We work with various servers at work, and one of the areas that gets targeted the most by bots and stuff, seems to be the phpmyadmin login page.
Now, you could obfuscate the folder name to throw them off the scent… but that probably means renaming loads of things other than the core foldername & time is money!
The best way (before this blog post) of doing it has always been to secure it with htpasswd but the amount of times i’ve done this quickly and set the password to something obvious, and then forgotten the password. Then unpicking the password configuration to get in, to then have to reapply it… Screw that!
So whilst I was once again sat staring at the good ol’ “how to secure phpmyadmin with htaccess” guide early this morning, I thought to myself “there must be a better way of doing this!” and I pondered… and pondered… then it hit me!
We use Cloudflare for DNS management on all our websites, it’s by far the best tool for the job and despite them taking most of the internet down (twice) the other month, its an awesome toolkit for keeping the baddies out and the websites online.
Anyway, in the cloudflare dashboard there is a firewall section, in that section you can set rules under “Firewall Rules” and a quick 5 minute rule later and my phpmyadmin screen is secured with a captcha screen and cloudflare is beating up the baddies that try and come and hack my gibsons.
Here is the rule;
And here is my bitchin challenge screen;
It’s worth noting that when I originally added the above rule I used “contains” in the rule Operator field, and then the screenshots I added above had ‘phpmyadmin’ in the filenames, so the cloudflare rule kicked in blocking the images from loading!
Be careful when setting the rule and ensure it matches my example above.
It logs how many times it kicks in too, and already since adding it its been hit 50 times!
Secure your phpmyadmin on ubuntu, cloudlinux, redhat, CentOS, debian, fedora, coreos, freebsd, windows hosting, and anything else with this 5 second rule.
Oh, it works in cloudflare free accounts too – so even if you dont use cloudflare you can set it up at no cost and have the rule protecting your phpmyadmin from the hackers, bots and baddies of the internet world in no time!