Disabling phpMyAdmin in Azure App Service WordPress Installations

Introduction

When you set up WordPress on Azure App Service using the Create WordPress on App Service option, you might notice that phpMyAdmin is enabled by default. This is because phpMyAdmin comes bundled with the Docker image Azure employs for this particular WordPress deployment. While phpMyAdmin is a potent tool, there might be scenarios where you'd want to keep it deactivated, especially from a security standpoint. In this blog post, we'll walk you through the steps to deactivate phpMyAdmin.

Moreover, if you have Azure Front Door, there's an added layer of security you can implement. By using Azure Front Door together with a Front Door WAF policy, you can block requests whose URI contains specific strings. In simpler words, you can regulate traffic to your site based on predefined criteria.

Example Rule in Front Door WAF policy's Custom Rules:

If:
   - Match Type: String
   - Match Variable: Request URI
   - Operator: Contains
   - Match Values: phpMyAdmin
Then:
   Deny Traffic

To quickly check whether Azure Front Door is blocking the request, send a request with a URL that matches the rule and look for the message "The request is blocked." in the response. You can use the following curl command:

curl -s [your_website_url] | grep 'The request is blocked.'

If the output displays <h2>The request is blocked.</h2>, the block message is present in the response, which means the WAF rule intercepted the request.

Additionally, phpMyAdmin can be fully disabled in the App Service settings, rather than just being intercepted through Azure Front Door:

# Log into Azure:
az login

# Select your Azure subscription:
az account list --output table
az account set --subscription [id]

# Deactivate phpMyAdmin in your App Service settings:
az webapp config appsettings set --name [YourWebAppName] --resource-group [YourResourceGroupName] --settings SETUP_PHPMYADMIN=false

# Confirm the change:
az webapp config appsettings list --name [YourWebAppName] --resource-group [YourResourceGroupName]
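
The two manual checks above (the curl test for the Front Door block page and the app-setting confirmation) can be scripted into a single pass/fail audit. This is an added example, not part of the original post; it assumes both controls are in use, and the function names and the APP, RG and URL variables are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
BLOCK_MARKER='The request is blocked.'   # block-page text quoted in the post

# setting_state VALUE: classify the SETUP_PHPMYADMIN app setting.
# VALUE is empty when the setting does not exist on the web app.
setting_state() {
  case "$1" in
    false) echo disabled ;;
    '')    echo enabled-by-default ;;  # per the post, phpMyAdmin is on by default
    *)     echo review ;;              # anything but the exact value the post sets
  esac
}

# waf_blocks BODY: succeed only if BODY contains the Front Door block-page text.
waf_blocks() {
  printf '%s' "$1" | grep -qF "$BLOCK_MARKER"
}

# audit VALUE BODY: print one finding per control; exit status 0 only when
# the setting is disabled and the WAF rule answered the request.
audit() {
  rc=0
  state=$(setting_state "$1")
  if [ "$state" = disabled ]; then
    echo "PASS app setting: SETUP_PHPMYADMIN=false"
  else
    echo "FAIL app setting: $state"; rc=1
  fi
  if waf_blocks "$2"; then
    echo "PASS Front Door WAF: block page returned"
  else
    echo "FAIL Front Door WAF: block page not returned"; rc=1
  fi
  return "$rc"
}

# Live use (APP, RG and URL are placeholders; URL must contain the string
# the custom rule matches on):
#   value=$(az webapp config appsettings list --name "$APP" \
#             --resource-group "$RG" \
#             --query "[?name=='SETUP_PHPMYADMIN'].value" --output tsv)
#   audit "$value" "$(curl -s "$URL")"
```

A missing setting is reported as a failure because, as described above, phpMyAdmin is enabled unless SETUP_PHPMYADMIN is explicitly set to false.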