diff --git a/extension.json b/extension.json
index 357dae5..0ef1493 100644
--- a/extension.json
+++ b/extension.json
@@ -30,9 +30,9 @@
 		"MWAWS\\FSFile": "includes/MWAWS/FSFile.php",
 		"TrimStringIterator": "includes/TrimStringIterator.php"
 	},
-	"ExtensionFunctions": [
-		"AmazonS3Hooks::setup"
-	],
+	"Hooks": {
+		"MediaWikiServices": "AmazonS3Hooks::setup"
+	},
 	"config": {
 		"AWSCredentials": {
 			"description": "Credentials to connect to AWS. Setting this in LocalSettings.php is NOT NEEDED if your EC2 instance has an IAM instance profile, and its IAM role allows access to Amazon S3 (see README).",
diff --git a/includes/AmazonS3Hooks.php b/includes/AmazonS3Hooks.php
index 81aaca5..c09694a 100644
--- a/includes/AmazonS3Hooks.php
+++ b/includes/AmazonS3Hooks.php
@@ -84,7 +84,7 @@ protected function replaceLocalRepo() {
 
 		// Container names are prefixed by WikiId string, which depends on $wgDBPrefix and $wgDBname.
 		$wikiId = WikiMap::getCurrentWikiId();
-		$isPublicWiki = AmazonS3CompatTools::isPublicWiki();
+		$isPublicWiki = $this->earlyIsPublicWiki();
 
 		// Configure zones (public, thumb, deleted, etc.).
 		$containerPaths = [];
@@ -105,6 +105,21 @@ protected function replaceLocalRepo() {
 		$wgFileBackends['s3']['containerPaths'] = $containerPaths;
 	}
 
+	/*
+	 * Returns true if everyone (even anonymous users) can see pages in this wiki, false otherwise.
+	 * Unlike AmazonS3CompatTools::isPublicWiki(), this method can be used during early initialization,
+	 * when services like PermissionManager are not available yet.
+	 * @return bool
+	 */
+	protected function earlyIsPublicWiki() {
+		global $wgGroupPermissions, $wgRevokePermissions;
+
+		$allowed = $wgGroupPermissions['*']['read'] ?? true;
+		$revoked = $wgRevokePermissions['*']['read'] ?? false;
+
+		return $allowed && !$revoked;
+	}
+
 	/**
 	 * Returns container path for $zone, based on $wgAWSBucketName or B/C $wgAWSBucketPrefix.
 	 * @param string $zone Name of the zone, can be 'public', 'thumb', 'temp' or 'deleted'.