If any answer is YES → vulnerable. If all NO → well hardened.
—but the login screen remained stubborn. He pivoted to the "verified" methods listed on HackTricks. He checked for the config.inc.php.swp phpmyadmin hacktricks verified
If $cfg['blowfish_secret'] is weak or default, you can decrypt session cookies and impersonate admin. If any answer is YES → vulnerable
