
Securing phpMyAdmin
Topic:Database   Date: 2005-11-14


phpMyAdmin is a web-based tool for managing MySQL databases. The installation mainly consists of extracting the distribution and editing the database authentication information. In this article we will secure phpMyAdmin by renaming its directory and adding a .htaccess file. First off, let's extract the package:

[root@srv-5 webroot]# ls php*
[root@srv-5 webroot]# tar -xjf phpMyAdmin-2.6.4-pl3.tar.bz2
[root@srv-5 webroot]# ls php* -d
phpMyAdmin-2.6.4-pl3  phpMyAdmin-2.6.4-pl3.tar.bz2
[root@srv-5 webroot]#

At this point, the directory name could be guessed. Let's rename the directory to something else:

[root@srv-5 webroot]# mv phpMyAdmin-2.6.4-pl3 secretdir
[root@srv-5 webroot]#

Now, this is security through obscurity; however, as long as users can't browse your site, and you don't link to the directory, then it is difficult to find the page. If you are on a shared server, pay particular attention to the file permissions so that others can't see what directory it is in. You should anyway, but especially if you are on a shared server, as many are. The next step is to create a password file:

[root@srv-5 notinwebtree]# /path/to/apache/bin/htpasswd -c .phpmypass  phpmyus
New password:
Re-type new password:
Adding password for user phpmyus

Note that the password file, .phpmypass, is stored in a directory that is not in the web tree. That is, there is no way that anybody could browse to that file. The next step is to create a .htaccess file in the directory that phpMyAdmin is in:

[root@srv-5 secretdir]# cd secretdir
[root@srv-5 secretdir]# cat .htaccess
AuthUserFile /notinwebtree/.phpmypass
AuthName YourIPisLogged 
AuthType Basic

require valid-user

[root@srv-5 secretdir]#

Now, when users browse to this directory, they will see an authentication box.

Notice that anybody who sees this box will see "YourIPisLogged", which is an additional deterrent. You will also need to set the password with access to your database in the file:

[root@srv-5 secretdir]# vi
$cfg['Servers'][$i]['user']          = 'user';      
$cfg['Servers'][$i]['password']      = 'password';

That is all you need to do. You can now manage your database.
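
One way to verify the finished setup, as an added example that is not part of the original article: the function checks that .htaccess carries AuthType Basic and require valid-user, that the AuthUserFile target exists outside the web root, and that it is not world-readable. The function names, the temporary demo layout and the placeholder hash are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the article: audit a .htaccess Basic-auth setup.
# usage: audit_htaccess <protected-dir> <web-root>
# Prints one line per finding; the return status is the number of FAIL findings.
audit_htaccess() {
    local ht="$1/.htaccess" webroot="$2" n=0 pw real_pw real_root
    [ -f "$ht" ] || { echo "FAIL: $ht not found"; return 1; }
    # Apache directive names are case-insensitive.
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" ||
        { echo "FAIL: AuthType Basic missing"; n=$((n+1)); }
    grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$ht" ||
        { echo "FAIL: 'require valid-user' missing"; n=$((n+1)); }
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"')
    if [ ! -f "$pw" ]; then
        echo "FAIL: AuthUserFile '$pw' does not exist"; return $((n+1))
    fi
    # Compare physical paths so a symlinked directory cannot hide the location.
    real_pw="$(cd "$(dirname "$pw")" && pwd -P)/$(basename "$pw")"
    real_root=$(cd "$webroot" && pwd -P)
    case "$real_pw" in
        "$real_root"/*) echo "FAIL: $real_pw is inside the web root"; n=$((n+1)) ;;
    esac
    # Character 8 of the ls mode string is the read bit for "other".
    [ "$(ls -ld "$pw" | cut -c8)" = r ] &&
        { echo "FAIL: $pw is world-readable"; n=$((n+1)); }
    # Local users who can list the web root can see the renamed directory.
    [ "$(ls -ld "$webroot" | cut -c8)" = r ] &&
        echo "WARN: $webroot can be listed by other local users"
    return "$n"
}

# Constructed sample mirroring the article's layout, built in a temp directory.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/webroot/secretdir" "$t/notinwebtree"
    echo 'phpmyus:CONSTRUCTED-HASH' > "$t/notinwebtree/.phpmypass"
    chmod 640 "$t/notinwebtree/.phpmypass"; chmod 711 "$t/webroot"
    printf 'AuthUserFile %s\nAuthName YourIPisLogged\nAuthType Basic\n\nrequire valid-user\n' \
        "$t/notinwebtree/.phpmypass" > "$t/webroot/secretdir/.htaccess"
    audit_htaccess "$t/webroot/secretdir" "$t/webroot" && echo "OK: no findings"
    rm -rf "$t"
}
if [ "$#" -eq 2 ]; then audit_htaccess "$1" "$2"; else demo; fi
```

Basic authentication sends the password base64-encoded rather than encrypted, so the directory should be served over HTTPS. Apache only honours these .htaccess directives when the server configuration permits them with AllowOverride AuthConfig.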

