Securing admin pages with additional (htauth) password

By default, to view the admin pages you need to enter an administrator username and password on the phpList admin login page. However, this is only a single layer of security: if your phpList database were compromised, or the routines used to validate passwords turned out to be exploitable, an attacker could gain full control over your phpList installation.

To add an additional layer of security, we can configure an Apache mod_auth-based password to protect the admin pages. This means that your web server (prior to phpList) will prompt the viewer for a username and password combination before showing them the phpList login page. Because HTTP Basic authentication only Base64-encodes the credentials, make sure the admin pages are served over HTTPS; otherwise this second password is sent in a readable form with every request.

Note

This also means that you need two passwords to administer your list!

Creating an htpasswd file

The mod_auth authentication scheme requires a file, commonly called an htpasswd file, to exist on the web server. It contains pairs of usernames and hashed passwords, one per line. The web server will use this file to validate your username and password when you browse to any URL underneath the /admin/ directory.

This file should be accessible to the web server (that is, on the web server's filesystem), but not accessible to the world (that is, not in a directory which is accessible via a web browser).

In many cases, web-facing files (such as phpList's .php files) are stored in a public_html folder on your web host. You may have other folders including log files, backups, and so on. Choose a location for the password file and make sure you know the filesystem path to this file. (For example, /home/webusers/myusername/htpasswd would be secure, if your web files are in /home/webusers/myusername/public_html/).

Creating an htpasswd file online

The simplest way to generate an htpasswd file is to generate the username and hashed-password pairs online. There are many online tools that use simple code to do this for you. You could search the web for "generate htpasswd file" or use a website like http://www.htaccesstools.com/htpasswd-generator/. Bear in mind that whatever you type into such a site is disclosed to its operator: never reuse a password you use anywhere else, and prefer generating the hash locally (see the next section) whenever you can.

Once you have the username and hashed-password line, save it to a file named htpasswd, and upload it to the chosen directory on your web host. Remember, you need to know the filesystem path to this file.

Creating an htpasswd file in a Unix shell

Assuming you have access to your web host using a Unix shell (or to another Unix-like host), you can also create the password file directly on the web host, using the following command:

htpasswd -cb <filesystem path to password file> <username> <password>

For example, you may use:

[root@webhost myuser]# htpasswd -cb /home/webusers/myusername/htpasswd myuser mypassword
Adding password for user myuser
[root@webhost myuser]#

Note

The -c in the htpasswd command stands for "create". It assumes that the password file doesn't already exist. If you run this against an existing file, it will overwrite this file, so be careful! If you want to add additional usernames to this file, use the htpasswd command without the -c argument. The -b argument takes the password from the command line, which leaves it in your shell history and, briefly, visible to other users in the process list; omit -b and htpasswd will prompt for the password instead. On Apache 2.4, prefer -B, which stores a bcrypt hash instead of the default MD5-based one.

The contents of your password file should look something like this: myuser:CEZqTfQTUZhzw. A 13-character value like this one is a legacy crypt(3) hash, which only uses the first eight characters of the password; current htpasswd releases write $apr1$ (MD5-based) entries by default, and -B writes bcrypt entries, which start with $2y$.
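The following is an added example, not part of this book nor of phpList or Apache: a small Python script that builds the htpasswd line locally (so the password is never typed into a third-party website), reports which hashing scheme each existing entry uses, and verifies a password against a line. The $apr1$ routine follows the published md5crypt algorithm that htpasswd -m implements; the sample file contents and the names make_line, audit and verify are the example's own.

```python
# Added example (not phpList or Apache code): build and audit htpasswd lines
# locally, so the password is never typed into a third-party website.
# The $apr1$ scheme follows the public md5crypt algorithm that htpasswd -m
# and "openssl passwd -apr1" implement; only the standard library is used.
import hashlib
import hmac
import re
import secrets

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> str:
    """md5crypt's base-64 variant: n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<22 chars>' for the password and an up-to-8-char salt."""
    pw, salt = password.encode(), salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # bit-dependent step from the reference code
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):              # 1000 stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + _to64(final[11], 2)
    return f"$apr1${salt}${enc}"


def make_line(user: str, password: str) -> str:
    """One 'user:hash' htpasswd line with a fresh random salt."""
    if ":" in user or "\n" in user:
        raise ValueError("username may not contain ':' or a newline")
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def scheme_of(hash_field: str) -> str:
    """Identify the scheme so legacy entries can be spotted and rotated."""
    if hash_field.startswith("$apr1$"):
        return "apr1"
    if hash_field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt"   # DES crypt(3): only the first 8 password characters count
    return "unknown"


def verify(line: str, password: str) -> bool:
    """Check a password against one 'user:hash' line (apr1 entries only)."""
    _, _, h = line.partition(":")
    if scheme_of(h) != "apr1":
        raise NotImplementedError(f"{scheme_of(h)} entries are not handled here")
    return hmac.compare_digest(apr1_hash(password, h.split("$")[2]), h)


def audit(htpasswd_text: str) -> dict:
    """Map every username in an htpasswd file to its hash scheme."""
    schemes = {}
    for raw in htpasswd_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            user, _, h = line.partition(":")
            schemes[user] = scheme_of(h)
    return schemes


# Constructed sample file: the book's legacy crypt entry plus a fresh apr1 line.
SAMPLE = "myuser:CEZqTfQTUZhzw\n" + make_line("alice", "correct horse battery staple")

if __name__ == "__main__":
    print(make_line("myuser", "mypassword"))   # paste this line into the htpasswd file
    print(audit(SAMPLE))                        # {'myuser': 'crypt', 'alice': 'apr1'}
```

Run it on a workstation, paste the printed line into the htpasswd file on the host, and use audit() on a copy of an existing file to find crypt entries that should be regenerated with htpasswd -B.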

Amending admin/.htaccess

Having a file containing usernames and passwords is not enough to secure access—we need to tell the web server not to allow any visits to any URLs underneath the admin/ directory, unless the user has authenticated against our password file.

We put these instructions in a special file in the admin/ directory called .htaccess.

By default, this file contains the following lines, which deny access to the .php and .inc files under the admin/ directory except for the three entry points that browsers need. (The Order/allow/deny syntax is Apache 2.2's; Apache 2.4 still accepts it when mod_access_compat is loaded, and its native equivalents are Require all denied and Require all granted.)

<FilesMatch "\.(php|inc)$">
Order allow,deny
deny from all
</FilesMatch>
<FilesMatch "(index.php|connector.php|upload.php)$">
Order allow,deny
allow from all
</FilesMatch>

We will add the following directives to this file, either above or below the existing text. Apache only honours them if the AllowOverride setting for the directory includes AuthConfig (or All): with AllowOverride None the file is ignored and the admin pages stay unprotected, and with a setting that excludes AuthConfig Apache answers with a 500 error instead.

# Restrict access to admin/ URLs
AuthUserFile <filesystem path to your htpasswd file>
AuthName "PHPList Admin Access"
AuthType Basic
require valid-user
# End access restriction directives

These lines tell the web server which password file to refer to, what the name of the authentication "realm" is, what type of authentication to use, and instruct it that a valid user match is required.

Tip

Comments

The lines starting with hash characters are comments and are included simply to improve readability. They can be excluded or customized and are ignored by the web server.

Having added the aforementioned lines, the entire admin/.htaccess file will look something like this:

<FilesMatch "\.(php|inc)$">
Order allow,deny
deny from all
</FilesMatch>
<FilesMatch "(index.php|connector.php|upload.php)$">
Order allow,deny
allow from all
</FilesMatch>
# Restrict access to admin/ URLs
AuthUserFile <filesystem path to your htpasswd file>
AuthName "PHPList Admin Access"
AuthType Basic
require valid-user
# End access restriction directives

Having saved the changes to admin/.htaccess, refresh the admin page and your browser will pop up an authentication request for the "PHPList Admin Access" realm, as shown in the following screenshot:

[Screenshot: browser authentication prompt for the admin page]
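As an added example (not part of this book nor of phpList or Apache), the following Python script checks a copy of admin/.htaccess for the mistakes that leave the admin pages open while everything looks configured: a missing require line, an AuthUserFile given as a relative path (which Apache resolves against ServerRoot, not against admin/), and a password file placed under the document root, where it can be downloaded. The directory layout, the function names and the two .htaccess samples are the example's own assumptions.

```python
# Added example (not phpList or Apache code): a deployment check for the
# admin/.htaccess protection block. It parses the directives outside any
# <FilesMatch> section and reports the mistakes that leave the admin pages
# open while looking configured. Paths below are the chapter's examples.
import os
import posixpath


def parse_directives(text: str) -> dict:
    """Return {directive_lowercase: value} for top-level lines; last one wins."""
    found, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
            continue
        if line.startswith("<"):
            depth += 1
            continue
        if depth:                      # inside <FilesMatch ...> etc.: not ours
            continue
        name, _, value = line.partition(" ")
        found[name.lower()] = value.strip().strip('"')
    return found


def check_htaccess(text: str, docroot: str) -> list:
    """Return a list of findings; an empty list means the block looks sound."""
    d = parse_directives(text)
    findings = []
    if d.get("authtype", "").lower() != "basic":
        findings.append("AuthType Basic is missing")
    if "authname" not in d:
        findings.append("AuthName (the realm shown in the browser prompt) is missing")
    req = d.get("require", "").lower()
    if req != "valid-user" and not req.startswith("user "):
        findings.append("no 'require valid-user' (or 'require user ...'): "
                        "the password file is never consulted")
    path = d.get("authuserfile")
    if path is None:
        findings.append("AuthUserFile is missing")
    elif not posixpath.isabs(path):
        findings.append(f"AuthUserFile {path!r} is relative; Apache resolves it "
                        "against ServerRoot, not against admin/")
    else:
        root = posixpath.normpath(docroot)
        if posixpath.commonpath([root, posixpath.normpath(path)]) == root:
            findings.append(f"AuthUserFile {path!r} is under the document root "
                            "and may be downloadable")
        if os.path.exists(path) and os.stat(path).st_mode & 0o004:
            findings.append(f"{path} is world-readable")
    return findings


# Constructed .htaccess contents: the chapter's file, and a broken variant that
# stores the hash file inside public_html and forgot the require line.
GOOD = '''<FilesMatch "\\.(php|inc)$">
Order allow,deny
deny from all
</FilesMatch>
<FilesMatch "(index.php|connector.php|upload.php)$">
Order allow,deny
allow from all
</FilesMatch>
# Restrict access to admin/ URLs
AuthUserFile /home/webusers/myusername/htpasswd
AuthName "PHPList Admin Access"
AuthType Basic
require valid-user
# End access restriction directives
'''
BAD = (GOOD.replace("/home/webusers/myusername/htpasswd",
                    "/home/webusers/myusername/public_html/htpasswd")
           .replace("require valid-user\n", ""))
DOCROOT = "/home/webusers/myusername/public_html"

if __name__ == "__main__":
    print(check_htaccess(GOOD, DOCROOT))   # []
    for finding in check_htaccess(BAD, DOCROOT):
        print("WARNING:", finding)
```

The script cannot see the server's AllowOverride setting, so an empty finding list is not proof that the protection is active; the browser prompt appearing on the admin page is the final check.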

Tip

Remembering passwords

Some web browsers will offer you the option of remembering this password for the future, which is suitable if you are using a browser on a trusted, private computer (that is, don't do this at an Internet cafe!).

Note

Note that this method of restricting access gives you no means of logging out again. HTTP Basic authentication has no logout: once you enter your username and password, your browser resends them with every request to the protected directory until you close the browser.
