The response to this was swift. But I think maybe more needs to be done.
.htaccess is used in many directories (inc/lang, for instance), but
not all.
Unfortunately, not all webservers recognise .htaccess files (e.g. IIS),
so it's a flawed solution. The ideal solution is to adjust your DokuWiki
install so only the executable scripts are below the document root.
Unfortunately, for many hosting services this either isn't feasible or
straightforward. However, if your FTP area starts below your webroot,
it is possible. The instructions for doing so can be found at
http://wiki.splitbrain.org/wiki:security.
For those who use webservers that don't support .htaccess files, and who
use ACL to restrict read access to parts of their wiki, they must take
some action to secure their restricted wiki data, otherwise
http://www.mywiki.com/path/to/savedir/pages/private/namespace/hidden.txt
will reveal the restricted information.
PHP files can be secured, e.g. the DokuWiki plugin files have been
secured. Other PHP files could be given the same mechanism.
first lines ...
// must be run within dokuwiki
if (!defined('DOKU_INC')) die();
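
An added example, not part of the original message and not DokuWiki's own code: a small audit that walks an install and reports which PHP files lack the guard quoted above in their first lines. The 15-line window, the "entry" category for scripts that define DOKU_INC themselves, and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Guard quoted on the page; exit is accepted as well as die.
GUARD = re.compile(r"""if\s*\(\s*!\s*defined\(\s*['"]DOKU_INC['"]\s*\)\s*\)\s*\{?\s*(die|exit)\b""")
# Assumption: a script that define()s DOKU_INC itself is a directly requested entry point.
DEFINES = re.compile(r"""\bdefine\(\s*['"]DOKU_INC['"]""")
HEAD_LINES = 15  # assumption: "first lines" means the first 15 lines
# Constructed sample files, not taken from a real DokuWiki install.
SAMPLE = {
    "doku.php": "<?php\nif(!defined('DOKU_INC')) define('DOKU_INC', dirname(__FILE__).'/');\n",
    "lib/plugins/demo/syntax.php": "<?php\n// must be run within dokuwiki\nif (!defined('DOKU_INC')) die();\n",
    "inc/helper.php": "<?php\nfunction helper() { return 1; }\n",
}


def classify(path):
    """Return 'guarded', 'entry' or 'unguarded' for one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = "".join(line for _, line in zip(range(HEAD_LINES), fh))
    if GUARD.search(head):
        return "guarded"
    return "entry" if DEFINES.search(head) else "unguarded"


def audit(root):
    """Map each status to the sorted relative paths of *.php files under root."""
    report = {"guarded": [], "entry": [], "unguarded": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                report[classify(full)].append(os.path.relpath(full, root).replace(os.sep, "/"))
    return {status: sorted(paths) for status, paths in report.items()}


def write_sample(root):
    for rel, body in SAMPLE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(audit(tmp))
```

The guard only covers PHP files; the .txt page files under the savedir still need the web server to deny access or to sit outside the document root.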