30 Apr 2013
I run phpMyAdmin for a number of websites and (thanks, StackOverflow) this is my checklist for phpMyAdmin security.
What gets done depends a lot on the client’s webhost and how much control I have, but this is a short list of things which can be done.
- Change the folder location
I’ve renamed the application folder from the obvious names, such as phpMyAdmin or pma, to something a little less predictable: databaseliveshere, or any folder name of your choice.
- Use secure passwords
This is rather duh, but there’s no harm in stating the obvious: use passwords that are strong enough to resist a brute-force attack.
- Limit Access by IP Address
This depends on how many people are accessing phpMyAdmin, and whether everyone has a static IP address, but I like to set up .htaccess so it restricts access to a subset of IP addresses.
<Limit GET>
    Order deny,allow
    Deny from all
    Allow from 18.104.22.168
</Limit>
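One caveat on that snippet: wrapping the access rules in <Limit GET> restricts only GET requests, so a POST (the method the phpMyAdmin login form submits with) is not covered by the allow list at all. The following .htaccess is an added example, not the original post’s, showing the same rule applied to every request method, with the Apache 2.4 equivalent alongside; 18.104.22.168 is the address from the post and 203.0.113.0/24 is a constructed placeholder for an office network.

```apache
# .htaccess placed in the (renamed) phpMyAdmin directory.
# The main server config must grant AllowOverride Limit for the
# 2.2 directives, or AllowOverride AuthConfig for the 2.4 Require form.

# Weak form: only GET is restricted, POST is left open.
#<Limit GET>
#    Order deny,allow
#    Deny from all
#    Allow from 18.104.22.168
#</Limit>

# Apache 2.2: no <Limit> wrapper, so the allow list covers all methods.
# With "Order deny,allow", Allow is evaluated last and wins for listed hosts.
Order deny,allow
Deny from all
Allow from 18.104.22.168
# Constructed placeholder range (TEST-NET-3); CIDR notation is accepted.
Allow from 203.0.113.0/24

# Apache 2.4 equivalent. Use this block instead of the three directives
# above on 2.4; do not mix the two syntaxes in the same file.
#<RequireAny>
#    Require ip 18.104.22.168
#    Require ip 203.0.113.0/24
#</RequireAny>
```

Test it from an address outside the list and confirm that both a GET of the login page and a POST to it return 403 before relying on it.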
- Root shouldn’t have access to phpMyAdmin
I edit the phpMyAdmin config file and set AllowRoot to false.
- Use HTTPS
I set up a self-signed security certificate so I can access phpMyAdmin via https. This way the login name and password are not sent in cleartext where an attacker could intercept them.