Older versions of phpMyAdmin contain a security vulnerability that allows a remote user to gain root on a virtual private network. To prevent this kind of attack, the entire phpMyAdmin directory is locked behind an Apache username and password. The benefit is that a remote user cannot exploit even an older version of phpMyAdmin, because the application's own login page is never reachable without Apache credentials.
The steps below give a step-by-step procedure for securing phpMyAdmin.
Step 1:- Start by allowing an .htaccess file to take effect in the phpMyAdmin directory. (An .htaccess file is a per-directory configuration file supported by various web servers that provides decentralized web server management.) To do this, open the phpMyAdmin Apache configuration with the command sudo gedit /etc/phpmyadmin/apache.conf.
Step 2:- Under the “DirectoryIndex” line add the line “AllowOverride All”. Save and exit.
Step 3:- Configure the .htaccess file, which will require the user to log in before even reaching the phpMyAdmin login page. Start by creating the .htaccess file in the phpMyAdmin directory with the command sudo gedit /usr/share/phpmyadmin/.htaccess.
Step 4:- Type the following statements in the file (straight quotes, and no space inside the path):
AuthType Basic
AuthName "Restricted Users"
AuthUserFile /pathtopasswordfile/.htpasswd
Require valid-user
Below is the meaning of each directive:
- AuthType: The type of authentication used to check passwords (Basic here).
- AuthName: The text displayed in the password prompt.
- AuthUserFile: The server path to the password file.
- Require valid-user: Tells Apache, via the .htaccess file, that only users listed in the password file can reach the phpMyAdmin login screen.
Step 5:- Now create the valid user information, starting with the .htpasswd file. The path chosen must not be accessible from the browser. Type the command sudo htpasswd -c /pathtopassword/.htpasswd username (provide a valid path and remember it, since it must match the AuthUserFile path given in Step 4). The -c flag creates the file and overwrites an existing one, so omit it when adding further users.
The prompt will then ask for the password.
Step 6:- Once the username and password hash have been saved in the .htpasswd file, restart the server with the command sudo service apache2 restart. Open a browser and go to localhost/phpmyadmin or 127.0.0.1/phpmyadmin. Enter the username and password set during configuration. (It is recommended to use the same username and password used for logging in to Linux.)
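As an added check that is not part of the original procedure, the following Python script validates an .htaccess body against the directives from Step 4 and flags the slips that silently break the lock-down: a missing directive, a space inside the AuthUserFile path, or a password file placed inside the web-served phpMyAdmin directory. The served-directory list and the /etc/phpmyadmin/.htpasswd location in the sample are assumptions.

```python
import os

# Directives the .htaccess from Step 4 must carry (assumed check, not from the page).
REQUIRED = ("AuthType", "AuthName", "AuthUserFile", "Require")

def parse_htaccess(text):
    """Map each directive in an .htaccess body to its argument string."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip().strip('"')
    return directives

def check_htaccess(text, served_dirs=("/usr/share/phpmyadmin", "/var/www")):
    """Return a list of problems; an empty list means the file matches Steps 4-5."""
    d = parse_htaccess(text)
    problems = ["missing %s" % k for k in REQUIRED if k not in d]
    if "AuthType" in d and d["AuthType"].lower() != "basic":
        problems.append("AuthType must be Basic")
    if "Require" in d and d["Require"] != "valid-user":
        problems.append("Require should be valid-user")
    path = d.get("AuthUserFile", "")
    if path:
        if " " in path:  # Apache takes exactly one argument here
            problems.append("AuthUserFile takes exactly one path; remove the space")
        elif not os.path.isabs(path):
            problems.append("AuthUserFile must be an absolute server path")
        for root in served_dirs:  # the password file must not be browsable
            if path.startswith(root.rstrip("/") + "/"):
                problems.append("AuthUserFile is inside web-served directory " + root)
    return problems

# Constructed sample: the directives as the steps intend (assumed file location).
GOOD = """AuthType Basic
AuthName "Restricted Users"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user
"""

# Constructed sample with the slips a hasty copy of the steps can produce.
BAD = """AuthName "Restricted Users"
AuthUserFile /usr/share/phpmyadmin/ .htpasswd
Require valid-user
"""

if __name__ == "__main__":
    print(check_htaccess(GOOD))  # []
    print(check_htaccess(BAD))
```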