This document outlines a number of measures that will help enhance the security of your system. Some of these measures may not be available to all of you, as it depends on the way you have hosted your phpList installation. While it isn't necessary to implement each and every measure suggested in this document, applying as many as you can is recommended.
Make sure to keep informed of security fixes and upgrades, and install these as soon as they are available. By default phpList will check for updates once a week. You may change this frequency by editing the "How often do you want to check for a new version of phpList (days)" setting on the configuration page of the administrators interface.
Make sure the .htaccess files in the directories of phpList (particularly those in the "admin" and "commonlib" directories) are active. The .htaccess files included with phpList should ensure that "index.php" is the only file accessible in the admin directory. No other PHP file should be accessible. Images and stylesheets may still be accessible.
Some server settings may not allow overriding some of the Apache directives placed in the .htaccess files, which means the files are not parsed. If in doubt, check this with your host. If your host does not allow uploading .htaccess files via FTP, you should contact them to find a secure alternative.
For more info see:
Check that your directories and files have proper read/write permissions. Permissions should be as low as possible. This may vary somewhat, depending on the way your server is hosted. However, check that permissions are NOT higher than this (needs to be verified):
                    permissions
                    (octal)    (symbolic)
Directories    :    755        d rwx r-x r-x
Files          :    644        - rw- r-- r--
For more information on file system permissions, please consult the manual of your particular operating system, or contact your host.
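As an added check (this script is not part of phpList or its documentation), the following POSIX shell helper walks an installation tree and lists every file or directory whose mode exceeds the maxima in the table above; the function names and the /path/to/phplist placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not phpList's own code: audit an installation tree against
# the maxima in the table above: directories 755 (d rwx r-x r-x) and files
# 644 (- rw- r-- r--). An entry offends if any mode bit exceeds its maximum.

# Symbolic mode string of a path (e.g. "drwxr-xr-x"). ls(1) output is used
# because stat(1) takes different flags on GNU and BSD systems.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed if $1 stays within $2 (both 10-character symbolic strings): at each
# of the nine permission positions the actual character must be '-' or equal
# to the maximum, so extra bits, setuid/setgid ('s') and sticky ('t') all fail.
mode_within() {
    actual=$1; limit=$2; i=2
    while [ "$i" -le 10 ]; do
        a=$(printf '%s' "$actual" | cut -c"$i")
        l=$(printf '%s' "$limit" | cut -c"$i")
        if [ "$a" != "-" ] && [ "$a" != "$l" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Print one "<mode> <path>" line per offending file or directory under $1.
# Symlinks are skipped; the limit is chosen from the entry's type character.
audit_perms() {
    find "$1" \( -type d -o -type f \) -print | while IFS= read -r p; do
        mode=$(mode_of "$p")
        case $mode in
            d*) limit='drwxr-xr-x' ;;
            *)  limit='-rw-r--r--' ;;
        esac
        mode_within "$mode" "$limit" || printf '%s %s\n' "$mode" "$p"
    done
}

# Number of offenders under $1, handy for a cron job or a pre-upgrade check.
count_offenders() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Usage: audit_perms /path/to/phplist   (placeholder path)
```

Run it as the account that owns the web tree; an empty listing means nothing exceeds the table, but it says nothing about whether lower modes are still sufficient for phpList to write where it must.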
Run the website as an Apache user with very limited permissions on your server, particularly no write permissions in any of the documents of your website. See also Apache security tips
Password protect your admin directory. Apache users can use the .htaccess file in the admin directory for that purpose. For more information, see the Apache documentation
You can use this measure in combination with the administrators login system of your phpList installation, in which case your phpList administrators will have to gain access to the protected admin directory first, and then log in as a phpList admin.
Set "register_globals" to "off" in your php.ini file. If your server is in a shared hosting environment, and if you do not have access to php.ini, you could also use this directive in your .htaccess file: php_flag register_globals off
For more information, please consult the PHP documentation on this topic.
Change the admin password immediately after having installed phpList.
Run your phpList installation on a server that has a firewall installed that only allows the necessary services to be served.
If you run several PHP/MySQL applications on the same server, it is recommended to use separate databases, each owned by a different username/password combination. This serves as a containment measure: if an intruder manages to gain access to one of your application's databases, the others will still remain uncompromised. See also Secure MySQL Database Design
Make regular backups of your database and keep them in a safe place.