If you must use phpMyAdmin, know the risks.
You are potentially exposing your WordPress and other databases – all of them – to the world and her hacker and, with a username of ‘root’, all that stands between your data and the black market is a brute force attack.
Here are some must-do provisos for pinning down this otherwise top-notch database manager (the principles being very much the same for other administrative control panels. Take the hint!):
- Run it under SSL without exception
- Use a r0cS$0liDpa$Sw0rD
- Add an extra layer of authentication with, for example, mod_digest ..
- … with a username that is not ‘root’ and a second password
- Whether sub-domain or sub-directory, don't call it phpmyadmin.myblog.com
- … then again, don't bury it in a sub-directory either, some unloved folder, somewhere, that nobody administers ..
- Instead, set up PMA as a sub-domain with its own virtual host
- Whether in the virtual host or htaccess file (for shared it's the latter), deny all except localhost ..
- … requiring users to access it via SSH with port forwarding
- Specify a non-standard port just for PMA
- Use a tool such as OSSEC to block malbots
- Set it up on a totally different box
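Several of the provisos above (SSL only, a sub-domain with its own virtual host, a non-standard port, a second non-root login in front of PMA, and localhost-only access reached over an SSH tunnel) can be expressed in one Apache 2.4 virtual host. This is an added example, not configuration from the original post or from the phpMyAdmin project; the hostname, port, certificate paths, DocumentRoot and digest file are assumptions to adjust for your own box.

```apache
# Added example: phpMyAdmin on its own sub-domain and port, SSL only.
# Everything below is an assumed layout, not a recommendation of specific paths.
Listen 8443 https

<VirtualHost *:8443>
    # Assumed sub-domain; deliberately not "phpmyadmin.<anything>".
    ServerName dbadmin-x9q.example.com
    # Assumed install path of the phpMyAdmin package.
    DocumentRoot /usr/share/phpmyadmin

    # Only ever serve PMA over TLS (assumed certificate paths).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/dbadmin.crt
    SSLCertificateKeyFile /etc/ssl/private/dbadmin.key

    <Directory /usr/share/phpmyadmin>
        # Second, independent login in front of PMA's own form (mod_auth_digest).
        # Create the file with a non-root user, e.g.:
        #   htdigest -c /etc/apache2/pma.digest dbadmin alice
        # The realm given to htdigest must equal AuthName.
        AuthType Digest
        AuthName "dbadmin"
        AuthUserFile /etc/apache2/pma.digest

        # Both conditions must hold: a valid digest user AND a connection
        # from the box itself. Two bare Require lines would be OR-ed
        # (implicit RequireAny), so they are wrapped in RequireAll.
        <RequireAll>
            Require local
            Require valid-user
        </RequireAll>
    </Directory>
</VirtualHost>
```

With "Require local" in place a remote admin first opens a tunnel, ssh -L 8443:127.0.0.1:8443 user@host, then browses to https://localhost:8443/, so the only thing listening to the outside world is SSH; expect a certificate name mismatch in the browser unless the certificate also covers localhost.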
A touch dramatic? Perhaps a trifle, if security is something to be trifled with? Take what steps you can and consider this: one day you may never know just what a sensible move it was to spend all that time securing your databases.
… Ignorance is, indeed, bliss.
Safer database administration
While there are measures to secure phpMyAdmin's otherwise risky web interface, there are other ways to manage databases that are better, IMHO, and easier to secure.
Learning the intricacies of MySQL syntax and crunching the console could be one of them, cutting out PMA's extraneous control panel along with yet another attack route. Then again, one over-tired slip at the shell and, oops, how recent is that backup?
An alternative is to have a local interface that connects to your data with one of those nice encrypted SSH tunnelly things:
Control panel login
Whether you use cPanel or Plesk with a shared web host or else, say, Webmin or ISPConfig strapped onto a VPS or dedicated server, the principles for securing the control panel are the same as for any GUI panel. (Some of us will have to rely on our web hosting provider's wisdom, sure.) This is equally the case for any type of server-side panel, such as the one we'll be implementing in wpCop's defense in depth for extra security functionality, for instance to help stay on top of server and site logs.
In all cases, a definite double ditto can underline the security provisos listed above for phpMyAdmin. Really, there's no more to add that hasn't been said there so, if in doubt, read it again.
Just keep smiling. 😀