In this article I will explain some steps you can take to add additional layers of security to your phpMyAdmin installation. This article assumes you already have phpMyAdmin installed on a LAMP server stack.
There are two key things you'll want to do to secure your phpMyAdmin:
Use Apache User Authentication
This will prompt you for a username and password combination before you are able to access phpMyAdmin at all. It might seem like overkill, since phpMyAdmin has its own user authentication. However, an attacker now has to get past the Apache prompt before they can even reach phpMyAdmin's login page, and this additional step could make the difference in protecting your databases.
Require Secure HTTP
It's a good idea to require that all user authentication requests made to your server relating to phpMyAdmin be transmitted over secure HTTP. The reason for this is that if you log in to a website over regular HTTP, anyone positioned on the network path can read your username and password in plain text (see: man-in-the-middle attack).
If you haven't already done so, you need to Set Up SSL on your Apache Web Server.
You will also need to have the mod_rewrite module enabled in Apache.
How to Do It
Edit phpMyAdmin's Apache configuration file:
sudo vim /etc/phpmyadmin/apache.conf
Comment out the following line by putting a # in front of it:
Alias /phpmyadmin /usr/share/phpmyadmin
After the line you just commented out, add the following. The <VirtualHost> and <Directory> wrapper tags are assumed here: the page shows only the directives inside them, but Apache requires a host context for the rewrite and SSL directives and a directory context for the Auth* / Require directives.
<VirtualHost *:80>
    # Plain-HTTP host: its only job is to send every request to HTTPS
    DocumentRoot "/usr/share/phpmyadmin"
    ServerName phpmyadmin.domain-name.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
At the end of the file, add the following:
<VirtualHost *:443>
    DocumentRoot "/usr/share/phpmyadmin"
    ServerName phpmyadmin.domain-name.com
    # Apache user authentication: this prompt appears before phpMyAdmin's own login
    <Directory /usr/share/phpmyadmin>
        AuthType Basic
        AuthName "phpMyAdmin Authentication"
        AuthUserFile /etc/phpmyadmin/passwords
        Require user admin
    </Directory>
    # Serve this host over TLS only
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
Be sure to replace domain-name.com with your site's domain name. Also, make sure that the SSL Certificate / Key paths are correct for your set up.
Finally, you'll need to create the passwords file, where the username / password pair used for authentication will be stored:
sudo htpasswd -c /etc/phpmyadmin/passwords admin
You will be prompted for a password to associate with the admin username. The -c flag creates the file; leave it out when adding further users later, or the existing file will be overwritten.
Restart Apache:
sudo /etc/init.d/apache2 restart
That's it! Now when you go to your phpMyAdmin, you should be forced onto HTTPS and you should see the Apache username / password prompt.
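To confirm both behaviours without clicking through a browser, here is an added check script (not from the original article). It assumes the phpmyadmin.domain-name.com hostname used above and that curl is installed; the embedded sample responses are constructed to show what a correct and an incorrect server send.

```shell
#!/bin/sh
# Added check for the phpMyAdmin setup above; not part of the original article.
# Assumes the article's hostname phpmyadmin.domain-name.com and that curl is
# installed. Set PMA_CHECK_LIVE=1 to query the real server (add -k to the curl
# calls if the certificate is self-signed).

PMA_HOST="${PMA_HOST:-phpmyadmin.domain-name.com}"

# Exit 0 if a raw response-header block is a redirect to an https:// URL.
is_https_redirect() {
  printf '%s\n' "$1" | grep -qi '^HTTP/[0-9.]* 30[1278]' &&
  printf '%s\n' "$1" | grep -qi '^Location: https://'
}

# Exit 0 if a raw response-header block demands HTTP Basic authentication.
requires_basic_auth() {
  printf '%s\n' "$1" | grep -qi '^HTTP/[0-9.]* 401' &&
  printf '%s\n' "$1" | grep -qi '^WWW-Authenticate: Basic'
}

# Constructed sample responses from a correctly configured server.
SAMPLE_HTTP_RESPONSE='HTTP/1.1 302 Found
Location: https://phpmyadmin.domain-name.com/
Content-Type: text/html; charset=iso-8859-1'

SAMPLE_HTTPS_RESPONSE='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="phpMyAdmin Authentication"
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample of a misconfigured server: phpMyAdmin served straight over HTTP.
SAMPLE_BAD_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8'

# Run both checks against the live server; non-zero status if either fails.
live_check() {
  http_hdrs=$(curl -sSI "http://$PMA_HOST/") || return 1
  https_hdrs=$(curl -sSI "https://$PMA_HOST/") || return 1
  is_https_redirect "$http_hdrs" || { echo "FAIL: HTTP is not redirected to HTTPS"; return 1; }
  requires_basic_auth "$https_hdrs" || { echo "FAIL: no Apache auth prompt over HTTPS"; return 1; }
  echo "OK: HTTP redirects to HTTPS and HTTPS requires Basic auth"
}

if [ "${PMA_CHECK_LIVE:-0}" = "1" ]; then
  live_check
fi
```

Run it as PMA_CHECK_LIVE=1 PMA_HOST=your.host ./check.sh after restarting Apache; a 302 to https:// on port 80 and a 401 with WWW-Authenticate: Basic on port 443 are the two results you want to see.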