Remove phpMyAdmin from your webroot!


31 October 2009
When setting up a new domain, a new web server or a new database server, many webmasters and web developers use phpMyAdmin to manage their MySQL databases. There are alternatives, but in my opinion phpMyAdmin is one of the best available for the web. But where should you put phpMyAdmin in your directory structure while setting up a website?

Most of the time I put it right under the root, e.g. www.rubenleusink.com/phpmyadmin/. Placing it in your webroot is simply the handiest thing to do for the time being. But even though it's handy, it's also one of the most insecure places for it. Why? I'll explain right away.

There are an awful lot of exploits for phpMyAdmin. If you go through your access.log you'll see the enormous number of requests for different variants of the phpMyAdmin path. I point you to access.log because JavaScript-based tracking code like Google Analytics doesn't see those requests (a scanner never runs the tracking script). Looking through your access.log, you'll see requests for paths like:

  • /phpMyAdmin
  • /PHPmyadmin
  • /PhpMyAdmin
  • /phpMYadmin
  • and so on...
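As an added illustration (not part of the original post), here is a small Python script that does the access.log check described above: it parses combined-format log lines, flags any request whose path contains "phpmyadmin" in any letter casing, counts probes per source address, and warns when a probe got a 2xx/3xx answer, which means something really is listening at that path. The log lines below are constructed sample data, not taken from a real server.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signature: the string "phpmyadmin" anywhere in the path, any casing,
# which covers /phpMyAdmin, /PHPmyadmin, /PhpMyAdmin, /phpMYadmin and so on.
PROBE_RE = re.compile(r'phpmyadmin', re.IGNORECASE)

# Constructed sample log (documentation-range addresses, not a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2009:10:01:12 +0100] "GET /phpMyAdmin/ HTTP/1.1" 404 211 "-" "Mozilla/4.0"
203.0.113.7 - - [31/Oct/2009:10:01:13 +0100] "GET /PHPmyadmin/ HTTP/1.1" 404 211 "-" "Mozilla/4.0"
203.0.113.7 - - [31/Oct/2009:10:01:13 +0100] "GET /PhpMyAdmin/ HTTP/1.1" 404 211 "-" "Mozilla/4.0"
203.0.113.7 - - [31/Oct/2009:10:01:14 +0100] "GET /phpMYadmin/ HTTP/1.1" 404 211 "-" "Mozilla/4.0"
198.51.100.4 - - [31/Oct/2009:10:02:40 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Oct/2009:10:02:41 +0100] "GET /images/logo.png HTTP/1.1" 200 812 "http://www.example.com/" "Mozilla/5.0"
192.0.2.9 - - [31/Oct/2009:10:05:02 +0100] "GET /phpmyadmin/index.php HTTP/1.0" 200 1480 "-" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(log_text):
    """Scan log text for phpMyAdmin path probes.

    Returns (hits, paths, answered):
      hits     - Counter of probe requests per source IP
      paths    - dict ip -> set of distinct probed paths
      answered - list of (ip, path, status) for probes that got a 2xx/3xx,
                 i.e. a phpMyAdmin install is actually reachable there
    """
    hits = Counter()
    paths = defaultdict(set)
    answered = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        if PROBE_RE.search(rec["path"]):
            hits[rec["ip"]] += 1
            paths[rec["ip"]].add(rec["path"])
            if rec["status"].startswith(("2", "3")):
                answered.append((rec["ip"], rec["path"], rec["status"]))
    return hits, paths, answered


def report(log_text):
    """Print a per-IP summary and a warning for every probe that was answered."""
    hits, paths, answered = find_probes(log_text)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} probe(s) -> {sorted(paths[ip])}")
    for ip, path, status in answered:
        print(f"WARNING: {path} answered {status} to {ip}; phpMyAdmin is reachable from the web")
    return hits, answered


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real file with `report(open("/var/log/apache2/access.log").read())`. A 404 for every probe is the situation you want; any probe with a 200 in the report means the install is still in the webroot at a guessable path.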

With every update of phpMyAdmin, new exploits come out as well. It's not that bad, but you have to remove phpMyAdmin from your webroot. If you don't, there is a big chance that your server will be compromised through an exploit, writing scripts into your /tmp/ directory and starting bash or perl code that fetches new scripts from malicious servers, mostly Russian or Chinese ones.

The phpMyAdmin code wasn't written to be exposed publicly on the internet. It was primarily written to administer your MySQL database within a secure environment, not to sit on the open web.
If you don't want your server to be hacked or used for things other than serving your web pages, remove phpMyAdmin from your webroot right after you're done setting up your website.
2009-10-31 by hill
It's also an option to only allow people from trusted hosts or IP addresses. You can fix that by adding

    Order deny,allow
    Deny from all
    Allow from [host]

in your virtual host.
2009-10-31 by Martijn Beijk
Or, if you really need it to be online, secure it with htpasswd and change the default location! But maybe there are even better solutions.
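As an added example (not from the post or either comment), here is what the two suggestions above look like combined in an Apache 2.2-style configuration: the install is moved out of the DocumentRoot, mapped under a non-default URL, restricted to listed addresses, and protected with an htpasswd file. The alias name, the install path, the htpasswd path and the trusted address are placeholders.

```apache
# Added example. Directives are Apache 2.2 syntax (Order/Deny/Allow); on
# Apache 2.4 these need mod_access_compat, or the equivalent "Require ip" rules.

# The files live outside the webroot and are only reachable under a
# non-default URL (placeholder name).
Alias /db-console-7f3a /opt/phpmyadmin

<Directory /opt/phpmyadmin>
    # 1. Network restriction, as in the first comment: deny everyone, then
    #    allow only trusted hosts/addresses (placeholder values).
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    Allow from 127.0.0.1

    # 2. Password protection, as in the second comment. Create the file with
    #    "htpasswd -c /etc/apache2/pma.htpasswd <user>" and keep it outside
    #    the webroot so it can never be downloaded.
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/pma.htpasswd
    Require valid-user

    # Both conditions must hold: the request must come from an allowed
    # address AND carry valid credentials (the default is also "All", but
    # stating it avoids surprises if someone sets "Satisfy Any" elsewhere).
    Satisfy All
</Directory>
```

After reloading Apache, a request to the old /phpmyadmin/ path should return 404, and a request to the new alias from an address that is not listed should return 403 before any password prompt appears.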