused.
  • $wgProfileOnly is now deprecated; set the log file in $wgDebugLogGroups ['profileoutput'] to replace it.
  • $wgMaxBacklinksInvalidate was removed; use $wgJobBackoffThrottling instead
  • Deprecated ResourceLoaderGetStartupModules hook.

New features

  • ResourceLoader can utilize the Web Storage API to cache modules client-side. Compared to the browser cache, caching in Web Storage allows ResourceLoader to be more granular about evicting stale modules from the cache while retaining the ability to retrieve multiple modules in a single HTTP request. This capability can be enabled by setting $wgResourceLoaderStorageEnabled to true. This feature is currently considered experimental and should only be enabled with care.
  • (bug 6092) Add expensive parser functions {{REVISIONID:}}, {{REVISIONUSER:}} and {{REVISIONTIMESTAMP:}} (with friends).
  • Add "wgRelevantUserName" to mw.config containing the current Skin::getRelevantUser value.
  • (bug 56033) Add content model to the page information.
  • Added Article::MissingArticleConditions hook to give extensions a chance to hide their (unrelated) log entries.
  • Added LonelyPagesQuery hook to let extensions modify the query used to generate Special:LonelyPages.
  • Added $wgOpenSearchDefaultLimit defining the default number of entries to show on action=opensearch API call.
  • For namespaces with $wgNamespaceProtection (including the MediaWiki namespace), the "protect" tab will be shown only if there are restriction levels available that would restrict editing beyond what $wgNamespaceProtection already applies. The protection form will offer only those protection levels.
  • Added $wgAPIFormatModules , allowing extensions to add additional output formatting modules for the API.
  • (bug 47812) The MediaWiki:Group-user.{css,js} pages can now be used to add custom CSS or JavaScript enabled only for registered users.
  • (bug 52005) Special pages RecentChanges, RecentChangesLinked and Watchlist now include a legend describing the symbols used in lists of changes.
  • Improved the accessibility of the tabs in Special:Preferences.
  • Added ApiBeforeMain hook, roughly equivalent to the BeforeInitialize hook: it's called after everything is set up but before any major processing happens.
  • The jquery.client module now performs a component-wise version comparison in its #test method when strings are used in the browser map: version '1.10' is now correctly considered larger than '1.2'. Using numbers in the version map is not affected.
  • All API modules now support an assert parameter, which can either be 'user' or 'bot'. The API will throw an error if the user is not logged in (user) or does not have the 'bot' userright (bot). Based off of the AssertEdit extension by Steve Sanbeg.
  • WikitextContent will now render redirects with the expected "redirect" header, rather than as an ordered list. Code calling Article::viewRedirect can probably be changed to no longer special-case redirects.
  • [[Special:Diff]] was added, allowing users to create internal links to revision comparison pages using syntax such as [[Special:Diff/12345]], [[Special:Diff/12345/prev]] or [[Special:Diff/12345/98765]].
  • New user accounts' personal and talk pages are now watched by them by default.
  • Added SkinTemplateGetLanguageLink hook to allow changing the html of language links.
  • Added MessageCache::get hook as a new way to customize messages across multiple sites.
  • Added jquery.throttle-debounce ResourceLoader module to limit the number of callbacks for frequently occurring events.
  • Special:ProtectedPages shows now a table. The timestamp, the reason and the protecting user is also shown.
  • Added experimental support for using Microsoft SQL Server as the database backend.
  • HTMLForm 'select', 'selectandother', 'selectorother', 'multiselect', and 'radio' fields can now use message keys as labels via the 'options-messages' parameter, which overrides the 'options' parameter.
  • Admins can expire users users passwords manually, or on a schedule using the $wgPasswordExpirationDays configuration setting.
  • Add new hook SendWatchlistEmailNotification, this will be used to determine whether to send a watchlist email notification.
  • (bug 42026) Special:Contributions now includes an option to filter page creations, similar to the topOnly option.
  • Add mediawiki.ui.button styling to all pages so wiki content can use styled buttons.
  • Special:UserLogin/signup now does AJAX checks for invalid and taken usernames, displaying the error live.
  • Added BaseTemplateAfterPortlet hook to allow injecting html after portlets in skins.
  • Support has been added for a JSON based localisation file format. The installer has been updated to use it.
  • Changes to content typography (colors, line-height, etc.). See for further information.
  • ResourceLoader: mw.loader.using() now implements a Promise interface.
  • Add new hook ChangesListInitRows accessed via ChangesList::initChangesListRows. If called by the ChangesList consumer this gives extensions a chance to batch process the result set prior to rendering.
  • A PoolCounterRedis class was added which can be make use of in $wgPoolCounterConf . This requires at least one Redis 2.6+ server.
  • $wgProfileToDatabase was removed. Set $wgProfiler to ProfilerSimpleDB in StartProfiler.php instead of using this.
  • (bug 63444) Made it possible to change the indent string (default: 4 spaces) used by FormatJson::encode().

Bug fixes

  • (bug 41759) The "updated since last visit" markers (on history pages, recent changes and watchlist) and the talk page message indicator are now correctly updated when the user is viewing old revisions of pages, instead of always acting as if the latest revision was being viewed.
  • (bug 56443) Special:ConfirmEmail no longer shows a "Mail a confirmation code" when the email address is already confirmed. Also, consistently use "confirmed", rather than "authenticated", when messaging whether or not the user has confirmed an email address.
  • (bug 56912) Show correct link color on cached result of Special:DeadendPages.
  • Classes TitleListDependency and TitleDependency have been removed, as they have been found unused in core and extensions for a long time.
  • (bug 57098) SpecialPasswordReset now obeys returnto parameter
  • (bug 37812) ResourceLoader will notice when a module's definition changes and recompile it accordingly.
  • (bug 57201) SpecialRecentChangesFilters hook is now executed for feeds.
  • (bug 58640) Fixed a compatibility issue with PCRE 8.34 that caused pages to appear blank or with missing text.
  • (bug 56931) Updated the plural rules to CLDR 24. They are in new format which is detailed in UTS 35 Rev 33. The PHP parser and evaluator as well as the JavaScript evaluator were updated to support the new format. Plural rules for some languages have changed, most notably Russian. Affected software messages have been updated and marked for review at
  • (bug 14323) Redirect pages, when viewed with redirect=no, no longer hide the remaining page content.
  • (bug 23542) imagelinks now stores both the redirect and target (as templatelinks does).
  • (bug 58167) The web installer no longer throws an exception when PHP is compiled without support for MySQL yet with support for another DBMS.
  • (bug 56199) Raw option of parser functions must now match complete word, to take effect.
  • (bug 60543) Special:PrefixIndex forgot stripprefix=1 for "Next page" link
  • (bug 29762) Undoing an already-undone edit will now display an appropriate message instead of leading the user to make a null edit.
  • (bug 52659) mediawiki.notification: Notification area remained visible when empty and thus was stealing pointer events from links on the page.
  • (bug 26811) When a DBUnexpectedError occurs, DB server hostnames are now hidden unless $wgShowExceptionDetails is true, and $wgShowDBErrorBacktrace no longer applies in such cases.
  • (bug 60960) Avoid doing file_exist() checks on data: URIs, as they cause warnings to be printed on Windows due to large path length.
  • (bug 48084) Fixed a bug in the installer that could cause $wgLogo to hold the wrong path to the placeholder logo (skins/common/images/wiki.png).
  • (bug 64289) jquery.textSelection: Don't throw errors on empty collections.

Web API changes

  • (bug 54884) action=parse&prop=categories now indicates hidden and missing categories.
  • action=query&meta=filerepoinfo now returns additional information for each repo.
  • action=parse&prop=languageshtml was deprecated in 1.18 and will be removed in MediaWiki 1.24.
  • action=parse now has disabletoc flag to disable table of contents in output.
  • (bug 25702) list=allcategories, list=allimages, list=alllinks, list=allpages, list=deletedrevs and list=filearchive did not handle case-sensitivity properly for all parameters.
  • ApiQueryBase::titlePartToKey allows an extra parameter that indicates the namespace in order to properly capitalize the title part.
  • (bug 57874) action=feedcontributions no longer has one item more than limit.
  • All API modules now support an assert parameter. See the new features section for more details.
  • Added prop=contributors to fetch the list of contributors to the page.
  • The following API modules will now return entries where fields have been revision-deleted: list=deletedrevs, list=filearchive, list=recentchanges, list=watchlist. "hidden" indicators will be included, in the same style as is already done for prop=revisions.
  • The following API modules will now return the content of revision-deleted fields, in addition to the "hidden" indicators, if the querying user has the necessary rights: list=logevents, list=usercontribs, prop=imageinfo, prop=revisions.
  • The above modules, where applicable, will now return entries filtered by revision-deleted fields if the querying user has the necessary rights. For example, prop=revisions with rvuser or rvexcludeuser will no longer skip revisions where the user was revision-deleted if the current user has the deletedhistory right.
  • The 'hideuser' right, used when blocking, is no longer necessary or sufficient for seeing contributions with revision-deleted in list=usercontribs.
  • list=watchlist now uses the querying user's rights rather than the wlowner's rights when checking whether wlprop=patrol is allowed.
  • (bug 32151) ApiWatch now has pageset capabilities (titles/pageids/generators). Title parameter is now deprecated.
  • (bug 23005) Added action=revisiondelete.
  • Added siprop=restrictions to API action=query&meta=siteinfo for querying possible page restriction (protection) levels and types.
  • Added prop 'limitreportdata' and 'limitreporthtml' to action=parse.
  • (bug 58627) Provide language names on action=parse&prop=langlinks.
  • Deprecated llurl= in favour of llprop=url for action=query&prop=langlinks.
  • Added llprop=langname and llprop=autonym for action=query&prop=langlinks.
  • prop=redirects is added, to return redirects to the pages in the query.
  • list=allredirects is added, to list all redirects pointing to a namespace.
  • (bug 42026) Added ucshow={new,!new,top,!top} to list=usercontribs. Also added newonly to action=feedcontributions.
  • (bug 42026) Deprecated uctoponly in favor of ucshow=top.
  • list=search no longer has a "srredirects" parameter. Redirects are now included in all searches.
  • Added list=prefixsearch that works like action=opensearch but can be used as a generator.
  • (bug 24782) Various modules will now use unique continuation parameters.
  • (bug 63249) Cache RecentChanges Atom feed in varnish for 15 seconds.

Languages updated

MediaWiki supports over 350 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Bugzilla reports.

  • Support was added for Algerian Spoken Arabic (arq).
  • Support was added for Riograndenser Hunsrückisch (hrx).
  • Support was added for Northern Luri (lrc).

Other changes

  • Added pp_sortkey column to page_props table, so pages can be efficiently queried and sorted by property value (bug 58032). See $wgPagePropsHaveSortkey if you want to postpone the schema change.
  • The rc_type field in the recentchanges table has been superseded by a new rc_source field. The rc_source field is a string representation of the change type where rc_type was a numeric constant. This field is not yet queried but will be in a future point release of 1.22.
    • Utilize update.php to create and populate this new field. On larger wiki's which do not wish to update recentchanges table in one large update please review the sql and comments in maintenance/archives/patch-rc_source.sql.
    • The rc_type field of recentchanges will be deprecated in a future point release.
  • The global variable $wgArticle has been removed after a lengthy deprecation.
  • The global functions addButton and insertTags (for mw.toolbar.addButton and mw.toolbar.insertTags) now emits mw.log.warn when accessed.
  • The ExpandTemplates extension has been moved into MediaWiki core.
  • (bug 52812) Removed "Disable search suggestions" from Preference.
  • (bug 52809) Removed "Disable browser page caching" from Preference.
  • Three new modules intended for use by custom skins were added: 'skins.common.elements', 'skins.common.content', and 'skins.common.interface', representing three levels of standard MediaWiki styling. Previously skin creators wishing to use them had to refer to the file names of appropriate files directly, which is now discouraged.
  • The modules 'skins.vector' and 'skins.monobook' have been renamed to 'skins.vector.styles' and 'skins.monobook.styles', respectively, and their definition was changed not to include the common*.css files; the two skins now load the 'skins.common.interface' module instead.
  • A page_links_updated field has been added to the page table.
  • SpecialPage::getTitle has been deprecated in favor of SpecialPage::getPageTitle.
  • BREAKING CHANGE: Two potentially backwards-incompatible changes have been made to the 'SpecialWatchlistQuery' hook's last parameter (array $values) to make the hook more consistent with the 'SpecialRecentChangesQuery' one:
    • Several array keys have been renamed: hideMinor → hideminor, hideBots → hidebots, hideAnons → hideanons, hideLiu → hideliu, hidePatrolled → hidepatrolled, hideOwn → hidemyself.
    • The parameter value is now a FormOptions object, not a plain array (array access operators should continue to work, as it implements the ArrayAccess interface).
  • Option to mark hooks as deprecated has been added.
  • (bug 52811) Preference "Enable section editing via [edit] links" was removed.
  • (bug 52813) Preference "Show table of contents (for pages with more than 3 headings)" was removed.
  • (bug 52810) Preference "Justify paragraphs" was removed.
  • OutputPage::showErrorPage raises a notice if arguments are incoherent.
  • Thumbnails that keep failing to render in thumb.php will be rate-limited againt further render attempts for 1 hour. $wgAttemptFailureEpoch can be altered to reset all rate-limited thumbnails at once.
  • (bug 56572) Builds of the OOjs and OOjs UI libraries are now available.
  • mw.loader.go and mw.loader.version have been removed.
  • (bug 52815) Preference "Enable simplified search bar (Vector skin only)" was removed.
  • A user_password_expires column has been added to the user table. The User object expects this column to exist. Use update.php to create this new field.
  • The jquery.delayedBind ResourceLoader module was deprecated in favor of the jquery.throttle-debounce module. It will be removed in MediaWiki 1.24.
  • mw.user.bucket has been deprecated.
  • On Special:PrefixIndex, a table#mw-prefixindex-list-table was changed to to avoid duplicate ids when the special page is transcluded.
  • (bug 62198) window.$j has been deprecated.
  • Preference "Disable link title conversion" was removed.
  • SpecialRecentChanges no longer includes any functionality for generating feeds - it has been factored out to ApiFeedRecentChanges. Old URLs redirect to new ones.
  • RecentChange::mExtra['lang'] is no longer set and should no longer be used. Extensions should read from other configuration variables, including $wgLocalInterwikis , to identify the current wiki.
  • Sections in the parser test framework have been renamed and the old section names are deprecated. Please use "!!wikitext" and "!!html" (or "!!html/php") instead of "!!input" and "!!result". This allows us to extend parser tests to accommodate additional input/output pairs, such as "!!html/parsoid" (for the output of the Parsoid parser, where it differs from the PHP parser).
  • Special:Search no longer has an "include redirects" option on the advanced tab. Redirects are now included in all searches.
  • mediawiki.api.category's getCategories() 'async' parameter was deprecated.
  • The locations of resources have been split between upstream libraries, now in resources/lib/, local libaries in resources/src/, and local forks of upstream libraries, also in resources/src/.
  • BREAKING CHANGE: The automatically-generated function closure with which ResourceLoader wraps all modules' JavaScript code now binds the identifier names 'jQuery' and '$' to the jQuery object of the version of jQuery that is bundled with MediaWiki. If you bind these names to other objects in global scope (like Zepto.js or document.querySelectorAll, for example) you will need to use different names to or re-bind them at the top of each ResourceLoader-loaded module.
  • (bug 52342) Preference "Remember my login" was removed.

Removed classes

  • FakeMemCachedClient (deprecated in 1.18)
  • RdfMetaData (unused)
  • TitleDependency (unused)
  • TitleListDependency (unused)
  • WikiError (deprecated in 1.17)
  • WikiXmlError (deprecated in 1.17)
  • WikiErrorMsg (deprecated in 1.17)

Renamed classes

  • CdbReader_DBA to CdbReaderDBA
  • CdbReader_PHP to CdbReaderPHP
  • CdbWriter_DBA to CdbWriterDBA
  • CdbWriter_PHP to CdbWriterPHP
  • DiffOp_Add to DiffOpAdd
  • DiffOp_Change to DiffOpChange
  • DiffOp_Copy to DiffOpCopy
  • DiffOp_Delete to DiffOpDelete
  • HWLDF_WordAccumulator to HWLDFWordAccumulator
  • LBFactory_Fake to LBFactoryFake
  • LBFactory_Multi to LBFactoryMulti
  • LBFactory_Simple to LBFactorySimple
  • LBFactory_Single to LBFactorySingle
  • LCStore_Accel to LCStoreAccel
  • LCStore_CDB to LCStoreCDB
  • LCStore_DB to LCStoreDB
  • LCStore_Null to LCStoreNull
  • LoadBalancer_Single to LoadBalancerSingle
  • LoadMonitor_MySQL to LoadMonitorMySQL
  • LoadMonitor_Null to LoadMonitorNull
  • LocalisationCache_BulkLoad to LocalisationCacheBulkLoad
  • csvStatsOutput to CsvStatsOutput
  • extensionLanguages to ExtensionLanguages
  • languages to Languages
  • statsOutput to StatsOutput
  • textStatsOutput to TextStatsOutput
  • wikiStatsOutput to WikiStatsOutput

Removed methods

  • ApiBase::getValidNamespaces() (deprecated in 1.17)
  • ApiMain::setCachePrivate() (deprecated in 1.17)
  • ApiMain::setVaryCookie (deprecated in 1.17)
  • CategoryViewer::addSubcategory() (deprecated in 1.17)
  • EditPage::spamPage() (deprecated since 1.17)
  • Exif::getFormattedData() (deprecated in 1.18)
  • Exif::makeFormattedData() (deprecated in 1.18)
  • Language::convertLinkToAllVariants() (deprecated in 1.17)
  • LanguageConverter::convertLinkToAllVariants() (deprecated in 1.17)
  • Linker::makeBrokenLink() (deprecated in 1.16)
  • Linker::makeBrokenLinkObj() (deprecated in 1.16)
  • Linker::makeColouredLinkObj() (deprecated in 1.16)
  • Linker::makeSizeLinkObj() (deprecated in 1.17)
  • ProfilerSimple::getCpuTime (deprecated in 1.20)
  • Revision::revText() (deprecated in 1.17)
  • SkinTemplate::jstext() (deprecated in 1.21)
  • SpecialPage::__call() (deprecated in 1.17)
  • SpecialPage::executePath() (deprecated in 1.18)
  • SpecialPage::exists() (deprecated in 1.18)
  • SpecialPage::file() (deprecated in 1.18)
  • SpecialPage::func() (deprecated in 1.18)
  • SpecialPage::getGroup() (deprecated in 1.18)
  • SpecialPage::getPage() (deprecated in 1.18)
  • SpecialPage::getPageByAlias() (deprecated in 1.18)
  • SpecialPage::getLocalNameFor() (deprecated in 1.18)
  • SpecialPage::getRegularPages() (deprecated in 1.18)
  • SpecialPage::getRestrictedPages() (deprecated in 1.18)
  • SpecialPage::getTitleForAlias() (deprecated in 1.18)
  • SpecialPage::getUsablePages() (deprecated in 1.18)
  • SpecialPage::includable() (deprecated in 1.18)
  • SpecialPage::init()
  • SpecialPage::initAliasList() (deprecated in 1.18)
  • SpecialPage::initList() (deprecated in 1.18)
  • SpecialPage::name() (deprecated in 1.18)
  • SpecialPage::removePage() (deprecated in 1.18)
  • SpecialPage::resolveAlias() (deprecated in 1.18)
  • SpecialPage::resolveAliasWithSubpage() (deprecated in 1.18)
  • SpecialPage::restriction() (deprecated in 1.18)
  • SpecialPage::setGroup() (deprecated in 1.18)
  • SpecialRecentChanges::feedSetup()
  • SpecialRevisionDelete::extractBitField() (deprecated in 1.22)
  • User::getPageRenderingHash() (deprecated in 1.17)
  • WebRequest::getFileSize() (deprecated in 1.17)
  • WebRequest::isPathInfoBad() (deprecated in 1.17)
  • WikiPage::quickEdit() (deprecated in 1.18)
  • WikiPage::useParserCache() (deprecated in 1.18)
  • WikiPage::viewUpdates() (deprecated in 1.18)

Removed globals


MediaWiki 1.23 requires PHP 5.3.2 or later.

MySQL is the recommended DBMS. PostgreSQL or SQLite can also be used, but support for them is somewhat less mature. There is experimental support for Oracle and Microsoft SQL Server.

The supported versions are:

  • MySQL 5.0.2 or later
  • PostgreSQL 8.3 or later
  • SQLite 3.3.7 or later
  • Oracle 9.0.1 or later
  • Microsoft SQL Server 2005 (9.00.1399)


1.23 has several database changes since 1.22, and will not work without schema updates. Note that due to changes to some very large tables like the revision table, the schema update may take quite long (minutes on a medium sized site, many hours on a large site).

If upgrading from before 1.11, and you are using a wiki as a commons repository, make sure that it is updated as well. Otherwise, errors may arise due to database schema changes.

If upgrading from before 1.7, you may want to run refreshLinks.php to ensure new database fields are filled with data.

If you are upgrading from MediaWiki 1.4.x or earlier, you should upgrade to 1.5 first. The upgrade script maintenance/upgrade1_5.php has been removed with MediaWiki 1.21.

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions.

For notes on 1.21.x and older releases, see HISTORY.

Online documentation

Documentation for both end-users and site administrators is available on, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

Mailing list

A mailing list is available for MediaWiki user support and discussion:

A low-traffic announcements-only list is also available:

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help

There's usually someone online in the IRC channel #mediawiki connect.