Security pros recommend against using the WP-phpmyadmin plugin


Dre Armeda of Sucuri Security has recommended against using the WP-phpmyadmin plugin for security reasons. According to Armeda, his security team has seen multiple sites hacked via the plugin and is still investigating the issue. The plugin was developed four years ago to incorporate phpMyAdmin directly into the WordPress Dashboard.

The plugin is currently not in the WordPress.org Plugin Directory; it was removed for potentially exposing server information. While no one can download the plugin now, it's still possible that you are running it.
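One way to check whether a plugin that is no longer in the directory is still sitting in an install is to read the `Plugin Name:` header of every plugin under `wp-content/plugins`. The script below is an added example, not code from the article or from Sucuri; the directory slugs `wp-phpmyadmin` and `portable-phpmyadmin` in its denylist are assumptions about how the plugins were packaged, and the fixture it builds is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the article): audit a WordPress install for
# phpMyAdmin-style plugins. Walks wp-content/plugins, reads each plugin's
# "Plugin Name:" header, and flags a plugin when its directory slug is on the
# denylist or its name contains "phpmyadmin". The slugs in the denylist are
# assumptions, not values taken from the article.

# Usage: audit_plugins /path/to/wordpress
# Prints "<status> <slug> <Plugin Name>" per plugin; returns 1 if anything was
# flagged (installed is enough, active or not), 0 otherwise.
audit_plugins() {
    wp_root="$1"
    denylist="wp-phpmyadmin portable-phpmyadmin"   # assumed directory slugs
    found=0
    for dir in "$wp_root"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        slug=$(basename "$dir")
        # First "Plugin Name:" header among the plugin's top-level PHP files;
        # headers live in a comment block, so allow leading spaces or "*".
        name=$(cat "$dir"*.php 2>/dev/null \
               | grep -i '^[[:space:]*]*Plugin Name:' \
               | head -n1 \
               | sed 's/^[^:]*:[[:space:]]*//')
        status=ok
        for bad in $denylist; do
            [ "$slug" = "$bad" ] && { status=FLAGGED; found=1; }
        done
        # Catch renamed copies by looking at the declared name, case-insensitively.
        case "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" in
            *phpmyadmin*) status=FLAGGED; found=1 ;;
        esac
        printf '%s %s %s\n' "$status" "$slug" "$name"
    done
    return $found
}

# Constructed fixture: a throwaway WordPress tree with one ordinary plugin and
# one phpMyAdmin plugin, so the audit can be exercised offline.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/akismet" \
             "$root/wp-content/plugins/wp-phpmyadmin"
    printf '<?php\n/*\nPlugin Name: Akismet\n*/\n' \
        > "$root/wp-content/plugins/akismet/akismet.php"
    printf '<?php\n/**\n * Plugin Name: WP-phpMyAdmin\n */\n' \
        > "$root/wp-content/plugins/wp-phpmyadmin/wp-phpmyadmin.php"
    printf '%s' "$root"
}

# Run against the fixture when executed directly:
#   root=$(make_fixture); audit_plugins "$root"; echo "exit=$?"; rm -rf "$root"
```

Point the function at a real install root (the directory holding `wp-config.php`) instead of the fixture to audit a live site; a non-zero exit status is the signal to deactivate and delete what it flagged.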

Armeda also recommends Sucuri’s SiteCheck tool to determine whether your site is currently compromised, whether by WP-phpmyadmin or anything else.

Have you ever used the WP-phpmyadmin plugin? Have you ever run into a security issue on your site that was introduced by a plugin?

5 thoughts on “Security pros recommend against using the WP-phpmyadmin plugin”

  1. I have used it, recently in fact. It comes in handy when developing sites on hosts that deny user access to the database.

    When I’ve used it, in rare cases under rare circumstances, I’ve always deleted it directly after I was done using it – not because I knew of any security risks involved, but because it seemed rather dangerous to leave the phpmyadmin hanging open like that in a user Dashboard where that user may not be too savvy about such things.

    “Ooooo, what’s this…shiny!” *click* ….. *oops*

    • Hi Lisa, we’ve been asked about other plugins that are similar, and although they may not be insecure, there is always the risk of the site being exploded by an inexperienced user :/

      We’d recommend against it altogether if avoidable.

      Cheers!

  2. I’ve used the Portable phpMyAdmin plugin instead, which also had a similar issue (and which was fixed in the latest version).

    For plugins like this, I agree with Lisa. Install it, do what you need to do, remove it. Users are rarely savvy about that sort of thing.

    • Exactly Otto, it could be very dangerous in a production environment without the proper access control around it.

  3. Interesting you mention this as I use it all the time when clients don’t or can’t give me cPanel access. But I always deactivate and delete after using it, as like Lisa said it always seemed rather dangerous to me.
