How to secure phpmyadmin on Wordpress Droplet?

July 3, 2019 496 views
Ubuntu PHP Security DigitalOcean WordPress Ubuntu 18.04

I followed the tutorial linked below to install phpmyadmin on my test wordpress droplet. However now when you go to the IP address for the droplet /phpmyadmin you can access the login screen for phpmyadmin (shown below). Is there a way to hide this in a sense? I don’t want anyone to be able to go to the IP address for the droplet /phpmyadmin and be able to access it. I followed the instructions in the tutorial on how to secure it so it requires extra login credentials but I still want to hide it in a sense from the public. How can I do this?

PHPmyadmin link: http://67.205.188.51/phpmyadmin/

Tutorial: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-on-ubuntu-18-04

2 Answers

Hi,

Good job getting as far as you have. I checked out the tutorial you linked and the very last step it illustrates is for something known generally as “http authentication.” This is the username/password login box that pops up in the browser:

https://assets.digitalocean.com/articles/phpmyadmin_1404/apache_auth.png
Example graphic from tutorial

Were you able to follow all of the steps in the tutorial, including Step 3?

Step 3 — Securing Your phpMyAdmin Instance

This will provide a password prompt before the phpmyadmin page loads, effectively “hiding” it from the public.

If you did follow all the steps, sometimes your browser can cache or save the HTTP AUTH information you entered in previously - try accessing your phpmyadmin from a private or incognito browser window to test if you get a fresh login popup.

Hope this helps and good luck! Let us know how it goes.

  • Hi,

    Thanks so much for the response!

    I did follow through to step 3, and when you go to that part of the site it does pull up the extra http authentication login box. I just wasn’t sure if that was enough. I just know some other sites that run this feature and theirs aren’t just domain.com/phpmyadmin, so I wasn’t sure if there was anything else I could do to “hide” it from the public.

    But, if adding the “http authentication” is enough to secure that part, then that is good enough for me.

    If you have any more info that’d be great, otherwise thanks so much again!

There’s never enough security :) The tutorial walks you through the bare minimum as not doing that minimum will almost definitely lead to some kind of exploit being used against you.

I did have at least one more suggestion, and that would be to change the URL from /phpmyadmin to /somethinglessobvious; that way it’d be even less likely anyone would ever see that you had a protected page up and wonder about it.

Cheers and good luck!
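
One way to apply the URL change suggested in the answer above, as an added example that is not part of the original thread or the linked tutorial. It assumes the Ubuntu phpmyadmin package's Apache snippet at /etc/apache2/conf-available/phpmyadmin.conf containing `Alias /phpmyadmin /usr/share/phpmyadmin`; the helper name `rename_pma_alias` and the path `/dbadmin-x7` are made up for illustration.

```sh
#!/bin/sh
# Added example: point the phpMyAdmin Alias at a less obvious URL path.
# Assumption: the Apache snippet contains a line of the form
#   Alias /phpmyadmin /usr/share/phpmyadmin
# rename_pma_alias is a hypothetical helper name.

# Usage: rename_pma_alias CONF_FILE /new-path
rename_pma_alias() (
    conf=$1
    new=$2
    pattern='^[[:space:]]*Alias[[:space:]]+/[^[:space:]]+[[:space:]]+/usr/share/phpmyadmin'

    # Accept exactly one path segment of safe characters, and not the default.
    case $new in
        /*) ;;
        *) echo "new path must start with /" >&2; exit 2 ;;
    esac
    case ${new#/} in
        ''|phpmyadmin|*[!A-Za-z0-9_-]*)
            echo "unsuitable path: $new" >&2; exit 2 ;;
    esac

    # Refuse to touch a file that does not carry the expected Alias line.
    grep -Eq "$pattern" "$conf" || { echo "no phpMyAdmin Alias in $conf" >&2; exit 1; }

    # Keep a backup, then rewrite only the URL part of the Alias line.
    cp -p "$conf" "$conf.bak" || exit 1
    sed "s|^\([[:space:]]*Alias[[:space:]][[:space:]]*\)/[^[:space:]]*\([[:space:]][[:space:]]*/usr/share/phpmyadmin\)|\1$new\2|" \
        "$conf.bak" > "$conf"
)

# On the server (as root), followed by a syntax check and reload:
#   rename_pma_alias /etc/apache2/conf-available/phpmyadmin.conf /dbadmin-x7 \
#     && apache2ctl configtest && systemctl reload apache2
```

Because `.htaccess` authentication applies to the filesystem directory rather than to the URL, the password prompt from Step 3 stays in force under the new path.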
