How to secure the PhpMyAdmin installation on your Magento website

Most Magento users install PhpMyAdmin to manage the MySQL database and then forget to secure it. This step is important: it makes sure that nobody except you can reach your PhpMyAdmin panel, which holds every table of your shop, customers and orders included.

Install PhpMyAdmin

  • If PhpMyAdmin is not installed yet on Ubuntu, install it with
    sudo apt-get install phpmyadmin
  • Make PhpMyAdmin reachable through Apache
  • After installation PhpMyAdmin may not be reachable via a public URL yet, because Apache does not load its configuration. Open the main Apache configuration file
    sudo nano /etc/apache2/apache2.conf
  • and add the PhpMyAdmin configuration snippet at the end of the file
    Include /etc/phpmyadmin/apache.conf
  • Then restart Apache
    sudo service apache2 restart

Secure PhpMyAdmin access

This is the most important step for securing your PhpMyAdmin. Older versions of PhpMyAdmin had serious security vulnerabilities, including one that allowed remote users to eventually gain root on the underlying virtual private server. Keep PhpMyAdmin up to date, and do not leave its login page reachable by everyone on the internet. The steps below put an extra, web-server-level authentication in front of it.

  • Set up the .htaccess file
  • You allow .htaccess files in the PhpMyAdmin Apache configuration file
    sudo nano /etc/phpmyadmin/apache.conf
  • Under the <Directory /usr/share/phpmyadmin> section, add the line "AllowOverride All" below "DirectoryIndex", so that the section looks like this:
    Options FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All
    [...]
  • Configure the .htaccess file

With .htaccess files allowed, you can now require a separate web-server login before anyone even reaches the PhpMyAdmin login page.

  • Create the .htaccess file in the phpmyadmin directory
    sudo nano /usr/share/phpmyadmin/.htaccess
  • Then set up the user authorization within the .htaccess file by pasting in the text below
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
    Require valid-user

Below is a quick explanation of each line:

  • AuthType: the type of authentication used to check the passwords. With Basic, the browser sends the username and password base64-encoded (not encrypted) in an HTTP header on every request, so serve PhpMyAdmin over HTTPS only. The keyword Basic should not be changed
  • AuthName: the text displayed at the password prompt (the authentication realm). You can put anything here, but the line must be present
  • AuthUserFile: the server path to the password file. Keep it outside the web root, as in this example, so the web server can never serve it to a browser
  • Require valid-user: only users defined in the password file may reach the PhpMyAdmin login screen
  • Create the htpasswd file

Create the password file with the htpasswd command (from the apache2-utils package on Ubuntu) at the path you named in AuthUserFile. The file can be placed anywhere, as long as that location cannot be reached from a browser.

sudo htpasswd -c /etc/apache2/.phpmyadmin.htpasswd username

*Note: You can name the password file as you like, as long as AuthUserFile points to it. Here we use /etc/apache2/.phpmyadmin.htpasswd. The -c option creates the file and overwrites one that already exists, so omit it when adding further users.

  • You will then be asked to enter and confirm the password. Once that succeeds, the username and a hash of the password (not the password itself) are stored in the file
  • Finally, restart Apache
    sudo service apache2 restart
  • Accessing PhpMyAdmin

Your PhpMyAdmin page is far better protected when only authorized users can reach its login form. Browse to http://youripaddress/phpmyadmin (over HTTPS if you have configured it) and enter the username and password you set up in the .htaccess step. Once past that prompt, you log in to PhpMyAdmin itself with your MySQL username and password.
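The whole procedure above (the Include line from the install section, AllowOverride, the .htaccess file, the password file and the Apache restart) as one idempotent POSIX shell script. This is an added example, not code from the original page. It uses the page's own paths as defaults, but they can be overridden through the environment so that the individual functions can be exercised against copies of the files without touching a live server; only the --apply mode changes the system. It assumes Apache 2.4.4 or newer for the htpasswd -B (bcrypt) and -i (password on stdin) options, an openssl fallback producing the APR1-MD5 hash Apache also accepts, and the www-data group of Ubuntu's Apache package; none of those come from the page.

```shell
#!/bin/sh
# Added example (not from the original page): the page's hardening steps as one
# idempotent script. Defaults are the paths the page uses; override them via the
# environment to work on copies. Only --apply touches Apache (run that as root).
set -eu

APACHE2_CONF="${APACHE2_CONF:-/etc/apache2/apache2.conf}"
PMA_APACHE_CONF="${PMA_APACHE_CONF:-/etc/phpmyadmin/apache.conf}"
PMA_DIR="${PMA_DIR:-/usr/share/phpmyadmin}"
HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/apache2/.phpmyadmin.htpasswd}"

# Step 1: make Apache load the PhpMyAdmin snippet, adding the Include line only
# if that exact line is not already present.
ensure_include() {
  conf="$1" snippet="$2"
  grep -qxF "Include $snippet" "$conf" || printf 'Include %s\n' "$snippet" >> "$conf"
}

# Step 2: switch on .htaccess processing inside every <Directory> block of the
# snippet. An existing AllowOverride line is rewritten to "All"; if the block has
# none, one is inserted just before </Directory>. Running it twice changes nothing.
enable_allowoverride() {
  conf="$1" tmp="$1.tmp.$$"
  awk '
    /^[[:space:]]*<Directory[[:space:]]/    { in_dir = 1; seen = 0 }
    in_dir && /^[[:space:]]*AllowOverride/  { sub(/AllowOverride.*/, "AllowOverride All"); seen = 1 }
    in_dir && /^[[:space:]]*<[/]Directory>/ { if (!seen) print "    AllowOverride All"; in_dir = 0 }
    { print }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Step 3: the password file must not live under the web root. Apache's default
# config blocks .ht* names, but a file named anything else there would be served.
# Returns 0 when the file is outside the directory, 1 when it is inside.
outside_webroot() {
  case "$1" in
    "$2"/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# Step 4: write the .htaccess that puts HTTP Basic auth in front of the login
# page (the four directives the page lists, pointing at the password file).
write_htaccess() {
  dir="$1" passfile="$2"
  outside_webroot "$passfile" "$dir" || { echo "refusing: $passfile is inside $dir" >&2; return 1; }
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Files"
AuthUserFile $passfile
Require valid-user
EOF
}

# Step 5: add or update a user. Prefers htpasswd with bcrypt (-B) and the password
# on stdin (-i) so it never shows up in the process list; -c (create) is used only
# when the file does not exist, because -c overwrites an existing file. Falls back
# to openssl's APR1-MD5 hash, which Apache also accepts, if apache2-utils is absent.
add_user() {
  passfile="$1" user="$2" password="$3"
  if command -v htpasswd >/dev/null 2>&1; then
    if [ -f "$passfile" ]; then
      printf '%s\n' "$password" | htpasswd -iB "$passfile" "$user"
    else
      printf '%s\n' "$password" | htpasswd -ciB "$passfile" "$user"
    fi
  elif command -v openssl >/dev/null 2>&1; then
    hashed=$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)
    if [ -f "$passfile" ]; then   # drop an older line for the same user
      grep -v "^$user:" "$passfile" > "$passfile.tmp.$$" || true
      mv "$passfile.tmp.$$" "$passfile"
    fi
    printf '%s:%s\n' "$user" "$hashed" >> "$passfile"
  else
    echo "need htpasswd (apache2-utils) or openssl" >&2
    return 1
  fi
  # Not world-readable, but Apache (www-data on Ubuntu) must still be able to read it.
  chmod 640 "$passfile"
  if [ "$(id -u)" -eq 0 ]; then
    chown root:www-data "$passfile" || echo "warning: chown failed; give Apache read access to $passfile" >&2
  fi
}

# Step 6: apply everything, then syntax-check before restarting (a broken config
# would otherwise take the Magento site down together with PhpMyAdmin).
apply() {
  ensure_include "$APACHE2_CONF" "$PMA_APACHE_CONF"
  enable_allowoverride "$PMA_APACHE_CONF"
  write_htaccess "$PMA_DIR" "$HTPASSWD_FILE"
  add_user "$HTPASSWD_FILE" "$1" "$2"
  apache2ctl configtest
  service apache2 restart
}

if [ "${1:-}" = "--apply" ]; then
  [ $# -eq 3 ] || { echo "usage: $0 --apply <username> <password>" >&2; exit 2; }
  apply "$2" "$3"
fi
```

Run it as `sudo sh harden-pma.sh --apply admin 'long passphrase'` on the server. The configtest before the restart is the check that matters most in practice: a typo in apache.conf or .htaccess does not just break PhpMyAdmin, it stops Apache from coming back up and takes the shop with it.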

Those are the basic steps to protect your PhpMyAdmin installation from being attacked; keep PhpMyAdmin itself updated as well, since the extra login only shields the panel from people who do not know the password.