📊 Section 18: phpMyAdmin Setup Guide

Comprehensive Server Configuration & Security Best Practices

🎯 Introduction

This guide provides a professional approach to installing and securing phpMyAdmin on an Nginx web server. phpMyAdmin is a powerful web-based database management tool for MySQL/MariaDB databases. Proper security configuration is critical to prevent unauthorized access and potential security breaches.

📌 Key Objectives:
  • Secure phpMyAdmin installation with randomized access paths
  • Implement HTTP authentication and IP-based access control
  • Configure log rotation for system maintenance
  • Optimize Nginx security settings

๐Ÿ” Security Architecture Overview

Client Request
User attempts access
โ†’
IP Filtering
Whitelist verification
โ†’
HTTP Auth
Username/Password
โ†’
phpMyAdmin
Database access

🔑 Step 1: Generate Secure Credentials

1.1 Generate Random Passwords

First, we'll generate secure random passwords using the system's random number generator. This command creates three 12-character alphanumeric passwords (upper case, lower case and digits).

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 3

Command Breakdown:
  • cat /dev/urandom - Reads from the random number generator
  • tr -dc 'a-zA-Z0-9' - Keeps only alphanumeric characters (the character ranges are case-sensitive, so both A-Z and a-z must be listed)
  • fold -w 12 - Splits output into 12-character lines
  • head -n 3 - Outputs the first 3 lines

💾 Step 2: Create Database Administrator User

2.1 Access MySQL Console

sudo mysql

2.2 Create Database Admin User

Create a new MySQL user with full administrative privileges. Replace 'Cb7VogmHUwn6' with one of your generated passwords from Step 1.

GRANT ALL ON *.* TO 'dbadmin'@'localhost' IDENTIFIED BY 'Cb7VogmHUwn6' WITH GRANT OPTION;
FLUSH PRIVILEGES;

This single-statement form works on MariaDB and on MySQL 5.7. MySQL 8.0 and later no longer accept IDENTIFIED BY inside GRANT: create the account first with a CREATE USER statement, then run the GRANT without that clause.
⚠️ Security Note: This user has full privileges on all databases. Use this account only for administrative tasks and keep the credentials secure.

โš™๏ธ Step 3: Configure Nginx

3.1 Test and Reload Nginx

sudo nginx -t
sudo systemctl reload nginx

3.2 Navigate to Nginx Includes Directory

cd /etc/nginx/includes

๐Ÿ” Step 4: Set Up HTTP Authentication

4.1 Generate Encrypted Password

Use OpenSSL to create a hashed password for HTTP authentication. The $1$ prefix in the output below marks an MD5-crypt hash; openssl passwd -6 produces a SHA-512 crypt hash instead, which Nginx's auth_basic also accepts:

openssl passwd
Password: w9sv5hu98q0i
Verifying - Password:
$1$lSmswTO8$tv.unS.4n68fH.yrV0WHR0

4.2 Create Password File

sudo nano pma_userpass

Add the following line (username:hashed_password):

andrew:$1$lSmswTO8$tv.unS.4n68fH.yrV0WHR0

📥 Step 5: Install phpMyAdmin

5.1 Update Package Lists

sudo apt update

5.2 Install phpMyAdmin

sudo apt install phpmyadmin

5.3 Create Symbolic Link with Random Path

For security, we use a randomized directory name (V2th1pchBI71) instead of the default /phpmyadmin path. This makes it harder for attackers to find your phpMyAdmin installation.

sudo ln -s /usr/share/phpmyadmin /var/www/html/V2th1pchBI71
✅ Security Best Practice: Using a non-standard, random path name is an effective security-through-obscurity measure that significantly reduces automated attack attempts.

๐Ÿ›ก๏ธ Step 6: Configure phpMyAdmin Access Rules

6.1 Create phpMyAdmin Configuration File

sudo nano /etc/nginx/includes/pma.conf

6.2 Add Security Configuration

location ^~ /V2th1pchBI71 {
    # CONDITIONS: both the IP check and HTTP authentication must pass
    satisfy all;

    # HTTP AUTHENTICATION (the password file created in Step 4.2)
    auth_basic "Sign In";
    auth_basic_user_file /etc/nginx/includes/pma_userpass;

    # IP BASED ACCESS
    # if your IP changes, ssh to your server and use the last command:
    # last -n3 (still logged in) shows the IP address you need to add to allow
    allow your_IP_ADDRESS;
    deny all;

    try_files $uri $uri/ =404;

    # the nested location inherits satisfy, auth_basic and allow/deny from above
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        include /etc/nginx/includes/fastcgi_optimize.conf;
    }
}
⚠️ Important: Replace your_IP_ADDRESS with your actual IP address. To find your current IP, use: last -n3

Configuration Breakdown

Directive              Purpose
satisfy all            Requires both HTTP authentication AND IP whitelist approval
auth_basic             Enables HTTP Basic Authentication with a custom prompt
auth_basic_user_file   Specifies the password file location
allow / deny           IP-based access control (whitelist approach)
fastcgi_pass           Routes PHP requests to the PHP-FPM socket
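Before running nginx -t in Step 7, it is worth checking that the include really enforces both layers and that the password file it names is well-formed, because a placeholder left in an allow line or a plaintext entry in the password file are the usual causes of the "cannot access" and "authentication not working" problems in the Troubleshooting section. The script below is an added example, not part of the course or of phpMyAdmin; it assumes the file paths from Steps 4 and 6 and that allow lines hold IPv4 addresses or CIDRs only.

```shell
#!/bin/sh
# Added example, not part of the course: sanity-check a pma.conf-style include
# and the htpasswd file it names before running nginx -t and reloading.
# Usage: check_pma_conf /etc/nginx/includes/pma.conf   (returns 0 only if all
# checks pass). Assumption: allow lines hold IPv4 addresses or CIDRs only.

check_pma_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # the default is already 'all', but an inherited 'satisfy any' would let
    # the IP check or the password alone grant access, so require it explicitly
    grep -Eq '^[[:space:]]*satisfy[[:space:]]+all;' "$conf" \
        || { echo "FAIL: no 'satisfy all;' directive"; rc=1; }
    grep -Eq '^[[:space:]]*deny[[:space:]]+all;' "$conf" \
        || { echo "FAIL: no 'deny all;' - every source IP would pass the IP filter"; rc=1; }

    # every allow must carry a concrete address, not the your_IP_ADDRESS placeholder
    [ "$(grep -Ec '^[[:space:]]*allow[[:space:]]' "$conf")" -gt 0 ] \
        || { echo "FAIL: no allow directive"; rc=1; }
    grep -E '^[[:space:]]*allow[[:space:]]' "$conf" | while read -r kw ip; do
        ip=$(printf '%s' "${ip%%#*}" | tr -d ' \t;')
        case "$ip" in
            ''|*[!0-9./]*) echo "FAIL: allow '$ip' is not an IPv4 address or CIDR"; exit 1 ;;
        esac
    done || rc=1

    # the password file must exist and hold user:hash lines, nothing else
    pw=$(sed -nE 's/^[[:space:]]*auth_basic_user_file[[:space:]]+([^[:space:];]+)[[:space:]]*;.*/\1/p' "$conf" | head -n 1)
    [ -n "$pw" ] || { echo "FAIL: no auth_basic_user_file directive"; return 1; }
    [ -s "$pw" ] && [ -r "$pw" ] || { echo "FAIL: password file $pw is missing, empty or unreadable"; return 1; }
    # accepted hashes: crypt-style ($1$, $5$, $6$, $apr1$) or {SHA}; a plaintext
    # password here is the usual reason a correct login is never accepted
    if grep -Evq '^$|^#|^[^[:space:]:]+:(\$(1|5|6|apr1)\$[^[:space:]]+|[{]SHA[}][A-Za-z0-9+/=]+)$' "$pw"; then
        echo "FAIL: $pw contains a line that is not user:hash"; rc=1
    fi
    return "$rc"
}
```

Run it as root (the password file is normally not world-readable) and fix every FAIL line before reloading Nginx.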

🔗 Step 7: Include phpMyAdmin Configuration

7.1 Navigate to Sites Directory

cd /etc/nginx/sites-available/

7.2 Edit Default Server Block

sudo nano default

7.3 Add Include Statement

Add this line inside the server block:

include /etc/nginx/includes/pma.conf;

7.4 Test and Apply Configuration

sudo nginx -t
sudo systemctl reload nginx

7.5 Access phpMyAdmin

✅ Access URL:
http://server_ip/V2th1pchBI71/

๐Ÿ“ Step 8: Configure Log Rotation

Log rotation is essential for preventing log files from consuming excessive disk space. We'll configure the system to rotate logs daily and keep 7 days of historical data.

8.1 Edit Main Logrotate Configuration

cd /etc/
sudo nano logrotate.conf

8.2 Apply Configuration Changes

Original Setting   New Setting   Purpose
weekly             daily         Rotate logs every day instead of weekly
rotate 4           rotate 7      Keep 7 days of backlog instead of 4 weeks
#compress          compress      Enable compression for old log files

The relevant lines in /etc/logrotate.conf after editing:

# rotate log files daily
daily

# keep 7 days worth of backlogs
rotate 7

# create new (empty) log files after rotating old ones
create

# compress old log files
compress

🔄 Step 9: Configure Specific Service Log Rotation

9.1 Navigate to Service-Specific Configs

cd /etc/logrotate.d/
ls

9.2 Update Individual Service Configurations

For each of the following files, change weekly to daily and rotate value to 3:

sudo nano fail2ban
sudo nano nginx
sudo nano rsyslog
sudo nano ufw
📋 Services Configured:
  • fail2ban - Intrusion prevention logs
  • nginx - Web server access and error logs
  • rsyslog - System logging service
  • ufw - Uncomplicated Firewall logs

9.3 Verify Configuration

sudo logrotate -d /etc/logrotate.conf

The -d flag runs logrotate in debug mode without actually rotating files, allowing you to verify the configuration.
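Editing the global file and four service files by hand is easy to get wrong (a stanza missed, a stray "weekly" left behind). The helper below applies the same edits from Steps 8 and 9 from the shell and reports what each file now says, so the result can be compared before logrotate -d is run. It is an added example, not part of the course or of logrotate; the function names are mine, and it assumes a sed that accepts -E (GNU and BSD both do).

```shell
#!/bin/sh
# Added example, not part of the course: apply the Step 8/9 edits (frequency
# keyword, rotate count, optionally uncommenting compress) to a logrotate
# config without opening each file in nano. Assumes sed accepts -E.
# Usage: set_rotation /etc/logrotate.d/nginx daily 3 ; enable_compress /etc/logrotate.conf

set_rotation() {
    file="$1"; period="$2"; count="$3"
    case "$period" in
        hourly|daily|weekly|monthly|yearly) ;;
        *) echo "bad period: $period"; return 2 ;;
    esac
    case "$count" in ''|*[!0-9]*) echo "bad count: $count"; return 2 ;; esac
    [ -w "$file" ] || { echo "cannot write $file"; return 1; }
    tmp="$file.tmp.$$"
    # rewrite every frequency keyword and rotate line, keeping indentation;
    # cat-ing back into the original preserves its owner and mode
    sed -E \
        -e "s/^([[:space:]]*)(hourly|daily|weekly|monthly|yearly)[[:space:]]*$/\1${period}/" \
        -e "s/^([[:space:]]*)rotate[[:space:]]+[0-9]+[[:space:]]*$/\1rotate ${count}/" \
        "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# uncomment a '#compress' line (Step 8.2) so rotated logs are gzipped
enable_compress() {
    tmp="$1.tmp.$$"
    sed -E 's/^([[:space:]]*)#[[:space:]]*compress[[:space:]]*$/\1compress/' "$1" > "$tmp" \
        && cat "$tmp" > "$1" && rm -f "$tmp"
}

# report the effective settings, one "file period count" line per file
show_rotation() {
    for f in "$@"; do
        p=$(grep -Eo '^[[:space:]]*(hourly|daily|weekly|monthly|yearly)' "$f" | head -n 1 | tr -d ' \t')
        c=$(grep -Eo '^[[:space:]]*rotate[[:space:]]+[0-9]+' "$f" | head -n 1 | awk '{print $2}')
        printf '%s %s %s\n' "$f" "${p:-unset}" "${c:-unset}"
    done
}
```

For the four service files from Step 9.2 a loop such as for f in fail2ban nginx rsyslog ufw; do set_rotation /etc/logrotate.d/$f daily 3; done does the whole job, and show_rotation /etc/logrotate.d/* lists what every file now specifies.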

🧹 Step 10: Secure the Default Nginx Server Block

The default server block handles requests that don't match any configured server names. We'll secure it to prevent direct IP access and information disclosure.

10.1 Cleanup Requirements

10.2 Optimized Configuration

server {
    listen 80 default_server;
    root /var/www/html;
    index index.php;
    server_name _;

    location / {
        try_files $uri $uri/ =404;
        # return is evaluated before try_files, so every request that lands in
        # this location is dropped; the ^~ /V2th1pchBI71 location included from
        # pma.conf is a longer prefix match and is still served normally
        return 444;
    }
}
🔍 What is return 444?
This is a special Nginx status code that closes the connection without sending a response. It's more secure than returning a standard error page because it provides no information to potential attackers scanning your IP address.

๐Ÿ›ก๏ธ Content Security Policy (CSP) Considerations

A Content Security Policy (CSP) is a security measure implemented on web servers to mitigate certain types of cyber attacks, primarily cross-site scripting (XSS) and code injection attacks. A CSP dictates which resources a web browser is allowed to load from specific domains, restricting the execution of untrusted code and thereby enhancing site security.

Why CSP is Not Included for WordPress

โš ๏ธ Important Decision: This course does not cover CSP implementation for WordPress sites due to significant compatibility challenges.

WordPress CSP Challenges

1. Unsafe Inline Requirement
   WordPress requires the unsafe-inline directive, which tells the browser to run inline scripts; an inline script injected by an attacker is therefore no longer blocked, undermining the main benefit of CSP.
2. Unsafe Eval Requirement
   The unsafe-eval directive allows dynamic code evaluation, which can be abused to execute arbitrary code injected by attackers.
3. Complexity and Maintenance
   Creating a well-configured CSP for WordPress requires constant attention to ensure valid sources aren't blocked. The policy needs almost continuous updates as plugins and themes change.
4. Risk vs. Benefit Analysis
   Enabling directives like unsafe-inline and unsafe-eval undermines the security benefits of CSP. The effort required doesn't justify the limited security improvement.

✅ Alternative Security Measures

Instead of CSP, focus on these proven security strategies that provide better protection for WordPress sites with less complexity:

Implemented Security Measures

1. Regular Updates
   Keep WordPress core, themes, and plugins up to date to patch known vulnerabilities.
2. Strong Authentication
   Enforce strong password policies and enable two-factor authentication (2FA) for all users.
3. Brute Force Protection
   Secure login pages from brute force attacks using fail2ban or similar tools.
4. Web Application Firewall
   Use a security plugin or WAF plugin (like NinjaFirewall, covered in this course).
5. Secure Hosting Environment
   Ensure your hosting environment is secure with correct ownership and file permissions.
6. Regular Backups
   Back up your site daily to ensure quick recovery from any security incident.
7. HTTPS Enforcement
   Ensure all content is served over HTTPS only to protect data in transit.
8. Disable File Editor
   Disable the built-in WordPress file editor to prevent code injection through the admin panel.
9. REST API Restrictions
   Restrict access to the WordPress REST API to prevent information disclosure and attacks.
10. User Permission Limits
   Implement a policy of limiting user permissions following the principle of least privilege.

🔒 Layered Security Approach

Security is a layered approach. Implementing multiple security strategies creates defense-in-depth that significantly strengthens your WordPress site's defenses.

Layer 1: Perimeter (firewall, IP filtering, rate limiting) → Layer 2: Authentication (strong passwords, 2FA, HTTP auth) → Layer 3: Application (updates, WAF, secure configuration) → Layer 4: Data (HTTPS, backups, encryption)

📋 Configuration Summary

Component              Configuration                        Security Benefit
phpMyAdmin Path        Randomized (V2th1pchBI71)            Security through obscurity
HTTP Authentication    Enabled with hashed passwords        First line of defense
IP Whitelisting        Specific IP addresses only           Network-level access control
Log Rotation           Daily, 3-7 day retention             Disk space management, audit trail
Default Server Block   Return 444 for unmatched requests    Information disclosure prevention

💡 Security Best Practices

Key Takeaways

  • Use randomized paths for admin interfaces to avoid automated attacks
  • Implement multiple authentication layers (IP + password) for sensitive resources
  • Regularly rotate and monitor logs to detect suspicious activity early
  • Update your IP whitelist whenever your network changes
  • Use strong, randomly generated passwords for all accounts
  • Test configuration changes before applying them to production
  • Maintain regular backups before making system changes
  • Monitor access logs for unauthorized access attempts

🔧 Troubleshooting

Common Issues and Solutions

Problem: Cannot access phpMyAdmin after configuration

Solutions:
  • Verify your IP address is correctly whitelisted in pma.conf
  • Check that password file permissions are correct (644)
  • Test Nginx configuration: sudo nginx -t
  • Review Nginx error logs: sudo tail -f /var/log/nginx/error.log
Problem: HTTP authentication not working

Solutions:
  • Verify password file path in nginx configuration
  • Regenerate password hash using openssl passwd
  • Check file permissions on password file
  • Ensure password file format is correct (username:hash)
Problem: Log rotation not working

Solutions:
  • Verify configuration syntax: sudo logrotate -d /etc/logrotate.conf
  • Check file permissions on log directories
  • Review logrotate status: sudo cat /var/lib/logrotate/status
  • Manually test rotation: sudo logrotate -f /etc/logrotate.conf