Wikipedia:High-risk templates

Following the protection policy, page protection may be indefinitely applied to all templates, template redirects, and Lua modules that have been identified by the community as being of high risk to Wikipedia. If fully protected so that they can only be edited by administrators, or template-protected so that they can only be edited by administrators and template editors, these pages should be edited cautiously, and consensus should be established for any changes that might be controversial. If semi-protected or extended-confirmed protected, templates and modules may be edited by any established user, but users should ensure there is consensus for their edits and avoid edit wars.

Common reasons
The most common reasons a template or module is considered high-risk are:
 * It is used in a permanently highly visible location (such as the Main page)
 * It is transcluded into a very large number of pages.
 * It is substituted extremely frequently by multiple users on an ongoing basis (for example, templates used to warn users about inappropriate editing).

Criteria
There are generally no fixed criteria, and no fixed number of transclusions, that are used to decide whether a template or module is high-risk; each page is considered separately. If a template or module relates to a biography of a living person, that would strengthen any arguments in favor of its preemptive protection.

Note that a bot automatically:


 * template-protects pages with over 5,000 transclusions,
 * extended-confirmed protects pages with over 2,500 transclusions, and
 * semi-protects pages with over 250 transclusions.

A 2018 RfC identified rough consensus to permanently semiprotect templates with at least around 200–250 transclusions, and a 2021 RfC identified a rough consensus to permanently extended-confirmed protect templates with roughly 2500 to 5000 transclusions.

Rationale
The main reasons for restricting access to high-risk templates are:


 * To prevent vandalism
 * To prevent high server load from unnecessary extra edits to highly transcluded templates
 * To reduce chances of accidental breakage by inexperienced template editors

For templates and modules that are widely used, the damage caused by bad faith or incorrect edits is uniquely high. The fact that numerous readers would see an edit to these pages provides an incentive to vandalize them and also magnifies the damage done by such an act. There have also been cases where well-meaning editors introduced an error to a template that broke millions of pages.

Although template vandalism is usually reverted quickly (often within one minute), the technical aspects of templates create a greater potential for damage than other kinds of vandalism. For templates that are used across hundreds or thousands of articles, any vandalism, no matter how short, could be seen by many readers across the entire encyclopedia. To prevent denial of service attacks, pages are cached and template changes are slowly rolled out across the entire encyclopedia. In some cases, pages may have their caches updated before the vandalism is reverted, and these may stick around for a long time even after the vandalism is fixed. This problem scales with the number of transclusions as the time for changes to roll out increases as the number of pages needing updates increases. Some templates like user warnings are substituted instead of transcluded, and when used the source code of the template is inserted directly onto the page. Because these uses do not update when template vandalism is reverted, disruption on substituted templates will stick around until someone finds the use and fixes it manually—making this kind of vandalism harder to clean up.

In all cases, page protection minimizes the risk posed by bad faith or technically deficient edits to templates (see principle of least privilege). In contrast to our usual policy prohibiting preemptive protection, administrators are given wide latitude to use page protection in order to minimize the unique risks posed by the technical aspects of templates. The technical knowledge required to carry out these attacks is non-trivial, and experience has shown that vandalism to templates is often performed by long-term abusive editors and sleeper accounts. For templates which carry high risk but require frequent maintenance from the general editorial community, lower protection levels such as semi-protection or extended-confirmed protection may be used. For templates that are stable, part of our critical technical infrastructure, or used across thousands of pages, administrators should consider full protection or template protection to enforce code review through edit requests which helps prevent accidental bugs and deliberate attacks.

The correct way to edit high-risk templates

 * It is good practice to make edits on the template's /sandbox page rather than directly to the high-risk template.
 * If needed, get consensus for your changes on the template's talk page.
 * Test your new /sandbox code and make sure it is bug-free. Check the /testcases page to assist with this.
 * Deploy your /sandbox code to the template in one edit.

Minimizing edits to highly transcluded templates
For templates with a very high number of transclusions, minimizing the number of edits to the template is important:

Please do the majority of your edits in the /sandbox instead.
 * Each edit to the template will create server load as it updates the cached wikicode of thousands of other pages.
 * If the template breaks for even a minute while you are making incremental improvements, the breakage may be seen by many readers.

Documentation and padlock
Semi- and fully-protected templates should normally have the template. It loads the usually unprotected  page, so that non-admins and IP-users can edit the documentation and categories. It also automatically adds to protected templates, which displays a small padlock in the top right corner and categorizes the template as a protected template. Only manually add to protected templates that don't use  (mostly the stub templates).

The bottom of protected templates should usually look like this:

This process is not necessary for Lua modules, as the documentation from the module's /doc subpage is automatically shown on the main module page.