Securing phpMyAdmin

phpMyAdmin is a web-based tool for managing MySQL databases. The installation mainly consists of extracting the distribution and editing the database authentication information. In this article we will secure phpMyAdmin using a change of the directory name and a .htaccess file. First off, let’s extract the package:

[root@srv-5 webroot]# ls php*
phpMyAdmin-2.6.4-pl3.tar.bz2
[root@srv-5 webroot]# tar -xjf phpMyAdmin-2.6.4-pl3.tar.bz2
[root@srv-5 webroot]# ls php* -d
phpMyAdmin-2.6.4-pl3  phpMyAdmin-2.6.4-pl3.tar.bz2
[root@srv-5 webroot]#

At this point, the directory could be guessed. Let’s change the directory to something else:

[root@srv-5 webroot]# mv phpMyAdmin-2.6.4-pl3 secretdir
[root@srv-5 webroot]#

Now, this is security through obscurity; however, as long as users can’t browse your site, and you don’t link to the directory, then it is difficult to find the page. If you are on a shared server, pay particular attention to the file permissions so that others can’t see what directory it is in. You should anyway, but especially if you are on a shared server, as many are. The next step is to create a password file:

[root@srv-5 notinwebtree]# /path/to/apache/bin/htpasswd -c .phpmypass  phpmyus
New password:
Re-type new password:
Adding password for user phpmyus

Note that the password file, .phpmypass, is stored in a directory that is not in the web tree. That is, there is no way that anybody could browse to that file. The next step is to create a .htaccess file in the directory that phpMyAdmin is in:

[root@srv-5 secretdir]# cd secretdir
[root@srv-5 secretdir]# cat .htaccess
AuthUserFile /notinwebtree/.phpmypass
AuthName YourIPisLogged 
AuthType Basic

require valid-user

[root@srv-5 secretdir]#

Now, when users browse to this directory, they will see an authentication box like this:

superfab

Notice that anybody that sees this will see “YourIPisLogged”, which is an additional deterrent. You will also need to set the password with access to your database in the config.inc.php file:

[root@srv-5 secretdir]# vi config.inc.php
$cfg['Servers'][$i]['user']          = 'user';      
$cfg['Servers'][$i]['password']      = 'password';

That is all you need to do. You can now manage your database:

expialidocious