Securing phpMyAdminPosted: April 2, 2017
The things you can do to make your phpMyAdmin less vulnerable to attack:
1. Call it something else.
Normally it is accessed by its alias /phpmyadmin, as defined in the /etc/apache2/conf-enabled/phpmyadmin.conf.
Edit it and rename the alias to something else, something hard for an attacked to guess. You can use apg to generate a random name for it. Restart Apache after you are done.
2. Restrict access to a particular range of addresses
You may chose to allow only local access from localhost, or allow access from the range of your VPN.
Remember that Apache configuration syntax changed as of version is 2.4, so now you have to use Require instead of Order Deny,Allow.
To find out your version:
apachectl -V | grep ‘Server version’
To limit access to phpMyAdmin to allow only connections from localhost and VPN:
Right after the tag add:
Require ip 127.0.0.1
Require ip 10.8.0.0/24
Be aware that anybody who attempts to connect phpMyAdmin form any other address will see a message
You don’t have permission to access […] on this server.”
To avoid that you can rename the alias as described above