Securing your phpMyAdmin installation ¶

The phpMyAdmin team tries hard to make the application secure, however there are always ways to make your installation more secure:

• Follow our Security announcements and upgrade phpMyAdmin whenever new vulnerability is published.

• Serve phpMyAdmin on HTTPS only. Preferably, you should use HSTS as well, so that you're protected from protocol downgrade attacks.

• Ensure your PHP setup follows recommendations for production sites, for example display_errors should be disabled.

• Remove the test directory from phpMyAdmin, unless you are developing and need a test suite.

• Remove the setup directory from phpMyAdmin, you will probably not use it after the initial setup.

• Properly choose an authentication method - Cookie authentication mode is probably the best choice for shared hosting.

• Deny access to auxiliary files in ./libraries/ or ./templates/ subfolders in your webserver configuration. Such configuration prevents from possible path exposure and cross side scripting vulnerabilities that might happen to be found in that code. For the Apache webserver, this is often accomplished with a .htaccess file in those directories.

• Deny access to temporary files, see $cfg['TempDir'] (if that is placed inside your web root, see also Web server upload/save/import directories.

• It is generally a good idea to protect a public phpMyAdmin installation against access by robots as they usually can not do anything good there. You can do this using robots.txt file in the root of your webserver or limit access by web server configuration, see 1.42 How can I prevent robots from accessing phpMyAdmin?.

• In case you don't want all MySQL users to be able to access phpMyAdmin, you can use $cfg['Servers'][$i]['AllowDeny']['rules'] to limit them or $cfg['Servers'][$i]['AllowRoot'] to deny root user access.

• Enable Two-factor authentication for your account.

• Consider hiding phpMyAdmin behind an authentication proxy, so that users need to authenticate prior to providing MySQL credentials to phpMyAdmin. You can achieve this by configuring your web server to request HTTP authentication. For example in Apache this can be done with:

  AuthType Basic AuthName "Restricted Access" AuthUserFile /usr/share/phpmyadmin/passwd Require valid-user 

  Once you have changed the configuration, you need to create a list of users which can authenticate. This can be done using the htpasswd utility:

  htpasswd -c /usr/share/phpmyadmin/passwd username 

• If you are afraid of automated attacks, enabling Captcha by $cfg['CaptchaLoginPublicKey'] and $cfg['CaptchaLoginPrivateKey'] might be an option.

• Failed login attemps are logged to syslog (if available, see $cfg['AuthLog']). This can allow using a tool such as fail2ban to block brute-force attempts. Note that the log file used by syslog is not the same as the Apache error or access log files.

• In case you're running phpMyAdmin together with other PHP applications, it is generally advised to use separate session storage for phpMyAdmin to avoid possible session-based attacks against it. You can use $cfg['SessionSavePath'] to achieve this.