The biggest threat is that an attacker could leverage a vulnerability such as; directory traversal, or using SQL Injection to call load_file()to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. As a pentester I have used this attack pattern to compromise a system.

最大的威胁是攻击者可以利用以下漏洞：目录遍历，或使用 SQL 注入调用load_file()读取配置文件中的纯文本用户名/密码，然后使用 phpmyadmin 或通过 tcp 端口 3306 登录。作为渗透测试者，我使用这种攻击模式来破坏系统。

Here is a great way to lock down phpmyadmin:

这是锁定 phpmyadmin 的好方法：

• DO NOT ALLOW REMOTE ROOT LOGINS!Instead phpmyadmin can be configured to use "Cookie Auth"to limit what user can access the system. If you need some root privileges, create a custom account that can add/drop/create but doesn't have grantor file_priv.
• Remove file_privpermissions from every account. file_privis one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor.
• Whitelist IP address who have access to the phpmyadmin interface. Here is an example .htaccess reulset:

• 不允许远程 root 登录！相反，可以将 phpmyadmin 配置为使用“Cookie身份验证”来限制哪些用户可以访问系统。如果您需要一些 root 权限，请创建一个可以添加/删除/创建但没有grant或的自定义帐户file_priv。
• 删除file_priv每个帐户的权限。file_priv是 MySQL 中最危险的权限之一，因为它允许攻击者读取文件或上传后门。
• 将有权访问 phpmyadmin 界面的 IP 地址列入白名单。这是一个示例 .htaccess reulset：

Order deny,allow
Deny from all
allow from 199.166.210.1

Order deny,allow
Deny from all
allow from 199.166.210.1

• Do not have a predictable file location like: http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.

• Firewall off tcp port 3306 so that it cannot be accessed by an attacker.

• Use HTTPS, otherwise data and passwords can be leaked to an attacker. If you don't want to fork out the $30 for a cert, then use a self-signed. You'll accept it once, and even if it was changed due to a MITM you'll be notified.

• 没有可预测的文件位置，例如：http://127.0.0.1/phpmyadmin. Nessus/Nikto/Acunetix/w3af 等漏洞扫描程序将对此进行扫描。

• 防火墙关闭 tcp 端口 3306，以便攻击者无法访问它。

• 使用 HTTPS，否则数据和密码可能会泄露给攻击者。如果您不想为证书支付 30 美元，请使用自签名证书。您将接受一次，即使它因 MITM 而更改，您也会收到通知。

One of my concerns with phpMyAdmin was that by default, all MySQL users can access the db. If DB's root password is compromised, someone can wreck havoc on the db. I wanted to find a way to avoid that by restricting which MySQL user can login to phpMyAdmin.

我对 phpMyAdmin 的担忧之一是，默认情况下，所有 MySQL 用户都可以访问数据库。如果数据库的 root 密码被泄露，有人可能会对数据库造成严重破坏。我想通过限制哪个 MySQL 用户可以登录到 phpMyAdmin 来找到一种方法来避免这种情况。

I have found using AllowDeny configuration in PhpMyAdmin to be very useful. http://wiki.phpmyadmin.net/pma/Config#AllowDeny_.28rules.29

我发现在 PhpMyAdmin 中使用 AllowDeny 配置非常有用。 http://wiki.phpmyadmin.net/pma/Config#AllowDeny_.28rules.29

AllowDeny lets you configure access to phpMyAdmin in a similar way to Apache. If you set the 'order' to explicit, it will only grant access to users defined in 'rules' section. In the rules, section you restrict MySql users who can access use the phpMyAdmin.

AllowDeny 允许您以与 Apache 类似的方式配置对 phpMyAdmin 的访问。如果您将 'order' 设置为显式，它只会授予在 'rules' 部分中定义的用户的访问权限。在规则部分，您限制可以访问使用 phpMyAdmin 的 MySql 用户。

$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit'
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('pma-user from all')

Now you have limited access to the user named pma-user in MySQL, you can grant limited privilege to that user.

现在您对 MySQL 中名为 pma-user 的用户具有有限的访问权限，您可以向该用户授予有限的权限。

grant select on db_name.some_table to 'pma-user'@'app-server'

In newer versions of phpMyAdmin access permissions for user-names + ip-addresses can be set up inside the phpMyAdmin's config.inc.php file. This is a much better and more robust method of restricting access (over hard-coding URLs and IP addresses into Apache's httpd.conf).

在较新版本的 phpMyAdmin 中，用户名 + ip 地址的访问权限可以在 phpMyAdmin 的 config.inc.php 文件中设置。这是一种更好、更强大的限制访问方法（通过将 URL 和 IP 地址硬编码到 Apache 的 httpd.conf）。

Here is a full example of how to switch to white-listing all users (no one outside this list will be allowed access), and also how to restrict user root to the local system and network only.

这是一个完整的示例，说明如何将所有用户切换到白名单（不允许此列表之外的任何人访问），以及如何将 root 用户限制为仅限本地系统和网络。

$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'deny % from all', // deny everyone by default, then -

    'allow % from 127.0.0.1', // allow all local users
    'allow % from ::1',

    //'allow % from SERVER_ADDRESS', // allow all from server IP

    // allow user:root access from these locations (local network)
    'allow root from localhost',
    'allow root from 127.0.0.1',
    'allow root from 10.0.0.0/8',
    'allow root from 172.16.0.0/12',
    'allow root from 192.168.0.0/16',

    'allow root from ::1',

    // add more usernames and their IP (or IP ranges) here -    
    );

Source: How to Install and Secure phpMyAdmin on localhost for Windows

来源：如何在 Windows 本地主机上安装和保护 phpMyAdmin

This gives you much more fine-grained access restrictions than Apache's URL permissions or an .htaccess file can provide, at the MySQL user name level.

在 MySQL 用户名级别，这为您提供了比 Apache 的 URL 权限或 .htaccess 文件所能提供的更细粒度的访问限制。

Make sure that the user you are login in with, has its MySQL Host:field set to 127.0.0.1or ::1, as phpMyAdmin and MySQL are on the same system.

确保您登录的用户将其 MySQLHost:字段设置为127.0.0.1或::1，因为 phpMyAdmin 和 MySQL 在同一系统上。

Most likely, somewhere on your webserver will be an Alias directive like this;

最有可能的是，您的网络服务器上的某个地方将是这样的 Alias 指令；

Alias /phpmyadmin "c:/wamp/apps/phpmyadmin3.1.3.1/"

In my wampserver / localhost setup, it was in c:/wamp/alias/phpmyadmin.conf.

在我的 wampserver / localhost 设置中，它位于 c:/wamp/alias/phpmyadmin.conf 中。

Just change the alias directive and you should be good to go.

只需更改别名指令，您就可以开始使用了。

Another solution is to use the config file without any settings. The first time you might have to include your mysql root login/password so it can install all its stuff but then remove it.

另一种解决方案是使用没有任何设置的配置文件。第一次您可能必须包含您的 mysql root 登录名/密码，以便它可以安装所有内容，然后将其删除。

$cfg['Servers'][$i]['auth_type'] = 'cookie';

$cfg['Servers'][$i]['host'] = 'localhost';

$cfg['Servers'][$i]['connect_type'] = 'tcp';

$cfg['Servers'][$i]['compress'] = false;

$cfg['Servers'][$i]['extension'] = 'mysql';

$cfg['Servers'][$i]['auth_type'] = 'cookie';

$cfg['Servers'][$i]['host'] = 'localhost';

$cfg['Servers'][$i]['connect_type'] = 'tcp';

$cfg['Servers'][$i]['compress'] = false;

$cfg['Servers'][$i]['extension'] = 'mysql';

Leaving it like that without any apache/lighhtpd aliases will just present to you a log in screen.

离开它没有任何 apache/lighthtpd 别名只会向您显示一个登录屏幕。

You can log in with root but it is advised to create other users and only allow root for local access. Also remember to use string passwords, even if short but with a capital, and number of special character. for example !34sy2rmbr!aka "easy 2 remember"

可以用root登录，但建议创建其他用户，只允许root进行本地访问。还要记住使用字符串密码，即使很短但带有大写和特殊字符的数量。例如!34sy2rmbr!又名“容易 2 记住”

-EDIT: A good password now a days is actually something like words that make no grammatical sense but you can remember because they funny. Or use keepass to generate strong randoms an have easy access to them

- 编辑：现在一个好的密码实际上是一些没有语法意义的单词，但你可以记住，因为它们很有趣。或者使用 keepass 生成强随机数并轻松访问它们

If you are running a linux server:

如果您正在运行 Linux 服务器：

• Using SSH you can forbid the user/password loging and only accept a public key in the authorized_keys file
• Use putty to connect to your server and open a remote terminal
• Forward X11 and brings localhost firefox/iceweasel to your desktop (in windows you need Xming software installed)
• Now you secured your phpMyAdmin throught ssh

• 使用 SSH，您可以禁止用户/密码登录，并且只接受 Authorized_keys 文件中的公钥
• 使用 putty 连接到您的服务器并打开远程终端
• 转发 X11 并将 localhost firefox/iceweasel 带到您的桌面（在 Windows 中您需要安装 Xming 软件）
• 现在您通过 ssh 保护了您的 phpMyAdmin

This system is quite secure/handy for homeservers -usually with all ports blocked by default-. You only have to forward the SSH port (don't use number 22).

该系统对于家庭服务器来说非常安全/方便 - 通常默认情况下阻止所有端口 -。您只需要转发 SSH 端口（不要使用数字 22）。

If you like Microsoft Terminal Server you can even set a SSH Tunneling to your computer and connect securely to your web server throught it.

如果您喜欢 Microsoft 终端服务器，您甚至可以为您的计算机设置 SSH 隧道并通过它安全地连接到您的 Web 服务器。

With ssh tunnelingyou even can forward the 3306 port of your remote server to a local port and connect using local phpMyAdmin or MySQL Workbench.

使用ssh 隧道，您甚至可以将远程服务器的 3306 端口转发到本地端口并使用本地 phpMyAdmin 或 MySQL Workbench 进行连接。

I understand that this option is an overkill, but is as secure as the access of your private key.

我知道这个选项有点矫枉过正，但与访问您的私钥一样安全。

The best way to secure phpMyAdmin is the combination of all these 4:

保护 phpMyAdmin 的最佳方法是结合所有这 4 种方法：

1. Change phpMyAdmin URL
2. Restrict access to localhost only.
3. Connect through SSH and tunnel connection to a local port on your computer
4. Setup SSL to already encrypted SSH connection. (x2 security)

Here is how to do these all with: Ubuntu 16.4 + Apache 2 Setup Windows computer + PuTTY to connect and tunnel the SSH connection to a local port:

以下是如何完成所有这些操作： Ubuntu 16.4 + Apache 2 设置 Windows 计算机 + PuTTY 以连接 SSH 连接并将其隧道连接到本地端口：

# Secure Web Serving of phpMyAdmin (change URL of phpMyAdmin):

    sudo nano /etc/apache2/conf-available/phpmyadmin.conf
            /etc/phpmyadmin/apache.conf
        Change: phpmyadmin URL by this line:
            Alias /newphpmyadminname /usr/share/phpmyadmin
        Add: AllowOverride All
            <Directory /usr/share/phpmyadmin>
                Options FollowSymLinks
                DirectoryIndex index.php
                AllowOverride Limit
                ...
        sudo systemctl restart apache2
        sudo nano /usr/share/phpmyadmin/.htaccess
            deny from all
            allow from 127.0.0.1

        alias phpmyadmin="sudo nano /usr/share/phpmyadmin/.htaccess"
        alias myip="echo ${SSH_CONNECTION%% *}"

# Secure Web Access to phpMyAdmin:

        Make sure pma.yourdomain.com is added to Let's Encrypt SSL configuration:
            https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

        PuTTY => Source Port (local): <local_free_port> - Destination: 127.0.0.1:443 (OR localhost:443) - Local, Auto - Add

        C:\Windows\System32\drivers\etc
            Notepad - Run As Administrator - open: hosts
                127.0.0.1 pma.yourdomain.com

        https://pma.yourdomain.com:<local_free_port>/newphpmyadminname/ (HTTPS OK, SSL VPN OK)
        https://localhost:<local_free_port>/newphpmyadminname/ (HTTPS ERROR, SSL VPN OK)

        # Check to make sure you are on SSH Tunnel
            1. Windows - CMD:
                ping pma.yourdomain.com
                ping www.yourdomain.com

                # See PuTTY ports:
                netstat -ano |find /i "listening"

            2. Test live:
                https://pma.yourdomain.com:<local_free_port>/newphpmyadminname/

If you are able to do these all successfully,

如果你能够成功地完成这些，

you now have your own url path for phpmyadmin,
you denied all access to phpmyadmin except localhost,
you connected to your server with SSH,
you tunneled that connection to a port locally,
you connected to phpmyadmin as if you are on your server,
you have additional SSL conenction (HTTPS) to phpmyadmin in case something leaks or breaks.

The simplest approach would be to edit the webserver, most likely an Apache2 installation, configuration and give phpmyadmin a different name.

最简单的方法是编辑网络服务器，最有可能是 Apache2 安装、配置并给 phpmyadmin 一个不同的名称。

A second approach would be to limit the IP addresses from where phpmyadmin may be accessed (e.g. only local lan or localhost).

第二种方法是限制可以访问 phpmyadmin 的 IP 地址（例如，仅本地 LAN 或 localhost）。

You can use the following command :

您可以使用以下命令：

$ grep "phpmyadmin" $path_to_access.log | grep -Po "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | sort | uniq | xargs -I% sudo iptables -A INPUT -s % -j DROP 

Explanation:

解释：

Make sure your IP isn't listed before piping through iptables drop!!

在通过 iptables drop 管道之前，请确保您的 IP 未列出！！

This will first find all lines in $path_to_access.log that have phpmyadmin in them,

这将首先找到 $path_to_access.log 中包含 phpmyadmin 的所有行，

then grep out the ip address from the start of the line,

然后从行首grep出IP地址，

then sort and unique them,

然后对它们进行排序和唯一化，

then add a rule to drop them in iptables

然后添加一条规则将它们放入 iptables

Again, just edit in echo %at the end instead of the iptables command to make sure your IP isn't in there. Don't inadvertently ban your access to the server!

同样，只需在echo %最后编辑而不是 iptables 命令，以确保您的 IP 不在那里。不要无意中禁止您访问服务器！

Limitations

限制

You may need to change the grep part of the command if you're on mac or any system that doesn't have grep -P. I'm not sure if all systems start with xargs, so that might need to be installed too. It's super useful anyway if you do a lot of bash.

如果您使用的是 mac 或任何没有 grep -P 的系统，您可能需要更改命令的 grep 部分。我不确定是否所有系统都以 xargs 开头，因此可能也需要安装它。如果您进行大量 bash，它无论如何都非常有用。