Gallery notes

I use Gallery2 for managing pictures on my web site. It's a target for hacker bots. I've seen a lot of scripts trying dictionary attacks against Gallery2.

I am the only one that uses my gallery. I make a few changes to make it more secure.

Make non-essential pages disappear

This gets rid of password recovery. I don't need this and I don't need to leave any potential holes open.

Edit gallery2/.htaccess and add a rule after the #END Url Rewrite section:

# END Url Rewrite section

# This disables password recovery.
RewriteEngine On
RewriteCond %{QUERY_STRING} .*UserRecoverPassword.*$
RewriteRule ^.*$ - [R=404]

Always require the Captcha

Login to your gallery2 as admin user and select "Site Admin". On the left menu you should see "Captcha". Select this and set each of the following options as "High": Login, Guest Comments, Password Items. That will mean that you will always have to enter the Captcha image to login.

Disable Member modules

On the left menu select "Modules". Disable the following modules: "New User Registration", "Members List and Profiles". You don't need those for a single user installation.

Delete Comment Spam

First you have to identify the g_id of the comment. Then you have to delete matching records from g2_Entity, g2_ChildEntity, and g2_Comment. Could also delete the offending user from g2_User.

The following will get rid of most spam. This basically removes any comment with an URL in it. There is an off chance that you might have legitimate comments with URLs. Those will get eliminated too. Too bad!

CREATE TEMPORARY TABLE tmp_g_id
SELECT g_id FROM `g2_Comment`
WHERE g_subject LIKE '%http%' OR g_comment LIKE '%http%';

DELETE FROM g2_Entity
INNER JOIN tmptable ON g2_Entity.g_id = tmp_g_id.g_id;

DELETE FROM g2_ChildEntity
INNER JOIN tmptable ON g2_ChildEntity.g_id = tmp_g_id.g_id;

DELETE FROM g2_Comment
INNER JOIN tmptable ON g2_Comment.g_id = tmp_g_id.g_id;

DROP TEMPORARY TABLE tmp_g_id;