Securing phpMyAdmin

30 Apr 2013

,


I run phpMyAdmin for a number of websites and (thanks StackOverflow), this is my check list for phpMyAdmin Security.

What gets done depends a lot on the client’s webhost and how much control I have, but this is a short list of things which can be done.

  1. Change the folder location
    I’ve changed the application folder the obvious ones such as phpMyAdmin or pma to something a little less predictable; databaseliveshere or folder name of your choice.
  2. Passwords
    This is rather duh, but no harm in stating the obvious. Secure passwords which are proof against a brute-force attack
  3. Limit Access by IP Address
    This depends on how many people are accessing phpMyAdmin, and whether everyone has a static IP address, but I like to setup .htaccess so it restricts access to a subset of IP addresses.
    <limit GET> 
        order deny,allow 
        deny from all 
        allow from 81.95.39.134 
    </limit>
    
  4. Root shouldn’t have access to phpMyAdmin
    I edit the config file for phpMyAdmin and set AllowRoot to false
  5. HTTPS
    I set up a self-signed security certificate so I can access phpMyAdmin via https. This way the login and password can’t be leaked to an attacker.