Securing phpMyAdmin

30 Apr 2013



I run phpMyAdmin for a number of websites and (thanks, StackOverflow) this is my checklist for phpMyAdmin security.

What gets done depends a lot on the client’s webhost and how much control I have, but this is a short list of things which can be done.

  1. Change the folder location
    I’ve changed the application folder from the obvious names such as phpMyAdmin or pma to something a little less predictable: databaseliveshere, or a folder name of your choice.
  2. Passwords
    This is rather duh, but no harm in stating the obvious. Secure passwords which are proof against a brute-force attack.
  3. Limit Access by IP Address
    This depends on how many people are accessing phpMyAdmin, and whether everyone has a static IP address, but I like to set up .htaccess so it restricts access to a subset of IP addresses.
    # Restrict access to a fixed set of client IP addresses (Apache 2.2 syntax).
    # Not wrapped in <Limit GET>: that would only restrict GET requests and
    # leave POST (the login form itself) open to everyone.
    Order deny,allow
    Deny from all
    Allow from 81.95.39.134

  4. Root shouldn’t have access to phpMyAdmin
    I edit the config file for phpMyAdmin and set AllowRoot to false.
  5. HTTPS
    I set up a self-signed security certificate so I can access phpMyAdmin via https. This way the login name and password can’t be read off the wire by an attacker.
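As an added example (not code from the original post), here are items 3, 4 and 5 of the checklist expressed in phpMyAdmin’s own config.inc.php, using the directives phpMyAdmin itself provides. The IP address is the one from the .htaccess above, and $i is the server index that config.inc.php already defines; the AllowDeny rules complement the web-server restriction rather than replace it.

```php
<?php
/* Added example: a config.inc.php fragment applying items 3-5 of the
 * checklist inside phpMyAdmin itself. Not the original post's code.
 * $i is the server index config.inc.php already uses; the IP address
 * is the one from the .htaccess rule above. */

$i = 1;

// 3. Limit access by IP address. phpMyAdmin's own AllowDeny rules work
//    alongside the .htaccess rule, so the restriction survives even if
//    the .htaccess is lost on a host move. Rule syntax is
//    'allow|deny <username> from <ip>'; '%' matches any username.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'deny % from all',
    'allow % from 81.95.39.134',
);

// 4. Root shouldn't have access to phpMyAdmin: administer the server from
//    the shell, not from a web form. The default is true.
$cfg['Servers'][$i]['AllowRoot'] = false;

//    Also refuse logins for accounts with an empty password, so a weak
//    account can't be reached through the web front end at all.
$cfg['Servers'][$i]['AllowNoPassword'] = false;

// 5. HTTPS: send any plain-HTTP request to https:// so the login form is
//    never submitted in clear text. A certificate must already be
//    installed on the web server for this to work.
$cfg['ForceSSL'] = true;
```

ForceSSL only redirects; it does not make the certificate trusted. With a self-signed certificate the browser warns on first visit, so check the certificate fingerprint once when you set it up and treat a warning that reappears later as a sign something in the path has changed.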

Names Changed to Protect the Guilty

3 Jul 2012



This came to me via one of my clients – they were talking about problems they’d had with another web developer.

The site in question is a standard ecommerce site where users have to register as part of the checkout process, and log in to get downloads and special discounts. The problem started when the site owner got this email from one of their customers.

I want to report that your site is NOT secure.
I had forgotten my password. So I did a Google search to see if I can find the webpage on how to reset it.
Guess what? Someone has hacked your site and obtained all the passwords and email addresses and posted them online.
Sure enough, I found my email … and my forgotten password.

Basically, some script kiddies had hacked the site and posted all the email addresses and passwords online, with lots of (in)appropriate “ha ha, we got you good!” messages.
