How To Secure phpMyAdmin for XAMPP Server

This article describes a few different things you can do to secure your MySQL database and phpMyAdmin access. This tutorial was created based on a Windows XAMPP server, but it can be used on other Apache server configurations if you use the correct directories for your server.

INTRODUCTION

Protecting your MySQL databases should be one of your top priorities if you're using scripts that store information in them. Things like blogs, forums, and CMS programs such as Joomla store the majority of your website's content in their SQL databases. This includes usernames, their passwords, article content, blog posts and a lot more. If someone maliciously accesses your databases, they can alter and/or delete your content, and if they get hold of the root account they can even lock you out of your own MySQL server by changing the root password.

Since you've probably invested hours of hard work into creating your website(s) and its content, this can be disastrous to say the least. While backups will quickly get you back up and running again, it can be very difficult to tell what was altered, and if you're using several databases, getting all of them restored and back online is a lot of work.

Your best choice is to make it secure up front and do your best to minimize the possibility of such an attack before it ever has a chance to happen.

 

TWO TUTORIALS

I've created two tutorials, a written tutorial and a video tutorial.
I recommend the written one, as I've been much more thorough in it than in the video tutorial.
If you decide to use the video tutorial instead, I recommend at least reading the next section, The Most Common Mistakes Made, before proceeding to watch the video.

If you want to use the written tutorial, just read on.
If you want to skip to the video tutorial, go to the Video Tutorial section near the end of this article.

 

THE MOST COMMON MISTAKES MADE

Weak passwords - This is probably the most common problem. Since we want to use passwords we can easily remember, we often end up using phone numbers, birthdays, names, or similar things. The problem is that these are very insecure passwords, and for an attacker they are very easy to guess or crack. It is a bit of a hassle to use strong passwords, because they're almost impossible to remember and therefore you will have to store them somewhere, which makes it a hassle whenever you have to access something. But this alone can almost completely stop an attacker from getting into your database and should be regarded as the single most important measure you can take to protect yourself.

Using the root username and password - This is an absolute no-no. Your root user account should NEVER be used to access a database from your script. The root credentials should be used only for maintenance and never as the username and password settings for your PHP script. The root user has access to all of the databases on your MySQL server and ALL privileges as well, which in the wrong hands can be devastating.

Using the same username and password for every database - This is very tempting to do out of simplicity and ease, but it's a bad idea. Each new database you create should be assigned its own username and password, and that user shouldn't have access to anything more than that one database. This is a safety measure because if someone does obtain that user's MySQL credentials, they will only be able to access the database assigned to that user and not any of the others. This can protect your other databases from being compromised if one of them was exposed through a flaw in the script's code.

Public access to phpMyAdmin - This one is a little tricky, because there are many cases where you may have to have this enabled, and that's fine. But you can greatly reduce your exposure by making phpMyAdmin accessible only from your LAN or from the server itself. I show how to do this in the tutorial if this is an option you wish to try or consider.

Sharing your information - This may sound stupid, but it can often be the worst mistake you can make. I suggest not sharing your root access with ANYONE, bottom line. Unless you fully trust them, this can turn around and bite you. If they store the information irresponsibly or have spyware on their computer, your secure information can easily be leaked to someone you really don't want to have access. And then there's the possibility that they aren't as trustworthy as you thought they were . . . Carefully consider who you give access to your databases and what level of access they have.

 

DIFFERENT WAYS TO PROTECT PHPMYADMIN

There are a few ways I know of to protect your phpMyAdmin access, and there are most likely more that I don't know of, but here are a few things to get you started.

htaccess and htpasswd

These two files can be an incredible help in securing your phpMyAdmin access. You can use the .htaccess file by itself to control which IPs have access to phpMyAdmin, or you can use the two together to require a username and password before the phpMyAdmin login page is even shown. This is great and offers an extra layer of security. Here's how to do both.

Use htaccess to limit or block access to phpmyadmin by IP

To allow from a single or multiple IPs and block access from all others, you can use this in your .htaccess file

Order allow,deny
Allow from 127.0.0.1

You can add additional IPs by simply putting a space between them. Example:

Allow from 127.0.0.1 192.168.1.100

In order to save your file in Windows, you need to enter this as your file name when prompted:

".htaccess"

By using the quotation marks, Windows will let you save it with this name. Windows normally doesn't accept a filename that begins with a period.

Now place the .htaccess file in your phpMyAdmin folder and it should work.

 

Use .htaccess and .htpasswd to password protect phpMyAdmin login

This is probably the choice most will want to use, especially if you don't want to disable the ability to access your database remotely. When someone tries accessing the phpMyAdmin login area, they will be prompted for a username and password prior to being able to access the phpMyAdmin login page, similar to this:

[Screenshot: security_2009-02-18_11-55-22 - the browser's username/password prompt shown before the phpMyAdmin login page]

The .htaccess file

AuthName "Authorized User"
AuthType Basic
AuthUserFile /full/path/to/.htpasswd
Require valid-user

"Authorized User" can be changed to whatever you like.
AuthUserFile should be defined as the full path to your .htpasswd file, including .htpasswd at the end. You don't have to use .htpasswd for the password file name, but it's highly recommended.

The .htpasswd file

username:password

You can define as many username and password combinations as you like here. You can even use encrypted passwords in this file. (See my tutorial on .htaccess and .htpasswd for more info.)
It is highly recommended that you do NOT put this file in any publicly accessible folder, such as the htdocs folder or any of its subdirectories. If you do not have root access to your server, then you may not have any choice, but it's always a good idea to put this in a folder outside your public ones. For example, C:/xampp/ or C:/ .

The .htpasswd file can be named anything you like, but XAMPP and many Apache installations are set by default to prohibit web access to any file whose name begins with .ht, which makes them more secure. If you're storing the password file in a folder outside the web root, then the name won't matter.

 

"Allow from" Directive

This directive can be set if you're using an Alias for phpMyAdmin, which XAMPP does use. It can also be used in a .htaccess file as shown above. If you're using XAMPP, you can define this in the /xampp/apache/conf/extra/httpd-xampp.conf file. Find the following entry and then look for the Allow from all directive and change it to what you like.

Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
AllowOverride AuthConfig
Order allow,deny
Allow from 127.0.0.1
</Directory>

As stated above, you can set this to different IPs if you like and include as many as you need to.

About using domain names with the "Allow from" directive

If you look up the "Allow from" directive, you will see you can specify "Allow from domain.com". But chances are, if you try this you will get a 403 - Access Denied error. The reason is that for this to work, a reverse lookup of the connecting IP must return your domain name. In other words, when you point your domain name to your IP, a DNS server tells anyone accessing your domain name that Your Domain Name = Your IP. A reverse lookup has to say Your IP = Your Domain Name. This must be configured by your ISP, and unless you have a static IP and/or a business account, they probably will not do this for you.

One user, one database

As I stated above, you should NEVER use the root username and password for access to your database when setting up a script. The root user account should only be used for maintenance and for you to create new databases, new users, and assigning permissions.

The best practice is when creating a new database, create a new user for only that database. To do this, follow these steps.

1.) Log into your phpMyAdmin panel as the "root" user.

[Screenshot: security_2009-02-17_18-48-07 - phpMyAdmin login as root]

2.) If necessary, create the new database now. Then click on the "Home" button as highlighted here.

[Screenshot: security_2009-02-18_11-43-33 - the "Home" button]

3.) Next click on the "Privileges" tab.

[Screenshot: security_2009-02-18_11-44-27 - the "Privileges" tab]

4.) Now scroll down and select "Add New User".

[Screenshot: security_2009-02-18_11-45-13 - "Add New User"]

5.) Now fill out the information for the new user.

You can set the username to whatever you like.
The Host should be set to "localhost".
For the password, you can either specify your own or have phpMyAdmin automatically generate one for you. If you use the "Generate" button, copy/paste the password somewhere safe for future reference and so you can add it to the configuration file of the script you are setting up.
Click "Copy" to automatically add the generated password to the two password fields.

Under "Database for user", click "None".

[Screenshot: security_2009-02-18_11-46-31 - "Database for user" set to "None"]

Under "Global Privileges", I recommend leaving them all unchecked.

[Screenshot: security_2009-02-18_11-47-33 - "Global Privileges" with nothing checked]

You can set Resource limits if you like, but make sure you know what you're doing. If you set them too low, the script may not work correctly. I recommend leaving these as they are unless you know what you're doing.
Once you're finished, click "Go".

[Screenshot: security_2009-02-18_11-47-52 - the "Go" button]

You should see this after clicking Go if everything was successful.

[Screenshot: security_2009-02-18_11-48-31 - confirmation that the user was added]

6.) Now scroll down and select the database under "Database-specific privileges" and click Go.

[Screenshot: security_2009-02-18_11-49-14 - "Database-specific privileges" database selector]

7.) Now select the privileges you want the user to have.

I usually select everything except the Administration column. If you select too few, your script may produce errors because it doesn't have adequate permissions.
Click "Go" once you've finished.

[Screenshot: security_2009-02-18_11-50-04 - database-specific privileges selected for the new user]

That's it!
Now just use the new username and password for the script you are trying to install and configure.

When you decide to install a new script, simply repeat these steps for each new database.
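The seven phpMyAdmin steps above, written out as the equivalent SQL statements. This is an added example and is not part of the original tutorial; the database name blog_db, the user name blog_user and the password placeholder are assumptions. The statements can be pasted into the SQL tab in phpMyAdmin while logged in as root, or run from the mysql command line, and the two queries at the end check the result against the "common mistakes" listed earlier.

```sql
-- Added example: "one user, one database" done in SQL instead of the phpMyAdmin forms.
-- Assumed names: blog_db (database), blog_user (user). The password is a constructed
-- placeholder; replace it with one produced by the "Generate" button or a password manager.

-- Step 2: create the database if it does not exist yet.
CREATE DATABASE IF NOT EXISTS blog_db
  CHARACTER SET utf8mb4;

-- Step 5: create the user with Host = localhost only, so the account cannot be used
-- over the network even if the password leaks from the script's config file.
-- No global privileges are granted here (same as leaving "Global Privileges" unchecked).
CREATE USER 'blog_user'@'localhost'
  IDENTIFIED BY 'REPLACE-WITH-GENERATED-PASSWORD';

-- Steps 6 and 7: database-specific privileges only, scoped to blog_db.*.
-- This is the "everything except the Administration column" selection: the Data and
-- Structure privileges and nothing that lets the account touch other databases or
-- the server itself (no GRANT OPTION, SUPER, PROCESS, RELOAD, CREATE USER, ...).
GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, ALTER, INDEX, DROP,
      CREATE TEMPORARY TABLES, CREATE VIEW, SHOW VIEW,
      CREATE ROUTINE, ALTER ROUTINE, EXECUTE,
      TRIGGER, EVENT
  ON blog_db.* TO 'blog_user'@'localhost';

-- Check: the output should contain a USAGE line and exactly one GRANT ... ON `blog_db`.*
-- line. A line granting anything ON *.* means a global privilege slipped in.
SHOW GRANTS FOR 'blog_user'@'localhost';

-- Check against the "common mistakes" section: script accounts that accept logins
-- from any host ('%') instead of localhost ...
SELECT user, host FROM mysql.user WHERE host = '%';

-- ... and accounts other than root that still hold server-wide privileges.
SELECT user, host FROM mysql.user
 WHERE user <> 'root'
   AND (Select_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y');
```

Repeat the CREATE USER and GRANT statements with a fresh name and password for every new script you install, so that no two scripts share an account. If you later run mysqldump as this user, note that it needs LOCK TABLES by default, which phpMyAdmin lists under the Administration column; grant it on blog_db.* only, or run the dump with root from the server itself.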


VIDEO TUTORIAL:

I've created two videos for this article. The first one shows you how to secure phpmyadmin.
The second one shows an example of what an attacker could do if they gained access to your phpMyAdmin.

[Video: Securing phpMyAdmin]

[Video: phpMyAdmin Hacked!]

CONCLUSION:

By using these methods, you will greatly reduce the chance of your MySQL database being compromised. If your database does get attacked, you should change the username and password of whatever database was affected. You will also need to update the configuration file(s) of whatever script(s) use the affected databases.
If you need help finding these settings for popular scripts such as WordPress, phpBB, or some of the others I have listed on my site, please post in the forums and I'll help you find the settings you need to change.



Comments

This is an amazing tutorial
kam

This tutorial is super. Thanks, the videos cleared everything up.

Password video question
Linda

I tried to follow the video, but I am using Lite XAMPP and the information in
the part where you changed the IP address is not the same -- I could not find
where it says Allow all in the Alias.







Last Updated (Thursday, 06 August 2009 15:24)

 

!!REMEMBER: Support Forums!!

I still keep getting requests for support in the comments of posts and unfortunately I cannot give adequate responses due to the fact there's limited space and it just isn't the right place for support.
I therefore am encouraging visitors to PLEASE go to http://forum.myownserver.info for any support related questions. You will NOT receive any spam or anything you don't specifically subscribe to! I'm very meticulous about this myself and if at any time you need help stopping notifications from posts you previously subscribed to, contact me and I will promptly fix the issue.

Thank you for your participation in this!
