10 Proven Methods to Secure phpMyAdmin Against Brute Force Attacks


4 views

Recent Apache logs reveal an alarming number of automated bots attempting to exploit default phpMyAdmin installations. Even when restricted to local networks, these attempts can create unnecessary noise and potential vulnerabilities. Here's a comprehensive guide to hardening your phpMyAdmin setup.

The first line of defense is changing the predictable /phpmyadmin path. After moving or renaming the directory, update your Apache configuration:


Alias /newsecretpath /usr/share/phpmyadmin

    Require ip 192.168.1.0/24

Restrict access to specific IP ranges in your Apache configuration or .htaccess:


Order Deny,Allow
Deny from all
Allow from 192.168.1.100
Allow from 192.168.1.101

phpMyAdmin supports 2FA through the phpMyAdmin configuration file (config.inc.php):


$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['twofactor'] = 'FIDO2';

Create a custom Fail2Ban filter for phpMyAdmin attempts:


[Definition]
failregex = ^ -.*POST.*/phpmyadmin.*200
ignoreregex =

Add these headers to your Apache configuration:


Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"

Add rate limiting via mod_ratelimit:



    SetOutputFilter RATE_LIMIT
    SetEnv rate-limit 100

Consider HTTP authentication as an additional layer:


AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Create limited-privilege users in MySQL and restrict root access:


CREATE USER 'admin_user'@'localhost' IDENTIFIED BY 'complex_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'admin_user'@'localhost';

Add these security headers to your virtual host configuration:


Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "default-src 'self'"

Keep phpMyAdmin updated and monitor logs for suspicious activity:


# Check for failed login attempts
grep "denied" /var/log/apache2/error.log | grep phpmyadmin

After analyzing Apache logs, I discovered numerous automated attacks targeting common phpMyAdmin vulnerabilities. These bots primarily attempt:

  • Brute force login attempts
  • Known exploit probing (CVE-2018-19968, CVE-2019-12922)
  • Directory traversal attempts

1. Renaming the Directory (Basic Obscurity)

While not true security, changing the default path helps:

mv /usr/share/phpmyadmin /usr/share/dbadmin-xyz123

2. IP Restriction via .htaccess

For local network-only access:

Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
Allow from 127.0.0.1

3. Force HTTPS Connection

$cfg['ForceSSL'] = true;

4. Two-Factor Authentication

Install the phpMyAdmin Google Authenticator plugin:

composer require pragmarx/google2fa-phpmyadmin

5. Rate Limiting with fail2ban

Create a custom filter in /etc/fail2ban/filter.d/phpmyadmin.conf:

[Definition]
failregex = ^ -.*"(GET|POST).*/phpmyadmin.* 403
ignoreregex =

6. Web Application Firewall Rules

For ModSecurity users, add these rules:

SecRule REQUEST_URI "@contains phpmyadmin" "id:1001,phase:1,t:none,deny,status:403"

7. SSH Tunneling for Remote Access

ssh -L 3306:localhost:3306 user@yourserver.com -N

8. Adminer as Lightweight Alternative

Consider replacing phpMyAdmin with Adminer for reduced attack surface.

Remember to implement these changes incrementally and test functionality after each modification. Regular security audits and monitoring unauthorized access attempts are equally important.