Phplist Documentation

Securing phpList

This document outlines a number of measures that will help enhance the security of your system. Some of these measures may not be available to all of you, as it depends on the way you have hosted your phpList installation. While it isn't necessary to implement each and every measure suggested in this document, applying as many as you can is recommended.

Keep your installation up to date
Make sure to keep informed of security fixes and upgrades, and install these as soon as they are available. By default phpList will check for updates once a week. You may change this frequency by editing the "How often do you want to check for a new version of phpList (days)" setting on the configuration page of the administrators interface.

Limit executable access (htaccess)
Make sure the .htaccess files in the directories of phpList (particularly those in the "admin" and "commonlib" directories) are active. The .htaccess files included with phpList should ensure that "index.php" is the only file accessible in the admin directory. No other php file should be accessible. Images and stylesheets may still be accessible.
Note: Some server settings may not allow overriding some of the Apache directives placed in the .htaccess files, which means the files are not parsed. If in doubt, check this with your host. If your host does not allow uploading .htaccess files via FTP, you should contact them to find a secure alternative.
For more info see:

Set proper file and directory permissions
Check that your directories and files have proper read/write permissions. Permissions should be as low as possible. This may vary somewhat, depending on the way your server is hosted. However, check that permissions are NOT higher than this (needs to be verified):

Directories: 755 (drwxr-xr-x)
Files: 644 (-rw-r--r--)

For more information on file system permissions, please consult the manual of your particular operating system, or contact your host.
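
An added example, not part of the phpList documentation: a Python script that walks an installation directory and reports every directory above 755 and every regular file above 644, the ceilings given in this section. The script name, function names and command-line usage are assumptions of this example.

```python
#!/usr/bin/env python3
"""Report directories above 755 and files above 644 (added example)."""
import os
import stat
import sys

# Ceilings from this page; the names below are this example's own, not phpList's.
MAX_DIR_MODE = 0o755
MAX_FILE_MODE = 0o644


def audit_tree(root):
    """Return (path, current_mode, suggested_mode) for each directory or
    regular file under root whose mode has bits outside its ceiling."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [(dirpath, MAX_DIR_MODE)]
        candidates += [(os.path.join(dirpath, name), MAX_FILE_MODE)
                       for name in filenames]
        for path, ceiling in candidates:
            st = os.lstat(path)  # lstat: judge the entry itself, never a link target
            if not (stat.S_ISDIR(st.st_mode) or stat.S_ISREG(st.st_mode)):
                continue  # symlinks, sockets and devices are out of scope
            mode = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
            if mode & ~ceiling:
                findings.append((path, mode, mode & ceiling))
    return findings


def main(argv):
    if len(argv) != 2:
        print("usage: audit_perms.py /path/to/phplist", file=sys.stderr)
        return 2
    findings = audit_tree(argv[1])
    for path, mode, suggested in findings:
        flag = "  WORLD-WRITABLE" if mode & stat.S_IWOTH else ""
        print(f"{mode:04o} -> {suggested:04o}  {path}{flag}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script only reports. The suggested mode is the current mode with the excess bits cleared, so review each line before applying it with chmod.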

Run your site as an Apache user with limited permissions
Run the website as an Apache user with very limited permissions on your server, particularly no write permissions in any of the documents of your website. See also Apache security tips.

Password protect the admin directory (htaccess)
Password protect your admin directory. Apache users can use the .htaccess file in the admin directory for that purpose. For more information, see the Apache documentation.
You can use this measure in combination with the administrators login system of your phpList installation, in which case your phpList administrators will have to gain access to the protected admin directory first, and then log in as a phpList admin.

Set "register globals" to "off" (php.ini/htaccess)
Set "register globals" to be "off" in your php.ini file. If your server is in a shared hosting environment, and if you do not have access to php.ini, you could also use this directive in your .htaccess file: php_flag register_globals off
For more information, please consult the PHP documentation on this topic.

Change the phpList admin password
Change the admin password immediately after having installed phpList.

Run phpList behind a firewall
Run your phpList installation on a server that has a firewall installed that only allows the necessary services to be served.

Make sure each database application is owned by a separate database user
If you run several PHP/MySQL applications on the same server, it is recommended to use separate databases, each owned by a different username/password combination. This serves as a containment measure: if an intruder manages to gain access to one of your applications' databases, the others will still remain uncompromised. See also Secure MySQL Database Design.

Backup your database
Make regular backups of your database and keep them in a safe place.
