How to Secure Your phpMyAdmin Installation (Apache)
The first step in securing phpMyAdmin is to change the default directory Alias/Symlink that is used to serve phpMyAdmin.
By default, any user can access phpMyAdmin if they visit the expected URL: https://yourdomain.com/phpmyadmin/

This poses a security risk as attackers are aware of that URL and can access it without restriction.
To avoid this, take the following actions to create a new Alias and change the URL where phpMyAdmin is found.

Change the phpMyAdmin Folder Alias

Open the file /etc/phpmyadmin/apache.conf with a text editor and find the Alias line. The default looks like this:

    Alias /phpmyadmin /usr/share/phpmyadmin

  • If the ServInfo Client is installed, it will detect the insecure default URL and generate a random token for this purpose.
  • This token, if used, allows ServInfo to provide a link to the new phpMyAdmin URL in the Client and Dashboard.

  • It is recommended to append a string from a random string generator to the phpmyadmin Alias, as shown below:

    Alias /phpmyadmin-f73r862b /usr/share/phpmyadmin

Once the Alias has been updated, save, exit your editor and reload Apache:

    systemctl reload apache2

phpMyAdmin will now be available only at the new URL: https://yourdomain.com/phpmyadmin-f73r862b/

This prevents indiscriminate use of the default URL, but provides no actual security should this obscure URL be discovered.

If phpMyAdmin must remain reachable from the internet, you can increase security by using the .htaccess password capability. This blocks access to the installation folder unless the proper credentials are provided, and is in addition to the database user login required by phpMyAdmin itself. Follow these steps to activate .htaccess password protection.

Password Protect the phpMyAdmin Folder

For the password and/or IP based security to work, we must first add AllowOverride All to the Directory section of the file /etc/phpmyadmin/apache.conf using a text editor. Save and exit once the section looks like the following sample:

    <Directory /usr/share/phpmyadmin>
        Options SymLinksIfOwnerMatch
        DirectoryIndex index.php
        AllowOverride All
    </Directory>

     
Next we will need to create or edit the file /usr/share/phpmyadmin/.htaccess per the example below, then save and exit:

    AuthType Basic
    AuthName "Stay Away"
    AuthUserFile /etc/phpmyadmin/.htpasswd
    Require valid-user

     
Now we must create the user and password credentials with the htpasswd utility, replacing ‘username’ with the user name of your choice. When the command is run, you will be prompted to enter a new secure password to complete the setup (the -c flag creates the file, overwriting any existing one; omit it when adding further users later):

    htpasswd -c /etc/phpmyadmin/.htpasswd username

     
Reload Apache to apply the changes and activate password protection:

    systemctl reload apache2

Make note of the username and password, as they will now be required before access to phpMyAdmin is granted.

As an additional or optional security measure, you can restrict access to a specific IP address, set of IP addresses or subnet of IP addresses. This is the best option in situations where static IP addresses are in use or internet access is not required. However, if LAN or WAN dynamic IP addresses are in use, you may find yourself locked out when an IP address changes.

Restrict Access to Specific IP Address or Subnet

  • IP restriction is configured in the Directory section of the file /etc/phpmyadmin/apache.conf. To deny access for all IP addresses and then grant access to a specific IP or subnet, add the following to the file, making sure to use your own IP information:

        Order Deny,Allow
        Deny from All
        Allow from 192.168.1.1

  • To allow an IP subnet instead of a single address, enter only the leading part of the subnet, like so: Allow from 192.168

     
For reference, here is a sample version of the file /etc/phpmyadmin/apache.conf with all the security edits in place:

    Alias /phpmyadmin-f73r862b /usr/share/phpmyadmin

    <Directory /usr/share/phpmyadmin>
        Options SymLinksIfOwnerMatch
        DirectoryIndex index.php
        AllowOverride All
        # limit libapache2-mod-php to files and directories necessary by pma
        <IfModule mod_php7.c>
            php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
            php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/: ...
        </IfModule>
        Order Deny,Allow
        Deny from All
        Allow from 192.168.1.1
    </Directory>

    # Disallow web access to directories that don't need it
    <Directory /usr/share/phpmyadmin/templates>
        Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/libraries>
        Require all denied
    </Directory>

Reload Apache to apply the changes and activate IP based access restriction:

    systemctl reload apache2
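As an added example (not part of the original guide), the same three controls as a small POSIX shell script: it renders the obscure Alias, the Basic-auth directives and the IP allow-list in Apache 2.4 syntax, placing the auth lines in apache.conf directly (so no .htaccess or AllowOverride is needed) and wrapping them in <RequireAll> so that both a valid login and an allowed source address are required, then checks the result over HTTP. Assumptions: Apache 2.4 (the Order/Deny/Allow lines above are 2.2 syntax and only work on 2.4 through mod_access_compat), curl is installed, and the hostname, suffix and subnet are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not the guide's own files. Assumes Apache 2.4 and curl.

# Print a hardened snippet in Apache 2.4 syntax: obscure Alias, Basic auth,
# and an IP allow-list combined with <RequireAll> (both must pass).
# Args: alias suffix, then one or more IPs/CIDRs to allow.
render_pma_config() {
    suffix="$1"; shift
    printf 'Alias /phpmyadmin-%s /usr/share/phpmyadmin\n\n' "$suffix"
    printf '<Directory /usr/share/phpmyadmin>\n'
    printf '    Options SymLinksIfOwnerMatch\n'
    printf '    DirectoryIndex index.php\n'
    printf '    AuthType Basic\n'
    printf '    AuthName "Stay Away"\n'
    printf '    AuthUserFile /etc/phpmyadmin/.htpasswd\n'
    printf '    <RequireAll>\n'
    for net in "$@"; do
        printf '        Require ip %s\n' "$net"
    done
    printf '        Require valid-user\n'
    printf '    </RequireAll>\n'
    printf '</Directory>\n'
}

# Return only the HTTP status code of a URL (000 if the connection fails).
http_status() {
    curl -k -s -o /dev/null -w '%{http_code}' "$1"
}

# From an allowed address, the default path must be gone (404) and the new
# path must demand credentials (401). Non-zero exit means the hardening is
# not in effect as expected.
check_pma() {
    base="$1"; suffix="$2"
    old=$(http_status "$base/phpmyadmin/")
    new=$(http_status "$base/phpmyadmin-$suffix/")
    [ "$old" = "404" ] && [ "$new" = "401" ]
}

# Usage (f73r862b and 192.168.1.0/24 are placeholder values):
#   render_pma_config f73r862b 192.168.1.0/24 > /tmp/pma-hardening.conf
#   (merge into /etc/phpmyadmin/apache.conf, keeping the php_admin_value lines)
#   apachectl configtest && systemctl reload apache2
#   check_pma https://yourdomain.com f73r862b && echo "hardening verified"
```

Run apachectl configtest before every reload; a syntax error in apache.conf takes the whole server down, not just phpMyAdmin.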