How to secure phpmyadmin?

I checked out my apache logs, and, whooooaaa, there are a lot of bots trying to exploit phpmyadmin. The first thing i did was to change the directory name to something more obscure.

But, are there any other tips to secure phpmyadmin?

(The database itself is only available from the local network)


Solution 1:

We do a combination of things:

  • Protect phpMyAdmin via .htaccess or Apache configuration which requests a HTTP username/password login.
  • Protect phpMyAdmin via .htaccess or Apache configuration to only allow access from certain trusted IP addresses
  • Put phpMyAdmin in it's own VirtualHost and run it on a non-standard port
  • Only allow HTTPS connections to phpMyAdmin, and not regular HTTP
  • Only allow connections to it from the LAN (use a VPN to get through your firewall, and only allow connections if you're on that LAN/VPN)
  • Don't name the directory it's in something obvious like /phpMyAdmin/

You could also use SSH port forwarding to utilize SSH keys. See https://stackoverflow.com/a/3687969/193494

Solution 2:

Add a .htaccess which only allows local IP access to the phpmyadmin folder.

Solution 3:

Make phpmyadmin available on a vhost that is only accessible from localhost and require users to use ssh and port forwarding to get access to it.

Solution 4:

Use .htaccess

We just toss up an .htaccess file with username/password protection and (depending on the circumstances) IP address.

This allows US to get to the resource quickly and easily from trusted computers but keeps the hackers out.

One other note... don't use the SAME username/password for your .htaccess as you do for PHPMyAdmin... that would be silly. :-)

Hope this helps.