How to Protect and Secure PHPMyAdmin in Production Server

The following are some guidelines for securing phpMyAdmin on a production server:

Modify the Default Directory:

Rename the default “phpmyadmin” URL path to something less obvious, so that automated scanners probing for the default location do not find the login page.
Change the name in the web server configuration file (such as /etc/phpmyadmin/apache.conf).

On Ubuntu 9.10 with Apache2 the equivalent setting is in /etc/apache2/conf.d/phpmyadmin.conf, which links to /etc/phpmyadmin/apache.conf. That file contains the line

Alias /phpmyadmin /usr/share/phpmyadmin

where the first /phpmyadmin (the URL path, not the filesystem path) should be changed to something else to avoid the constant automated probing of the default path, e.g.:

Alias /secret /usr/share/phpmyadmin

Restrict Access:

The first step in securing phpMyAdmin is to restrict who can reach it. Configure your web server to allow only specific IP addresses or networks to access the phpMyAdmin directory. For example, with Apache you can add an Alias directive to map the URL path to the phpMyAdmin installation and then use a <Directory> block to restrict access:

Alias /phpmyadmin "/usr/share/phpmyadmin"
<Directory "/usr/share/phpmyadmin">
   # Apache 2.2 access-control syntax: deny everyone, then allow the listed address.
   # On Apache 2.4 the equivalent is "Require ip YOUR_IP_ADDRESS".
   Order deny,allow
   Deny from all
   Allow from YOUR_IP_ADDRESS
</Directory>

Use Strong Authentication:

Set a strong password for the phpMyAdmin login.
Enable Two-Factor Authentication (2FA) if your phpMyAdmin version supports it.

Encryption:

Enforce HTTPS: Require HTTPS for all phpMyAdmin connections to encrypt data in transit and protect against eavesdropping. Obtain and install a valid SSL/TLS certificate.
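The three measures above (renamed path, IP restriction and mandatory HTTPS) can be applied in one Apache 2.4 fragment. This is an added example, not the page's own apache.conf; it assumes phpMyAdmin is installed in /usr/share/phpmyadmin, that the administrator connects from the placeholder address 203.0.113.10, and that a TLS-enabled virtual host already exists.

```apache
# Added example (not the page's or the phpMyAdmin project's configuration).
# Assumptions: install path /usr/share/phpmyadmin, admin workstation
# 203.0.113.10 (placeholder), TLS vhost already configured.

# 1. Renamed URL path: /dbadmin-x7q is an arbitrary placeholder; pick your own.
Alias /dbadmin-x7q /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php

    # 2 and 3. Every request must come from the allowed address AND arrive
    # over HTTPS. Apache 2.4 "Require" replaces the 2.2 Order/Deny/Allow set.
    <RequireAll>
        Require ip 203.0.113.10
        Require expr "%{HTTPS} == 'on'"
    </RequireAll>
</Directory>

# Internal directories of the install are never meant to be served directly.
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup>
    Require all denied
</Directory>

# Optional: in the port-80 vhost, redirect plaintext requests for the renamed
# path to HTTPS instead of merely refusing them (requires mod_rewrite).
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/dbadmin-x7q(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Run `apachectl configtest` after editing, then confirm from a non-allowed address that the renamed path returns 403 and from the allowed address over plain HTTP that it redirects.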

Disable Root Login: Disable root login to phpMyAdmin and use a dedicated user account with appropriate privileges.

Set Maximum Login Attempts: Configure phpMyAdmin to limit the number of login attempts. This helps prevent brute-force attacks.

Regular Backups: Schedule regular backups of your database. In the event of a security incident, you can restore your data.

Directory & File Permissions: Ensure correct permissions on directories and files. Avoid 777 permissions.

Limit who can access your XAMPP server. Give access to your XAMPP server only to those you can trust. This can be accomplished by preventing access from unauthorised IP addresses using a firewall.
