Instead of disabling functionnalities, why not just secure the whole wiki thing ? 😎
Based on this (http://codedmemes.com/lib/password-protecting-directories-files-domains/), I managed to create a webapp that would "lock down" the whole subdomain, and require users to authenticate. Good news ? With a little tweaking, you can use your own open directory for user authentication.
Here's the .conf file code
<Location />
Order deny,allow
Deny from All
AuthType Basic
AuthName "Authorized Users Only"
Require valid-user
</Location>
This will require that the personn authenticates using an existing user. But you can also (I suppose, didn't try) restrict to a group. It's basic .htaccess directives, but I sincerely don't know how Apple makes it work this way (without having to define the open directory, ldap auth, etc I mena). Sad news, though, it appears that only AuthType Basic works in this case, no Digest 😟
And here is the .plist file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>name</key>
<string>sub.domain.com.webapp.auth_wiki</string>
<key>displayName</key>
<string>(WebApp's Name)</string>
<key>includeFiles</key>
<array>
<string>/Library/Server/Web/Config/apache2/webapp_scripts/httpd_grm_auth_wiki.c onf</string>
</array>
<key>launchKeys</key>
<array/>
<key>proxies</key>
<dict/>
<key>installationIndicatorFilePath</key>
<string>/Library/Server/Web/Config/apache2/webapp_scripts/httpd_grm_auth_wiki.co nf</string>
<key>requiredModuleNames</key>
<array/>
<key>requiredWebAppNames</key>
<array/>
<key>sslPolicy</key>
<integer>0</integer>
</dict>
</plist>
You'll notice that, since I couldn't find the "extra" folder mentionned in the above link, I used the "webapp_scripts" folder. Don't know if it's ok... but at least it works.
Then, you go in Server.app, restart Apache (by disabling and re-enabling websites, for example), edit your website's setting, go to advanced and enable the "WebApp". And you're good to go.
Edit: the worst part, regarding the wiki's default security, it's that through "people" you can access "activities" and, then, most of the wiki's content (files' names, full wiki entries, blog posts, etc... thought I was having a nightmare when I realised this)
Edit 2: By adapting the .conf file, you can also only restrict the access to certain paths (such as /wiki/people/ and /wiki/pages/) just like you would with a .htaccess. It doesn't have to be the whole subdomain.