I'm generally not a fan of it, either, but sometimes the (l)users need tools we don't like. So.
1) Run it over TLS only, so that usernames, passwords and other sensitive data don't go across in the clear.
2) Lock it down to access only from trusted IP addresses (you can do this a variety of ways with the help of pf, running on alternate ports, a different IP, etc.).
3) Use the authenticate directive, e.g. authenticate "admin.example.com" with htpasswd, as a second layer of defense to the MySQL login for PHPMA.
4) Make sure that MySQL users have the least privileges necessary to operate.

On Tue, Jun 13, 2017 at 4:56 PM, Stuart Henderson <[email protected]> wrote:
> On 2017-06-13, Markus Rosjat <[email protected]> wrote:
> > would like to get opinions on securing the whole thing ...still :)
>
> Deleting phpmyadmin would be a good start :-)
>
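As an added illustration (not part of the thread, and not a configuration any of the posters supplied), here is what points 1 to 3 look like on OpenBSD: an httpd.conf server block that listens over TLS only, on an alternate port, with the authenticate directive in front of phpMyAdmin, and a pf.conf fragment that restricts that port to a table of trusted addresses. The hostname, certificate paths, port 8443, the htpasswd file location, the socket path and the admin addresses are all assumed values for the example.

```conf
# /etc/httpd.conf (example fragment, assumed names and paths)
#
# Point 1: a TLS-only listener, so there is no plaintext vhost at all
# for credentials to leak through.
# Point 2: an alternate port on the external interface, filtered by pf below.
# Point 3: httpd basic auth in front of the phpMyAdmin login itself.

server "admin.example.com" {
	# no plain "listen on ... port 80" here: TLS only
	listen on egress tls port 8443

	tls {
		certificate "/etc/ssl/admin.example.com.fullchain.pem"
		key "/etc/ssl/private/admin.example.com.key"
	}

	# paths are relative to the httpd chroot (/var/www)
	root "/phpmyadmin"
	directory index index.php

	# Second layer of defense: the password file lives inside the chroot.
	# Create it with:  htpasswd /var/www/htpasswd pmaadmin
	# and make it readable only by root and the www user (chown root:www, chmod 640).
	authenticate "admin.example.com" with "/htpasswd"

	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
}

# /etc/pf.conf (example fragment, assumed addresses)
#
# Point 2 again: only the listed admin hosts may reach the listener.
# pf uses last-match semantics, so the block is written first and the
# narrower pass rule wins for the trusted table.
table <pma_admins> { 192.0.2.10, 198.51.100.0/24 }
block in on egress proto tcp to (egress) port 8443
pass in on egress proto tcp from <pma_admins> to (egress) port 8443
```

Point 4 is done on the database side rather than in httpd: the account phpMyAdmin logs in as should carry only the grants the work needs (for instance `GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app'@'localhost'` rather than `ALL PRIVILEGES ON *.*`), so that a bypass of the two login layers above still cannot reach every schema on the server.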

