(this post will also appear in our virtual private server blog)
Since phpMyAdmin, the tool for managing MySQL databases and the underlying server engine, is often the target (and one hard to miss!) of intrusion attempts, we think it is worth mentioning some aspects and tips that can improve the security of your server, be it a dedicated server or a virtual private server (VPS).
1. Keep your phpMyAdmin installation up to date. While this does not prevent attacks per se, it ensures that all known bugs have been fixed;
2. Do not allow anyone to access the setup scripts, or remove them altogether;
3. Allow access only from trusted IP addresses;
4. Move the phpMyAdmin installation away from the default path /phpMyAdmin and outside the webserver root;
5. Possibly even add another layer of authentication in front of phpMyAdmin's own login, to prevent bots and brute-force attackers from obtaining valid user credentials directly.
(1) and (2) should be mandatory for every phpMyAdmin installation;
(3) is a good idea, but it might not be feasible for you, or the range of allowed IPs may be so large that it won't matter anyway. It also requires some minor webserver configuration changes;
(4) and (5) require additional meddling with the webserver configuration, something that might be hard to do if you are running a control panel on top of your dedicated server or virtual private server.
Please note that intrusions into servers via the phpMyAdmin attack vector are very common. If you care to have a look at your webserver logfile, you will inevitably find a lot of random accesses to /phpmyadmin in several variations, and hopefully they are all followed by denied or unauthorised response codes from your webserver. phpMyAdmin is not the only way to break in, of course, but an outdated or open phpMyAdmin installation on a server is like a red rag to a bull…
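A small audit of the log check just described, added here as an example and not code from the original post: it parses constructed Apache combined-format log lines, picks out requests that look like phpMyAdmin probes, counts them by response status, and reports any that were not refused with a 401/403/404. The sample lines and the list of path fragments are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:03:12:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:03:12:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.22 - - [10/May/2024:03:15:44 +0000] "GET /pma/index.php HTTP/1.1" 401 381 "-" "python-requests/2.31"
198.51.100.22 - - [10/May/2024:03:15:45 +0000] "POST /PHPMYADMIN/index.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2024:04:01:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Assumed path fragments that scanners probe for phpMyAdmin; matched case-insensitively.
PMA_HINTS = ("phpmyadmin", "/pma/", "/myadmin/", "setup.php")

# Responses that mean the request was refused, as the post hopes to see in the log.
DENIED = {"401", "403", "404"}

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_pma_probe(path):
    """True when the request path looks like a phpMyAdmin access attempt."""
    p = path.lower()
    return any(h in p for h in PMA_HINTS)

def audit(log_text):
    """Summarise phpMyAdmin probes: counts per status, plus hits that were not denied."""
    by_status = Counter()
    not_denied = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_pma_probe(rec["path"]):
            continue
        by_status[rec["status"]] += 1
        if rec["status"] not in DENIED:
            # A 200 here means the login page (or worse) was served to the prober: review it.
            not_denied.append((rec["host"], rec["method"], rec["path"], rec["status"]))
    return by_status, not_denied
```

Run `audit(open("/var/log/apache2/access.log").read())` against a real log; any entry in the second return value is a probe that reached phpMyAdmin rather than being refused.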
phpMyAdmin is not updated that frequently, but if a security issue arises, you should be quick to close that door. Consider going for the managed option with your contract: it will take this load off your shoulders and give you peace of mind, as such options typically cover security updates.