phpMyAdmin is one of the most popular free management consoles to administer the MySQL database. Unfortunately, as is obvious when looking through the Cognitive Security Reports we generate, it’s also one of the most popular targets for hackers.
Every day, we find massive numbers of attempts to compromise phpMyAdmin via a variety of methods. One of the reasons for the particularly high volume of scans & attacks is the availability of automated tools and web scanners which target phpMyAdmin. It’s easy for a relatively untrained hacker to download a popular web scanner, such as ZmEu (more about this later) and, with a single click, scan a large number of sites for phpMyAdmin (or pma) vulnerabilities.
In fact, amongst the millions of events we’re tracking, we’ve seen phpMyAdmin jump to #2 on the list of web scans/attacks, by volume.
Many web hosts use phpMyAdmin by default, so you may be a user without even knowing about it, or ever installing the software yourself. If you do need to install and use phpMyAdmin, here are some suggestions to make it more secure:
Always make sure you have the latest version installed! Here is how you can upgrade your software: http://wiki.phpmyadmin.net/pma/Upgrading
Do not install phpMyAdmin at a predictable location, such as /pma or /php-my-admin or /phpmyadmin. Many scanning tools look for these default/oft-used locations
Brute forcing passwords is always a risk so it’s always good to keep two things in mind: First, don’t allow remote root logins, and second, make sure you use strong passwords. This is one of those “obvious” suggestions that is super-important, but often ignored.
Make sure your .htaccess file within the phpMyAdmin folder is properly configured. In particular, you should create an .htpasswd file which lists users authorized to access phpMyAdmin, and then include the “Require valid-user” directive in the .htaccess file. The two relevant lines that need to go into .htaccess are:
Be aware of who is targeting your system and based on this information, implement updated access control and source blocking based on the latest data. Our freely available Cognitive Security Reports can help you here and we’re always happy to assist with specifics. Just write us!
To learn more about cognitive security, check out our webinar.