In this article I will explain some steps you can take to add some additional levels of security to your phpMyAdmin. This article assumes you already have phpMyAdmin installed on a LAMP server stack.


There are two key things you'll want to do to secure your phpMyAdmin:

Use Apache User Authentication

This will prompt you for a username and password combination before you will be able to access phpMyAdmin. It might seem like overkill, since phpMyAdmin has its own user authentication. However, this additional step could make the difference in protecting your databases against potential attackers.

Require Secure HTTP

It's a good idea to require that all user authentication requests made to your server relating to phpMyAdmin be transmitted over secure HTTP. The reason for this is if you log in to a web site over regular HTTP, there is a risk that someone will be able to see your username and password in plain text (see: Man-in-the-middle attack.

If you haven't already done so, you need to Set Up SSL on your Apache Web Server.

You will also need to have the mod_rewrite module enabled in Apache.


How to Do It

Edit the Apache configuration file within phpMyAdmin:

sudo vim /etc/phpmyadmin/apache.conf

Comment out the following line by putting a # in front of it:

Alias /phpmyadmin /usr/share/phpmyadmin

After the line you just commented out, add the following:

        DocumentRoot "/usr/share/phpmyadmin"        ServerName phpmyadmin.domain-name.com        RewriteEngine On        RewriteCond %{HTTPS} off        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}        DocumentRoot "/usr/share/phpmyadmin"        ServerName phpmyadmin.domain-name.com                  AuthType Basic          AuthName "phpMyAdmin Authentication"          AuthUserFile /etc/phpmyadmin/passwords          Require user admin                SSLEngine on        SSLCertificateFile    /etc/apache2/ssl/server.crt        SSLCertificateKeyFile /etc/apache2/ssl/server.key

At the end of the file, add the following:

Be sure to replace domain-name.com with your site's domain name. Also, make sure that the SSL Certificate / Key paths are correct for your set up.

Finally, you'll need to create the passwords file; where the username / password pair used for authentication will be stored:
sudo htpasswd -c /etc/phpmyadmin/passwords admin
You will be prompted for a password to associate with the admin username.

Restart Apache:
sudo /etc/init.d/apache2 restart

That's it! Now when you go to your phpMyAdmin, you should be forced onto HTTPS and you should see the Apache username / password prompt.