diff --git a/includes/Hooks.php b/includes/Hooks.php
index c620fb31..d044895c 100644
--- a/includes/Hooks.php
+++ b/includes/Hooks.php
@@ -17,9 +17,11 @@ use MediaWiki\Hook\EditFilterHook;
 use MediaWiki\Hook\MovePageCheckPermissionsHook;
 use MediaWiki\Hook\TitleGetEditNoticesHook;
 use MediaWiki\Html\Html;
+use MediaWiki\MainConfigNames;
 use MediaWiki\Permissions\GrantsInfo;
 use MediaWiki\Permissions\Hook\GetUserPermissionsErrorsExpensiveHook;
 use MediaWiki\Revision\RevisionRecord;
+use MediaWiki\Settings\SettingsBuilder;
 use MediaWiki\Status\Status;
 use MediaWiki\Storage\EditResult;
 use MediaWiki\Storage\Hook\PageSaveCompleteHook;
@@ -43,13 +45,14 @@ class Hooks implements
 	PageSaveCompleteHook
 {
 
-	public static function onRegistration() {
-		global $wgGrantRiskGroups;
+	public static function onRegistration( array $extInfo, SettingsBuilder $settings ) {
+		$grantRiskGroups = $settings->getConfig()->get( MainConfigNames::GrantRiskGroups );
 		// Make sure the risk rating is at least 'security'. TitleBlacklist adds the
 		// tboverride-account right to the createaccount grant, which makes it possible
 		// to use it for social engineering attacks with restricted usernames.
-		if ( $wgGrantRiskGroups['createaccount'] !== GrantsInfo::RISK_INTERNAL ) {
-			$wgGrantRiskGroups['createaccount'] = GrantsInfo::RISK_SECURITY;
+		if ( $grantRiskGroups['createaccount'] !== GrantsInfo::RISK_INTERNAL ) {
+			$grantRiskGroups['createaccount'] = GrantsInfo::RISK_SECURITY;
+			$settings->overrideConfigValue( MainConfigNames::GrantRiskGroups, $grantRiskGroups );
 		}
 	}