Changing admin PW?

Questions & Problems about Installing or Upgrading with Version 3 phpList.
Forum rules
Please help the volunteers to help you by supplying the version of phpList you are using, browser & version and if possible, a link to your phpList installation.

Changing admin PW?

Postby adoni » 2:55pm, Tue 06 May, 2014


is there any real reason to do line 6 of the security readme file

6. Change the admin password as soon as you have installed phpList.

in config you give a pw for the script

sure it's not encrypted and readable in plain text

but if you put the config file into a directory with proper .htaccess

no one can hook the config.php file from admin right?

or is there vulnerabilities around that allow people to get the config.php info even from a properly secured .htaccess file that should deny all reading of files except index in admin?

most scripts come with a general pw all users use, to setup the script then you change the pw after the script is on the server

this script has the user set a pw in plain text in config

ok, so what is the issue?

that it was set in config.php in plain text and are the developers someone exploiting the config.php file to be readable?

well .htaccess should stop that right?

or are there security vulnerabilities in the script?

or are they afraid a sniffer may have been between the uploader and his server so any plaint text pw's are wide open in FTP usually

do you know the reasoning for this change admin PW even though you set it already in config.php

seems if they're worried about something, then maybe they should do like most scripts, use the same user and pw to upload and then after first session change out the pw

right now you set it in config.php

then you change it again in the script?

seems a little strange, so if you know the security logic as to this advice

I'd like to know

PL Nut
Posts: 16
Joined: 7:47pm, Mon 05 May, 2014

Re: Changing admin PW?

Postby Dragonrider » 6:00pm, Tue 06 May, 2014

The reason that it is suggested (strongly recommended) to change the default password is simply that it defaults to admin and phplist. Anyone downloading phpList can see this when the start it up.

So, initially, anyone can access your phpList admin pages, so change your default password.

I also like to change the logon from admin to a more relevant login, but that's done via myphpAdmin.
My sites:-,,,
Latest phpList version is now 3.0.12 (3 February 2015) and requires a minimum of MySQL 5.0 and PHP 5.3.x
Posts: 3460
Joined: 6:58am, Sun 02 Jul, 2006
Location: Ilkley, West Yorkshire, United Kingdom

Re: Changing admin PW?

Postby duncanc » 8:24am, Wed 07 May, 2014

Unfortunately most of those readme files are out of date. The security readme is more than 10 years old.
phplist now does not have a default password, you need to enter a password during the installation process.

The config file holds the credentials for the mysql database, the bounce email address and if used the SMTP server. By default, using .htaccess, the config.php file is not accessible through the web server.
Posts: 2440
Joined: 6:34am, Sat 08 May, 2010
Location: London

Re: Changing admin PW?

Postby williamrouse » 2:47am, Mon 12 May, 2014

I need help. I installed phpList and all went well. When I go back to the link:
mydomain/lists/admin the login procedure does not work, or should I say I don't know what to enter.
The default credentials admin/phplist does not work.
The credentials that I entered during the install does not work.
The database credential in the config.php file does not work

What credentials should I use to reenter the Dashboard?
phpList newbie
Posts: 2
Joined: 2:25am, Mon 12 May, 2014

Re: Changing admin PW?

Postby williamrouse » 5:30am, Mon 12 May, 2014

I am not sure what I did right but now I can log in so my last post is resolved.
phpList newbie
Posts: 2
Joined: 2:25am, Mon 12 May, 2014

Return to Installing and Upgrading

Who is online

Users browsing this forum: No registered users and 0 guests