How to secure phpMyAdmin

phpMyAdmin is free and open-source web application that provides simple GUI for MySQL written in php. phpMyAdmin is widely used to manage MySQL database. Thus this become biggest threat that attacker may get access through MySQL injection or bruteforce attack. This becomes important to give extra security layers for phpMyAdmin.

In this article, we will use few security steps that will prevent attackers to get access phpMyAdmin. If you have have not installed phpMyAdmin, you can install it from this article.

Change phpMyAdmin login URL

When you install phpMyAdmin, the default URL to access phpMyAdmin is http://<your-server-ip>/phpmyadmin. The first step we need is to change Alias for phpMyAdmin. For that open phpMyAdmin configuration file /etc/phpmyadmin/apache.conf in Terminal using nano command.

sudo nano /etc/phpmyadmin/apache.conf

In this file find the line for Alias

Alias /phpmyadmin /usr/share/phpmyadmin

Change /phpmyadmin to something like below that unknown user can't access phpMyAdmin login.

Alias /pma-login /usr/share/phpmyadmin

Save and exit the file. Restart the apache server using command.

sudo service apache2 restart

Now your phpMyAdmin login URL is also changed to the alias you have set. E.g. http://<your-server-ip>/pma-login

Only allow your specific IP address

This is great security measure to allow only whitelisted IP address only. This will restrict unknown users to access phpMyAdmin.

Open the same above config file /etc/phpmyadmin/apache.conf. In the file find the directive <Directory /usr/share/phpmyadmin> and add these lines inside it with your local IPs.

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    
    Order Deny,Allow
    Deny from All
    Allow from 127.0.1.1
    ...

And restart the Apache server.

sudo service apache2 restart

Now every IPs except whitelisted IP will get forbidden message.

Add extra apache security layer

Adding extra apache login layer will provide phpMyAdmin strong security. It will also stop attack on phpMyAdmin login. Here is how you can add extra security with apache2.

In the phpMyAdmin apache configuration file, /etc/phpmyadmin/apache.conf edit and add AllowOverride All in the same directive.

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All
    ...

This will allow you to change configurations from the .htaccess file.

Now create /usr/share/phpmyadmin/.htaccess file and input below authentication configuration.

AuthType Basic
AuthName "Stay Away"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

After creating the file, you will need to create user and password to authenticate. To create that run the below htpasswd command with your username.

sudo htpasswd -c /etc/phpmyadmin/.htpasswd <username>

It will ask to enter and then confirm password. After password confirm, again restart the apache server.

sudo service apache2 restart

Now whenever you try to login phpMyAdmin url, the popup form will ask to enter user and password.

Other measures:

Obviously important point is to set phpMyAdmin password minimum 8 character long with special character and password should be unpredictable. This will secure to prevent dictionary attack.

In addition, you can also configure phpMyAdmin to limit user can access the system. You can set and modify from phpMyAdmin configuration file located at /etc/phpmyadmin/config.inc.php

Here are few option you can add or change:

$cfg['AllowUserDropDatabase'] = false; // restrict user to drop database
$cfg['LoginCookieValidity'] = 14400; // auto logout time

There are always chance to get hacked the server. But the above steps will make phpMyAdmin enough secure to restrict most of the attack. If you also knows the way to keep phpMyAdmin secure, please do write in below comment. Also like our Facebook page and follow us on Twitter.

Was this article helpful?

0 out of 0 person found this article helpful.

Leave a comment

Or

No Comment