Useful Tips to Secure PhpMyAdmin Login Interface
- Change Default PhpMyAdmin Login URL
Open the phpMyAdmin Apache configuration file for your distribution:
------------ On CentOS/RHEL and Fedora ------------
# vi /etc/httpd/conf.d/phpMyAdmin.conf
------------ On Debian and Ubuntu ------------
# vi /etc/phpmyadmin/apache.conf
Comment out the existing Alias line, then add a new one as follows:
# Alias /phpmyadmin /usr/share/phpmyadmin
Alias /my /usr/share/phpmyadmin
------------ On Debian and Ubuntu ------------
# echo "Include /etc/phpmyadmin/apache.conf" >> /etc/apache2/apache2.conf
Restart the web server that serves phpMyAdmin (Apache, or Nginx with PHP-FPM) to apply the change:
------------ On CentOS/RHEL and Fedora (Nginx) ------------
# systemctl restart nginx
# systemctl restart php-fpm
------------ On CentOS/RHEL and Fedora (Apache) ------------
# systemctl restart httpd
------------ On Debian and Ubuntu (Apache) ------------
# systemctl restart apache2
------------ On Debian and Ubuntu (Nginx) ------------
# systemctl restart nginx
# systemctl restart php5-fpm
- Enable HTTPS on PhpMyAdmin
- Password Protect on PhpMyAdmin
Add these lines to the Apache configuration file (/etc/apache2/sites-available/000-default.conf or /etc/httpd/conf/httpd.conf):
/etc/apache2/sites-available/000-default.conf – On Ubuntu
<Directory /usr/share/phpmyadmin>
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
/etc/httpd/conf/httpd.conf – On CentOS
<Directory /usr/share/phpmyadmin>
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
Then use htpasswd to generate a password file for an account that will be authorized to access the phpmyadmin login page. We will use /etc/apache2/.htpasswd and tecmint in this case:
---------- On Ubuntu/Debian Systems ----------
# htpasswd -c /etc/apache2/.htpasswd tecmint
---------- On CentOS/RHEL Systems ----------
# htpasswd -c /etc/httpd/.htpasswd tecmint
Enter password twice and then change the permissions and ownership of the file. This is to prevent anyone not in the www-data or apache group from being able to read .htpasswd:
---------- On Ubuntu/Debian Systems ----------
# chmod 640 /etc/apache2/.htpasswd
# chgrp www-data /etc/apache2/.htpasswd
---------- On CentOS/RHEL Systems ----------
# chmod 640 /etc/httpd/.htpasswd
# chgrp apache /etc/httpd/.htpasswd
Open your phpMyAdmin URL and you’ll see the authentication dialog before reaching the login page.
- Disable root Login to PhpMyAdmin
Add the following lines to /etc/phpmyadmin/config.inc.php:
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowRoot'] = false;
------------- On CentOS/RHEL Systems -------------
# systemctl restart httpd.service
------------- On Debian/Ubuntu Systems -------------
# systemctl restart apache2.service
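To confirm that the alias change, the Basic-auth block, the .htpasswd permissions and the AllowRoot setting are all in effect, the following audit functions can be run against the files edited above. This is an added example, not part of the original article: the function names and the path arguments are assumptions, and the directive checks look anywhere in the given file rather than only inside the <Directory> block.

```shell
#!/bin/sh
# Added audit example, not from the original article. Every path is an
# argument, so the checks can be pointed at the live files or at copies.

# Succeeds when no active "Alias /phpmyadmin" line remains (comments ignored).
alias_changed() {
    [ -r "$1" ] || return 2
    ! grep -Eiq '^[[:space:]]*Alias[[:space:]]+/phpmyadmin/?[[:space:]]' "$1"
}

# Succeeds when the Basic-auth directives from the <Directory> block are active.
basic_auth_required() {
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$1" &&
    grep -Eiq '^[[:space:]]*AuthUserFile[[:space:]]+[^[:space:]]' "$1" &&
    grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$1"
}

# Succeeds when the password file is mode 640 and belongs to group $2
# (www-data on Debian/Ubuntu, apache on CentOS/RHEL).
htpasswd_locked_down() {
    [ -f "$1" ] || return 1
    listing=$(ls -ld "$1")
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    group=$(printf '%s\n' "$listing" | awk '{print $4}')
    [ "$mode" = "-rw-r-----" ] && [ "$group" = "$2" ]
}

# Succeeds when the last active AllowRoot assignment is false; a later
# "= true" line would override an earlier one, so only the last one counts.
allowroot_disabled() {
    grep -E '^[[:space:]]*\$cfg\[.Servers.\]\[\$i\]\[.AllowRoot.\]' "$1" |
        tail -n 1 |
        grep -Eq '=[[:space:]]*(false|FALSE|False)[[:space:]]*;'
}

# Usage: audit_phpmyadmin ALIAS_CONF AUTH_CONF HTPASSWD GROUP CONFIG_INC
# Prints one line per check and returns the number of failed checks.
audit_phpmyadmin() {
    fails=0
    alias_changed "$1" && echo "PASS alias moved" ||
        { echo "FAIL default /phpmyadmin alias still active"; fails=$((fails + 1)); }
    basic_auth_required "$2" && echo "PASS basic auth required" ||
        { echo "FAIL basic auth directives missing"; fails=$((fails + 1)); }
    htpasswd_locked_down "$3" "$4" && echo "PASS .htpasswd is 640 and group $4" ||
        { echo "FAIL .htpasswd mode or group wrong"; fails=$((fails + 1)); }
    allowroot_disabled "$5" && echo "PASS AllowRoot is false" ||
        { echo "FAIL root login not disabled"; fails=$((fails + 1)); }
    return "$fails"
}
```

On Ubuntu, after sourcing the file, the call would be: audit_phpmyadmin /etc/phpmyadmin/apache.conf /etc/apache2/sites-available/000-default.conf /etc/apache2/.htpasswd www-data /etc/phpmyadmin/config.inc.php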
- Prevent remote usage of phpmyadmin
- Change password frequently
- Check configuration /etc/phpmyadmin