back to

Brute force protection with fail2ban


Is there a way to protect the admin login with fail2ban to prevent brute force attacks? Has someone ever tried/think about this? If you have a lot of personal related data inside phplist, I think its worth putting some energy into system hardening …


I think it´s going to be difficult without creating a way to log loging attempts to a file. But if you want you can create a little hardening.

  1. Rename the default installation folder (lists) and change the location of the admin folder. Remember to edit the config.php

     $pageroot = '/lists';
     $adminpages = '/lists/admin';
  2. Add this lines to the admin .htaccess so only you can log in…

     order allow,deny
     allow from xxx.xx.xxxx
     deny from all

Guide to hardening phpList

2 points about @Angel’s suggestions, you no longer need to specify $adminpages in phpList 3.3.x and where xxx.xx.xxxx shows for the .htaccess file, this should point to your own IP address.

To find your IP address, visit Lookup IP Address Details and remember this will only work if you have a static IP address. If your IP address changes everytime you connect to the internet, this won’t work.


In these days it would be really nice to have features like 2-factor-authentication and an option for brute force protection, especially if systems handle a lot of personal related data.
Static IPs: Not applicable because of dynamic IPs. Moving the admin login URL is some sort of security, but security by obscurity is no real security – maybe you understand what I mean. :wink: