Securing phpMyAdmin on a Shared Server

Nowadays, most web hosts have built-in support for phpMyAdmin. But there are quite a few web hosts which do not support phpMyAdmin, and you have to install it manually. I had to do the same with my web host, FutureQuest (affiliate link), though I am very happy with their services so far.

Installing phpMyAdmin is not a very difficult proposition, but by default it operates in its least secure mode, which is suitable for a local server only. Hence it becomes essential to secure phpMyAdmin; otherwise all your website data would be open to any smart user on the internet. The following tips ensure that nobody gets access to your database, even by accident!

The default Security

As I said before, the default security employed by phpMyAdmin is no security at all: it gives direct access to the panel without asking for a username and password, which is useful only on a personal development server. Because the phpMyAdmin directory resides in the web-accessible area, this default setup cannot be used on your web host's server.

Moreover, in this mode the MySQL username and password are stored in plain text inside the phpMyAdmin directory, which is highly undesirable, even if it might not be a threat when the necessary care is taken in the server configuration.

This default mode is called 'config' in phpMyAdmin terms.

So what’s the solution?

The best solution on a phpMyAdmin server is to use the 'HTTP Authorization' mode, called 'http' in phpMyAdmin terms. This takes care of both problems that arise from the default security settings: it does not allow direct access to the panel but asks for a username and password, and that username and password need not be stored in phpMyAdmin's configuration file, which sits inside the web tree.

Implementing HTTP Authorization

Here I describe the easiest and quickest way of securing phpMyAdmin. Before implementing it, a few constraints must be met by your web host.

If you have chosen a good web host, the above services should be already enabled.

Step 1: Installing phpMyAdmin

First of all, install phpMyAdmin on your web server. Here's a step-by-step guide to installing phpMyAdmin. When choosing the directory name for phpMyAdmin, keep it as random as possible and avoid obvious names like phpMyAdmin, pma, etc. This is security through obscurity, but it is useful all the same!

Step 2: Creating the password file

Connect to your web server via Telnet using the following command:

Microsoft Telnet> open IP-address-of-your-server

Navigate to the bin directory, which should be outside the web tree (inaccessible via the web). Use the following command to create the password file.

[rootuser@servername]$ cd /path/to/apache/bin
[rootuser@servername:/path/to/apache/bin]$ htpasswd -c .pmapassfile mysql_username
New password:
Re-type new password:
Adding password for user mysql_username

The [rootuser@servername]$ part is the prompt after which commands are typed. The command above contains the path to the bin directory. If you are unsure of this path, use an FTP client (like SmartFTP) to log in to your server; it will show the complete file tree of your server.

The .pmapassfile is the name of the file that will store the username and password. You can choose any name you like, but ensure that it starts with a dot.

Remember to use the MySQL username and password for access to phpMyAdmin, and enter the password twice to confirm it. Since we are using HTTP authentication, we can manually edit the config.inc.php file and set the authentication type to http. There is no need to put the username and password of a phpMyAdmin control user in the configuration file.

Now you have created the password file to be used for HTTP authentication. Since it is outside the web tree, nobody can browse to that file.

Step 3: Creating the .htaccess file

This step does not require Telnet. Navigate to the phpMyAdmin directory and create a .htaccess file with the following contents:

AuthUserFile /path/to/apache/bin/.pmapassfile
AuthName RestrictedZoneBeware
AuthType Basic

require valid-user

The AuthName value RestrictedZoneBeware is the realm name shown in the login prompt; it will act as a deterrent and stop unwanted users from going further. You can set it to anything you like!

Now, if you open phpMyAdmin through the browser, instead of getting direct access to the panel, you will get an authentication box as shown below:

Since nobody except you knows the name of the directory, and as long as you don't give out a direct link to it, it is highly unlikely that anybody would reach that page. Thus, you have secured your phpMyAdmin installation!
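As an added example (not from the original post), this Python mimics what Apache does with the .htaccess above: it decodes the browser's Authorization: Basic header, looks the user up in the AuthUserFile entries and compares hashes, and also performs the check from Step 2 that the password file lies outside the web tree. It assumes the {SHA} entry format written by htpasswd -s (chosen because it can be verified with the standard library; htpasswd -B bcrypt is the stronger choice on current Apache) and a constructed user and password.

```python
import base64
import hashlib
import hmac
import os.path

def htpasswd_sha_line(user, password):
    """One AuthUserFile entry in the {SHA} format written by 'htpasswd -s'."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed sample password file (hypothetical user and password).
PASSFILE_LINES = [htpasswd_sha_line("mysql_username", "correct horse battery")]

def basic_header(user, password):
    """The Authorization header value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header):
    """Return (user, password) from a Basic header value, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # user part may not contain ':'
    return (user, password) if sep else None

def check_credentials(lines, user, password):
    """Mimic the AuthUserFile lookup plus 'require valid-user' for {SHA} entries."""
    for line in lines:
        name, _, stored = line.rstrip("\n").partition(":")
        if name != user or not stored.startswith("{SHA}"):
            continue
        expected = htpasswd_sha_line(user, password).split(":", 1)[1]
        return hmac.compare_digest(stored, expected)  # constant-time comparison
    return False  # unknown user, or an entry format this demo does not handle

def authorize(lines, header):
    """True only when the header decodes and matches an entry in the file."""
    creds = parse_basic_header(header)
    return creds is not None and check_credentials(lines, *creds)

def passfile_outside_webtree(auth_user_file, document_root):
    """Step 2's requirement: AuthUserFile must not live under DocumentRoot."""
    path = os.path.normpath(auth_user_file)
    root = os.path.normpath(document_root)
    return os.path.commonpath([path, root]) != root
```

As the decoder shows, Basic auth only base64-encodes the credentials in transit, so the phpMyAdmin directory should be served over HTTPS.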

Creative Commons License © XSRealities.com | Powered by WordPress | ElegantBlue is a custom theme by Nathan Rice. This work is licensed under a Creative Commons Attribution-Share Alike 2.5 India License.