True, but that should be locked down? For remote access to sensitive services I use a ssh tunnel to the internal private network, things like MySQL are open only to that network, which allows me to e.g. securely replicate an offsite backup, or if I chose, to run phpMyadmin on my local machine (but there are better tools when you have wire access.) Well, this assumes you control the hardware, or at least ssh access. Not often the case.
I use VLAN tagging and split networking to sequester my administrative sites from those facing the outside world. My NAS heads, PHPmyadmin pages, and any SUDO accesses can only be achieved through a secure SSH connection using certificates, and they’re only accessible within the network.
That being said, PHP is PHP. If it’s infected, it’s infected the entire app, not just a portion of the site.