Securing phpMyAdmin

phpMyAdmin is a web-based tool for managing MySQL databases, which also makes it a valuable target: anyone who reaches it with working credentials has full control of your data. Installation mainly consists of extracting the distribution and editing the database connection settings. In this article we will restrict access to phpMyAdmin by renaming its directory and protecting it with HTTP Basic authentication in a .htaccess file. First, extract the package:

[root@srv-5 webroot]# ls php*
[root@srv-5 webroot]# tar -xjf phpMyAdmin-2.6.4-pl3.tar.bz2
[root@srv-5 webroot]# ls php* -d
phpMyAdmin-2.6.4-pl3  phpMyAdmin-2.6.4-pl3.tar.bz2
[root@srv-5 webroot]#

At this point the directory name, and therefore the URL, is trivially guessable. Note also that the tarball is still sitting in the web root, where anybody can download it and learn the exact version you run; delete it or move it out of the web tree. Let's rename the directory to something less obvious:

[root@srv-5 webroot]# mv phpMyAdmin-2.6.4-pl3 secretdir
[root@srv-5 webroot]#

Now, this is security through obscurity, and on its own it stops nobody who is willing to probe URLs. It only makes the page hard to find as long as directory indexes are disabled (so that users can't browse your site) and you never link to the directory; its real value is keeping the phpMyAdmin URL out of casual scans, while the authentication added next does the actual protecting. If you are on a shared server, pay particular attention to file permissions so that other local users can't read your configuration and learn the directory name. You should anyway, but especially on a shared server, as many are. The next step is to create a password file:

[root@srv-5 notinwebtree]# /path/to/apache/bin/htpasswd -c .phpmypass phpmyus
New password:
Re-type new password:
Adding password for user phpmyus

Note that the password file, .phpmypass, is stored in a directory that is not in the web tree. That is, there is no way that anybody could browse to that file. The -c flag creates the file, so omit it when adding further users or the existing file will be overwritten. The file must be readable by the account Apache runs as, but not by everybody else. The next step is to create a .htaccess file in the phpMyAdmin directory:

[root@srv-5 webroot]# cd secretdir
[root@srv-5 secretdir]# cat .htaccess
AuthUserFile /notinwebtree/.phpmypass
AuthName YourIPisLogged
AuthType Basic

require valid-user

[root@srv-5 secretdir]#

This only works if the server configuration permits it: the directory, or one of its parents, needs AllowOverride AuthConfig, otherwise Apache silently ignores the .htaccess file and phpMyAdmin stays wide open, so always verify by requesting the URL yourself. When that is in place, users who browse to this directory will see an authentication box like this:


Anybody who reaches this prompt sees “YourIPisLogged”, which is a small additional deterrent (make sure Apache's access log really does record failed attempts, so that the claim is true). Keep in mind that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so serve this directory over HTTPS or the credentials can be read off the wire. You will also need to set the username and password that phpMyAdmin uses to connect to your database in its configuration file:

[root@srv-5 secretdir]# vi
$cfg['Servers'][$i]['user']          = 'user';      
$cfg['Servers'][$i]['password']      = 'password';

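As an added worked example, not part of the original article, the script below gathers the checks this procedure depends on into one small audit: that no guessable phpMyAdmin* name (directory or tarball) remains in the web root, that the .htaccess in the renamed directory names the password file, that the password file lives outside the document root and is not world-readable, and that the configuration file holding the database password is not world-readable either. It also generates the .htaccess body. The paths /var/www/webroot, /notinwebtree/.phpmypass and the directory name secretdir follow the article; the configuration file name config.inc.php, the script name pma-check.sh and all helper functions are my own assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): checks for a phpMyAdmin
# install protected by a renamed directory plus HTTP Basic auth. The paths
# below are assumptions matching the article's layout; override via the env.
WEBROOT=${WEBROOT:-/var/www/webroot}                # Apache DocumentRoot
PMA_DIR=${PMA_DIR:-$WEBROOT/secretdir}              # renamed phpMyAdmin dir
PASSFILE=${PASSFILE:-/notinwebtree/.phpmypass}      # htpasswd file
PMA_CONFIG=${PMA_CONFIG:-$PMA_DIR/config.inc.php}   # assumed name of the file holding the DB password
REALM=${REALM:-YourIPisLogged}

set -u

# Succeeds when FILE resolves to a path that is not under WEBROOT,
# i.e. the web server cannot serve it no matter what URL is requested.
outside_webroot() {
    local webroot dir file
    webroot=$(cd -- "$1" && pwd -P) || return 1
    dir=$(cd -- "$(dirname "$2")" && pwd -P) || return 1
    file=$dir/$(basename "$2")
    case $file in
        "$webroot"/*) return 1 ;;   # inside the document root: browsable
        *) return 0 ;;
    esac
}

# Succeeds when FILE exists and the "other" read bit (004) is clear, so
# other accounts on a shared host cannot read it.
not_world_readable() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -004)" ]
}

# Print the .htaccess body for a password file and realm. The realm is
# quoted so that one containing spaces still parses.
make_htaccess() {
    printf 'AuthType Basic\nAuthName "%s"\nAuthUserFile "%s"\nRequire valid-user\n' "$2" "$1"
}

# Print the AuthUserFile path named in DIR/.htaccess (quotes stripped);
# fails if the file or the directive is missing.
htaccess_userfile() {
    [ -f "$1/.htaccess" ] || return 1
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; found = 1 }
         END { exit !found }' "$1/.htaccess"
}

# Run every check, printing one line per failure; return non-zero if any failed.
audit() {
    local webroot=$1 pmadir=$2 passfile=$3 config=$4 rc=0 leftover userfile
    # 1. nothing named phpMyAdmin* (directory or tarball) left in the web root
    for leftover in "$webroot"/phpMyAdmin*; do
        [ -e "$leftover" ] && { printf 'FAIL: guessable name in webroot: %s\n' "$leftover"; rc=1; }
    done
    # 2. .htaccess present and pointing at the expected password file
    if userfile=$(htaccess_userfile "$pmadir"); then
        [ "$userfile" = "$passfile" ] || { printf 'FAIL: .htaccess uses %s, expected %s\n' "$userfile" "$passfile"; rc=1; }
    else
        printf 'FAIL: no AuthUserFile in %s/.htaccess\n' "$pmadir"; rc=1
    fi
    # 3. password file outside the web root and not world-readable
    outside_webroot "$webroot" "$passfile" || { printf 'FAIL: %s is under %s\n' "$passfile" "$webroot"; rc=1; }
    not_world_readable "$passfile" || { printf 'FAIL: %s missing or world-readable\n' "$passfile"; rc=1; }
    # 4. the config file holding the database password is not world-readable
    not_world_readable "$config" || { printf 'FAIL: %s missing or world-readable\n' "$config"; rc=1; }
    [ "$rc" -eq 0 ] && printf 'OK: %s\n' "$pmadir"
    return "$rc"
}

# Usage:  ./pma-check.sh htaccess > "$PMA_DIR/.htaccess"   (generate the file)
#         ./pma-check.sh audit                              (verify the setup)
case ${1:-} in
    htaccess) make_htaccess "$PASSFILE" "$REALM" ;;
    audit)    audit "$WEBROOT" "$PMA_DIR" "$PASSFILE" "$PMA_CONFIG" ;;
esac
```

The audit deliberately compares permission bits rather than trying to read the files, so it gives the same answer whether you run it as root or as the web server account; a world-readable password or configuration file on a shared host is a finding even when the ownership happens to be correct.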
With the credentials stored in this file, whoever gets past the HTTP authentication is logged straight into MySQL, so the .htaccess and the permissions on this configuration file are all that stand between an attacker and your data. Use a dedicated MySQL account with only the privileges you need rather than root, and do not leave the file world-readable; phpMyAdmin can also be configured (the auth_type setting) to prompt for the MySQL credentials itself instead of storing them here. That is all you need to do. You can now manage your database: