Securing phpMyAdmin

30 Apr 2013


I run phpMyAdmin for a number of websites and (thanks StackOverflow), this is my check list for phpMyAdmin Security.

What gets done depends a lot on the client’s webhost and how much control I have, but this is a short list of things which can be done.

  1. Change the folder location
    I’ve changed the application folder the obvious ones such as phpMyAdmin or pma to something a little less predictable; databaseliveshere or folder name of your choice.
  2. Passwords
    This is rather duh, but no harm in stating the obvious. Secure passwords which are proof against a brute-force attack
  3. Limit Access by IP Address
    This depends on how many people are accessing phpMyAdmin, and whether everyone has a static IP address, but I like to setup .htaccess so it restricts access to a subset of IP addresses.
    <limit GET> 
        order deny,allow 
        deny from all 
        allow from 
  4. Root shouldn’t have access to phpMyAdmin
    I edit the config file for phpMyAdmin and set AllowRoot to false
  5. HTTPS
    I set up a self-signed security certificate so I can access phpMyAdmin via https. This way the login and password can’t be leaked to an attacker.

Names Changed to Protect the Guilty

3 Jul 2012

, ,

This came to me via one of my clients – they were talking about problems they’d had with another web developer.

The site in question is a standard ecommerce site where users have to register as part of the checkout process, and login to get downloads, and special discounts. Problem started when the site owner got this email from one of their customers.

I want to report that your site is NOT secure.
I had forgotten my password. So I did a Google search to see if I can find the webpage on how to re-set it.
Guess what? Someone has hacked your site and obtained all the passwords and email addresses and posted them online.
Sure enough, I found my email … and my forgotten password.

Basically, some script kiddies had hacked the site and posted all email addresses and passwords online with lots of (in)appropriate “ha ha, we got you good!” messages

Read More