Lock down your phpMyAdmin access!

June 12, 2013 — 5 Comments

There are a couple of ways that I lock it down.. I won’t get into specifics because I don’t want you (or you!) trying to find it, but I can’t count the number of times I’ve seen an old phpMyAdmin install just sitting on someone’s server waiting for someone to type in the correct login and password and screw up your day. The following are a couple good-practice ways to lock it down so that you don’t have to lose sleep over wondering if someone’s going to get in easily.

Rename your phpmyadmin alias:
Edit: /etc/httpd/conf.d/phpmyadmin.conf

Look for:

(or something like that… )

and change it to something like:

Restrict access to your known ip address:
Edit /etc/httpd/conf/phpmyadmin.conf

At the top of the file you’ll see something like:

Modify it to only allow the ip addresses that you’ll connect from:

Restart apache and test it out!

5 responses to Lock down your phpMyAdmin access!

  1. Great tip and guide! It is amazing how many people just leave their server completely open and vulnerable. It is hard to find an unsecured wireless hotspot but you can gain access to an unsecured server almost effortlessly. Doesn’t make much sense, does it? I hope everyone reading this that has a server follows this guide.

    • I agree with you completely. It doesn’t make sense to me either. Like they say, “An ounce of prevention is worth a pound of cure.” And these days, that cure can be quite expensive! This article is quite clear and easy to follow. People are running out of excuses to for why their servers are not secure.

  2. Restricting access by ip address is a great way to lock those tools down. A great trick is to use an SSH tunnel/VPN to connect to the machine, or another machine within the same network. That way you can securely access your admin tools from anywhere, while limiting your allowed ip addresses to only one or two locations.

  3. This is a good idea for keeping your phpMyAdmin locked down. I ran a server for a short while, and you can’t be sure if your access to the server is locked down or not. Most people that visit a website won’t really care about hacking it, but it only takes one person to make your day suck. Definitely bookmarking this for if I start another website.

  4. Is it possible to lock access to any single database and not all in phpmyadmin ?

Leave a Reply