All these precautions are good, but I have applied an extra security layer which is best to stop brute-forcing.
Example:
Create a PHP function that gets the user's IP, e.g.:
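    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers sent by the
    // client or a proxy; REMOTE_ADDR is the address of the connecting peer.
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }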
If you can't find the IP, return false because it is not a valid user.
If the IP is found, then use the geoplugin.net API to get the user's location via cURL, e.g.:
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_URL, "http://www.geoplugin.net/json.gp?ip=".$ip);
    curl_setopt($ch2, CURLOPT_HEADER, 0);            // leave response headers out of the result
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, TRUE); // return the body instead of printing it
    $ip_data_in = curl_exec($ch2); // string
    curl_close($ch2);
This piece of code will return JSON data for the user's IP, e.g.:
    {
        "geoplugin_request":"104.196.xx.xxx",
        "geoplugin_status":200,
        "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",
        "geoplugin_city":"Mountain View",
        "geoplugin_region":"CA",
        "geoplugin_areaCode":"650",
        "geoplugin_dmaCode":"807",
        "geoplugin_countryCode":"US",
        "geoplugin_countryName":"United States",
        "geoplugin_continentCode":"NA",
        "geoplugin_latitude":"37.4192",
        "geoplugin_longitude":"-122.0574",
        "geoplugin_regionCode":"CA",
        "geoplugin_regionName":"California",
        "geoplugin_currencyCode":"USD",
        "geoplugin_currencySymbol":"$",
        "geoplugin_currencySymbol_UTF8":"$",
        "geoplugin_currencyConverter":1
    }
Now you can decode the JSON string into a PHP array and get the IP location, e.g. city, region, country:
    $ip_data = json_decode($ip_data_in, true);            // decode into an associative array
    $ip_data = str_replace('&quot;', '"', $ip_data);      // un-escape HTML-encoded quotes in the values
    if (isset($ip_data) && !empty($ip_data['geoplugin_countryName'])) {
        $user_ip = trim($ip_data['geoplugin_request']);
        $city = trim($ip_data['geoplugin_city']);
        $region = trim($ip_data['geoplugin_region']);
        $country = trim($ip_data['geoplugin_countryName']);
        return $userData = array('userIP' => $user_ip, 'userCity' => $city, 'userRegion' => $region, 'userCountry' => $country,);
    } else {
        return false; // lookup failed or returned no country
    }
So now the actual logic starts here. Normally a server owner uses his home or office internet connection, never changes his ISP frequently, and also does not use proxy IPs to log in to his server, so the server administrator uses the same location all the time. In my case my ISP mostly uses three locations in my country and assigns them to my IP... my country never changes, but the city changes when I reboot my router.
So the point is that the above code will return the country and the city as well... you can apply these checks to restrict unwanted login attempts, as follows:
Call this function at the very first line of index.php of phpMyAdmin, within the <?php tag:
    $user_trace = ip_visitor_country();
    $allowed_cntry = array('United States');
    $allowed_city = array('New York', 'Los Angeles', 'Chicago');
    if (!in_array($user_trace['userCity'], $allowed_city) || !in_array($user_trace['userCountry'], $allowed_cntry)) {
        echo "Access Denied";
        die();
    }
Now phpMyAdmin will only be accessible in the United States, within the three locations 'New York', 'Los Angeles', 'Chicago'. Otherwise it will stop further execution of the code.
As you all know very well, brute-force scripts change the IP on every attempt.
So the above code will not give them a single chance to reach the user and password fields...
If you like this method... you can use it and be tension-free from brute-forcing :)
Thanks
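
Added example, not part of the original answer: the location check is only as reliable as the address it looks up, and Client-IP and X-Forwarded-For are request headers, so this version derives the address from REMOTE_ADDR and reads X-Forwarded-For only when the peer is a known reverse proxy. `resolve_client_ip()`, `$trustedProxies` and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not from the original answer. resolve_client_ip() and
// $trustedProxies are hypothetical names; all addresses are constructed.

// Returns the address to pass to the location lookup, or false to deny.
function resolve_client_ip(array $server, array $trustedProxies = [])
{
    // REMOTE_ADDR is the TCP peer and cannot be set through a request header.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Forwarding headers count only when the peer is one of our own proxies.
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // Walk the chain right to left: the first hop that is not one of our
    // proxies is the address our outermost proxy accepted the connection from.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return false; // malformed chain: fail closed
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests (documentation address ranges).
$proxies = ['198.51.100.10'];
$cases = [
    'direct peer, headers present' => ['REMOTE_ADDR' => '203.0.113.7',
        'HTTP_CLIENT_IP' => '192.0.2.55', 'HTTP_X_FORWARDED_FOR' => '192.0.2.55'],
    'behind our proxy' => ['REMOTE_ADDR' => '198.51.100.10',
        'HTTP_X_FORWARDED_FOR' => '192.0.2.55, 203.0.113.7'],
    'malformed chain' => ['REMOTE_ADDR' => '198.51.100.10',
        'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($cases as $label => $server) {
    $ip = resolve_client_ip($server, $proxies);
    echo str_pad($label, 30), $ip === false ? 'deny' : $ip, PHP_EOL;
}
```

The returned address takes the place of `$ip` in the lookup, and a `false` result is denied in the same way as a failed lookup.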