Securing phpMyAdmin

phpMyAdmin is secure for general usage in its default configuration. However, additional steps can be taken to secure it further.

Securing phpMyAdmin involves the following step.
1) Adding SSL support

 

1) Adding SSL support
NOTE: First, make sure you have configured Apache HTTP Server for SSL as explained here.
Open Apache HTTP Server's SSL configuration file, httpd-ssl.conf, and add the following content to the end of the file.
NOTE:
• Replace 192.168.0.100 with the IP address of your machine.
• Replace phpmyadmin.example.com with the URL you intend to use to access phpMyAdmin.

<VirtualHost 192.168.0.100:443>

DocumentRoot "/usr/local/apache2/phpmyadmin"
ServerName phpmyadmin.example.com
ServerAdmin root@localhost
ErrorLog "/usr/local/apache2/logs/ssl-phpmyadmin.example.com-error_log"
TransferLog "/usr/local/apache2/logs/ssl-phpmyadmin.example.com-access_log"

<Directory "/usr/local/apache2/phpmyadmin">
AllowOverride AuthConfig Limit
Require all granted
</Directory>

<Directory "/usr/local/apache2/phpmyadmin/libraries">
Require all denied
</Directory>

<Directory "/usr/local/apache2/phpmyadmin/setup/lib">
Require all denied
</Directory>

<Directory "/usr/local/apache2/phpmyadmin/setup/frames">
Require all denied
</Directory>

SSLEngine on

SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

<FilesMatch "\.(shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog "/usr/local/apache2/logs/ssl-phpmyadmin.example.com-request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Save and close the file.


Restart the Apache service gracefully.

# service apache graceful


Now we can access our phpMyAdmin installation over SSL using the following URL.

https://phpmyadmin.example.com


Suppose we want to force SSL when using phpMyAdmin.
That is, if we type http://phpmyadmin.example.com in the address bar of a web browser, it must be redirected to https://phpmyadmin.example.com.

Add the following line to the end of config.inc.php.

$cfg['ForceSSL'] = true;

From now on, if we try to access phpMyAdmin via http://phpmyadmin.example.com, it will be redirected to https://phpmyadmin.example.com.
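
phpMyAdmin 4.6.0 and later no longer support $cfg['ForceSSL'], so on those versions the redirect has to be done by the web server. The following is an added example, not part of the original page: it reuses the page's sample IP address and host name, and the log file name and the one-year max-age value are assumptions.

```apache
# Added example: plain-HTTP virtual host whose only job is to redirect to HTTPS.
# It has no DocumentRoot for phpMyAdmin, so nothing is ever served over port 80.
<VirtualHost 192.168.0.100:80>
ServerName phpmyadmin.example.com
ServerAdmin root@localhost
# Log file name is an assumption, chosen to match the page's naming pattern.
ErrorLog "/usr/local/apache2/logs/phpmyadmin.example.com-error_log"

# mod_alias: every request path is sent to the same path on the SSL virtual host.
Redirect permanent / https://phpmyadmin.example.com/
</VirtualHost>

# Place the next directive inside the existing <VirtualHost 192.168.0.100:443>
# block (requires mod_headers). It tells browsers to go straight to HTTPS for
# this host for the next year (assumed value), even when http:// is typed.
Header always set Strict-Transport-Security "max-age=31536000"
```

After a graceful restart, a request to http://phpmyadmin.example.com should return a 301 response whose Location header points at https://phpmyadmin.example.com/.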

 

 

 

After securing phpMyAdmin, it is recommended to view the following section.
Customizing phpMyAdmin