Most Magento users install PhpMyAdmin to manage the MySQL database and then forget to secure it. This part is very important, to make sure nobody else can reach your PhpMyAdmin panel.
- If you haven't installed PhpMyAdmin on Ubuntu yet, you can install it with the command
sudo apt-get install phpmyadmin
- Setup public PhpMyAdmin
- After installing PhpMyAdmin you can't access it via a public URL yet, so you need to enable it by editing the Apache configuration with the command
sudo nano /etc/apache2/apache2.conf
- Then add the PhpMyAdmin configuration to this file by including it (the file path is the one used in the steps below):
Include /etc/phpmyadmin/apache.conf
- Next, restart Apache with the command
sudo service apache2 restart
Secure PhpMyAdmin access
This is the most important step, because it is what actually protects your PhpMyAdmin. Older versions of PhpMyAdmin had serious security vulnerabilities, including one that allowed remote users to obtain root on the underlying virtual private server. There are several things we need to do to keep PhpMyAdmin from being attacked.
- Set up the .htaccess file
- You can do this in the PhpMyAdmin Apache configuration file
sudo nano /etc/phpmyadmin/apache.conf
- Under the directory section, add the line "AllowOverride All" under "DirectoryIndex", so that the section looks like this:
Options FollowSymLinks
DirectoryIndex index.php
AllowOverride All
[...]
- Configure the .htaccess file
With .htaccess files now allowed, you can set up a user who must log in before even reaching the PhpMyAdmin login page.
- You can create the .htaccess file in the phpmyadmin directory
sudo nano /usr/share/phpmyadmin/.htaccess
- Then set up the user authorization within the .htaccess file by copying and pasting the text below into it
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/.phpmyadmin.htpasswd
Require valid-user
Below you'll see a quick explanation of each line
- AuthType: This is the type of authentication used to check the passwords. The passwords are checked via HTTP, and the keyword Basic should not be changed
- AuthName: This is the text displayed at the password prompt. You can put anything here
- AuthUserFile: This line designates the server path to the password file
- Require valid-user: It tells the .htaccess file that only users defined in the password file can access the PhpMyAdmin login screen
- Create the htpasswd file
You need to create a password file with the htpasswd command. It can be placed in any directory you like, as long as that directory cannot be reached from the browser (i.e. it is outside the web root).
sudo htpasswd -c /etc/apache2/.phpmyadmin.htpasswd username
*Note: You can name the password file as you want, as long as it matches the AuthUserFile line in .htaccess. In this situation, we use the name .phpmyadmin.htpasswd
- Then you will be asked to provide and confirm your password. Once you complete this successfully, the username and password are saved, and you can see the password stored in hashed form in the file
- Finally, restart Apache
sudo service apache2 restart
- Accessing PhpMyAdmin
Your PhpMyAdmin page is much more secure now that only authorized users can reach it. To use it, go to youripaddress/phpmyadmin and fill in the username and password you set before. Once you have passed that prompt, you can log in to PhpMyAdmin with the MySQL username and password.
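The steps above are easy to get subtly wrong (the .htaccess is silently ignored if AllowOverride is not set, or the password file ends up inside the web directory where Apache can serve it). The following POSIX shell script is an added example, not part of the original tutorial, that checks the three pieces of the setup against given paths. The function name check_pma_auth and the sample file contents in the usage are assumptions made for this example; the default paths match the ones used in the tutorial.

```shell
#!/bin/sh
# check_pma_auth.sh (added example, not from the original tutorial)
# Verifies the HTTP basic-auth setup for PhpMyAdmin described above:
#   1. the Apache config for PhpMyAdmin allows .htaccess overrides,
#   2. the .htaccess in the PhpMyAdmin directory demands a valid user,
#   3. the password file exists, sits outside the web directory, is not
#      world-readable and contains at least one hashed user entry.
# Paths are arguments so the check can be run against any layout.

# check_pma_auth APACHE_CONF HTACCESS HTPASSWD -> returns 0 only if all checks pass
check_pma_auth() {
    conf="$1"; htaccess="$2"; htpasswd="$3"; failures=0

    # 1. Without AllowOverride All (or at least AuthConfig) Apache ignores
    #    the .htaccess entirely and no login prompt ever appears.
    if ! grep -Eq '^[[:space:]]*AllowOverride[[:space:]]+(All|AuthConfig)' "$conf" 2>/dev/null; then
        echo "FAIL: $conf has no 'AllowOverride All' (or AuthConfig) line"
        failures=$((failures + 1))
    fi

    # 2. The .htaccess must use Basic auth, name a password file and require a valid user.
    for directive in 'AuthType Basic' 'AuthUserFile' 'Require valid-user'; do
        if ! grep -Eq "^[[:space:]]*$directive" "$htaccess" 2>/dev/null; then
            echo "FAIL: $htaccess is missing '$directive'"
            failures=$((failures + 1))
        fi
    done

    # 3. Password file checks.
    if [ ! -f "$htpasswd" ]; then
        echo "FAIL: password file $htpasswd does not exist"
        failures=$((failures + 1))
    else
        # A password file under the PhpMyAdmin directory could be served by Apache.
        webroot=$(dirname "$htaccess")
        case "$htpasswd" in
            "$webroot"/*)
                echo "FAIL: $htpasswd lives inside the web directory $webroot"
                failures=$((failures + 1)) ;;
        esac
        # Other users on the box should not be able to read the hashes
        # (character 8 of the ls -l mode string is the "other" read bit).
        if ls -l "$htpasswd" | cut -c8 | grep -q r; then
            echo "WARN: $htpasswd is world-readable; consider chmod 640"
        fi
        # htpasswd writes one "user:hash" line per user; accept the apr1 (MD5),
        # bcrypt and {SHA} formats it produces. An empty file means the step was skipped.
        if ! grep -Eq '^[^:]+:(\$(apr1|2y|2b)\$|\{SHA\})' "$htpasswd"; then
            echo "FAIL: $htpasswd has no hashed user entry (run htpasswd again)"
            failures=$((failures + 1))
        fi
    fi

    if [ "$failures" -eq 0 ]; then
        echo "OK: PhpMyAdmin is protected by HTTP basic auth"
        return 0
    fi
    return 1
}

# Run the check when invoked directly with the three paths.
if [ "$#" -eq 3 ]; then
    check_pma_auth "$1" "$2" "$3"
fi
```

Run it against the tutorial's paths with `sh check_pma_auth.sh /etc/phpmyadmin/apache.conf /usr/share/phpmyadmin/.htaccess /etc/apache2/.phpmyadmin.htpasswd`; a non-zero exit with a FAIL line tells you which step to redo. The AllowOverride check is the one most worth keeping: a missing override is the classic reason a .htaccess "doesn't work" while everything else looks correct.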
That's all you need to do to protect your PhpMyAdmin from being attacked.