Securing phpMyAdmin in a WordPress Jail

This post assumes you’ve run at least version 1.3.0 of the Scripted WordPress Installation.

In the post WordPress Script: Post-Installation Tasks, I suggest that a way of securing phpMyAdmin in a WordPress jail is to disable it when not in use.

One way to disable phpMyAdmin is to remove the symbolic link in the jail: rm /usr/local/www/wordpress/phpmyadmin. Because the path is a symlink, rm removes only the link; the phpMyAdmin installation under /usr/local/www/phpMyAdmin stays intact. This disables access to phpMyAdmin via the well-known subdirectory path, e.g. https://blog.mydomain.com/phpmyadmin. To re-enable phpMyAdmin, recreate the link: ln -s /usr/local/www/phpMyAdmin /usr/local/www/wordpress/phpmyadmin. Disable it again when finished.

While this is a very effective way to secure phpMyAdmin, it does require access to the FreeNAS jail. This may not be practical if the FreeNAS administrator and WordPress administrator are not the same person. Other ways to secure phpMyAdmin are described in Securing your phpMyAdmin installation. The one that caught my attention was the use of an authentication proxy.

Setting up an authentication proxy is straightforward if you're using Caddy as your reverse proxy: the basicauth directive (renamed basic_auth in Caddy 2.8, with the old name still accepted) puts HTTP Basic Authentication in front of any path you name, and Caddy rejects unauthenticated requests itself, before anything is proxied to the jail. As an example, consider the Caddyfile code block below:

blog.udance.com.au {
  encode gzip
  # Caddy path matchers are exact unless they end in *, so a bare
  # /phpmyadmin would protect only that one path and leave /phpmyadmin/
  # and /phpmyadmin/index.php unauthenticated. Match the directory itself
  # and everything beneath it.
  @pma path /phpmyadmin /phpmyadmin/*
  basicauth @pma {
    admin <hashed-password>
  }
  reverse_proxy http://10.1.1.4
}

When someone attempts to access the phpmyadmin subdirectory from a browser, Caddy answers 401 Unauthorized and the browser presents its standard HTTP Basic Authentication dialogue box asking for a username and password.

They would have to supply the administrator's username (admin) and the plaintext password (not the hash stored in the Caddyfile) to get past the authentication proxy and reach the phpMyAdmin login screen, which still applies as a second, independent check.

Use caddy hash-password to generate the hashed password used in the Caddyfile code block: it prompts for the password and prints a bcrypt hash, so only the hash, never the plaintext, is stored in the Caddyfile.

What's really convenient about this approach is that there isn't a requirement for the WordPress administrator to have access to the FreeNAS jail; the credentials live in the Caddyfile. Two conditions make it sound. Caddy must terminate TLS for the site (which it does by default for a domain name), because Basic Authentication sends the username and password base64-encoded, not encrypted, with every request. And the jail at 10.1.1.4 must only be reachable through Caddy; otherwise a client on the local network could skip the proxy, and its authentication, entirely.
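The following script is an added example, not code from the original post or from the Scripted WordPress Installation. It covers both approaches above: it toggles the phpMyAdmin symlink safely (refusing to delete anything that is not a symlink, so a mis-set path can never wipe the real install) and checks from outside the jail that the proxy really demands credentials for the phpMyAdmin URL. The paths are the ones the post uses; the script name pma.sh, the function names and the environment-variable overrides are assumptions of this example.

```shell
#!/bin/sh
# pma.sh: toggle the phpMyAdmin symlink in the WordPress jail and check that
# the authentication proxy answers 401 without credentials.
# Added example, not code from the original post or its installation script.
# Default paths are the ones the post uses; override via environment variables.
PMA_REAL="${PMA_REAL:-/usr/local/www/phpMyAdmin}"           # real install
PMA_LINK="${PMA_LINK:-/usr/local/www/wordpress/phpmyadmin}" # web-exposed path

# Print the current state: enabled (symlink present), disabled (nothing at
# the link path) or conflict (a real file or directory sits at the link path).
pma_state() {
    if [ -L "$PMA_LINK" ]; then
        echo enabled
    elif [ -e "$PMA_LINK" ]; then
        echo conflict
    else
        echo disabled
    fi
}

# Re-expose phpMyAdmin by recreating the symlink.
pma_enable() {
    if [ ! -d "$PMA_REAL" ]; then
        echo "no phpMyAdmin install at $PMA_REAL" >&2
        return 1
    fi
    case "$(pma_state)" in
        enabled)  return 0 ;;
        conflict) echo "$PMA_LINK exists and is not a symlink; refusing" >&2; return 1 ;;
    esac
    ln -s "$PMA_REAL" "$PMA_LINK"
}

# Hide phpMyAdmin by removing the symlink. rm on a symlink removes only the
# link itself; the installation under $PMA_REAL is untouched. A real
# directory at the link path is never deleted.
pma_disable() {
    case "$(pma_state)" in
        disabled) return 0 ;;
        conflict) echo "$PMA_LINK is not a symlink; refusing to remove it" >&2; return 1 ;;
    esac
    rm "$PMA_LINK"
}

# Check that the proxy demands credentials: an unauthenticated request to the
# phpMyAdmin URL must get HTTP 401 from Caddy. Any other status (200, or a
# 301/302 to /phpmyadmin/ issued by the jail's web server) means the request
# reached the backend without passing basicauth, for example because the
# path matcher covers /phpmyadmin but not /phpmyadmin/.
pma_check_auth() {
    url="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    if [ "$code" = 401 ]; then
        echo "ok: $url requires authentication"
    else
        echo "FAIL: $url returned $code without credentials" >&2
        return 1
    fi
}

# usage: pma.sh enable | disable | status | check https://blog.mydomain.com/phpmyadmin/
case "${1:-}" in
    enable)  pma_enable ;;
    disable) pma_disable ;;
    status)  pma_state ;;
    check)   pma_check_auth "$2" ;;
esac
```

Run the check against both https://blog.mydomain.com/phpmyadmin and https://blog.mydomain.com/phpmyadmin/ after every Caddyfile change; the trailing-slash form is the one a bare /phpmyadmin matcher leaves open.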
