How to Secure phpMyAdmin : A Step-by-Step Guide

phpMyAdmin is a powerful tool for managing MySQL and MariaDB databases through a web interface, but it is also a security risk if it is not properly protected. Attackers routinely scan for exposed phpMyAdmin instances, because one guessed password hands them the whole database.

In this guide, I'll walk you through a step-by-step process to secure phpMyAdmin and prevent potential attacks.


Basic Security


  • Change the default URL
  • Restrict access by IP
  • Use strong authentication
  • Disable root login
  • Keep phpMyAdmin updated


Advanced Security


  • Use Fail2Ban to block brute-force attacks
  • Install Web Application Firewall (WAF)
  • Disable unnecessary features


Basic Security Steps


1 ] Change the Default phpMyAdmin URL

Why change it?

By default, phpMyAdmin is served at https://yourdomain.com/phpmyadmin, and automated scanners request that path on every host they find, so the login page is discovered within minutes of going online. Moving it to an unpredictable path takes your instance out of that background noise. This is obscurity only: anyone who learns the new path is back where they started, so treat it as a first step and combine it with the access controls in steps 2 and 3.

How to do it

For Apache Users :

  • Open the Apache configuration file for phpMyAdmin (on Debian and Ubuntu this is a symlink to /etc/phpmyadmin/apache.conf, shipped by the package)

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

  • Look for the line

Alias /phpmyadmin /usr/share/phpmyadmin

  • Change /phpmyadmin to a unique name like /mysecureadmin

Alias /mysecureadmin /usr/share/phpmyadmin

  • Save the file, check the syntax with apache2ctl configtest, and restart Apache

sudo systemctl restart apache2

For Nginx Users :

  • Open the Nginx configuration file for your site

sudo nano /etc/nginx/sites-available/default

  • Find the location block for phpMyAdmin. A block that uses root, as many tutorials do, maps /phpmyadmin to /usr/share/phpmyadmin/phpmyadmin, which does not exist; alias is the directive that maps a URL prefix onto a different directory

location /phpmyadmin {
    alias /usr/share/phpmyadmin;
}

  • Change /phpmyadmin to a unique name like /mysecureadmin, and make sure the location that passes .php requests to PHP-FPM still matches the new prefix

location /mysecureadmin {
    alias /usr/share/phpmyadmin;
}

  • Save the file, check the syntax with nginx -t, and restart Nginx

sudo systemctl restart nginx


2 ] Enable HTTP Authentication (Extra Login Layer)

Why it matters

A username/password prompt enforced by the web server sits in front of phpMyAdmin's own login form. Unauthenticated requests are rejected by Apache or Nginx before any PHP runs, so password guessing against the phpMyAdmin form, and any pre-authentication bug in phpMyAdmin itself, can only be attempted by someone who already holds the HTTP credentials. Use a different password from the MySQL one, and only serve this over HTTPS: HTTP Basic authentication sends the credentials with every request, protected by nothing but the TLS layer.

How to do it

For Apache Users :

  • Create a password file (htpasswd comes with the apache2-utils package; -c creates the file and overwrites an existing one, -B stores the password as bcrypt instead of the weaker default hash)

sudo htpasswd -cB /etc/apache2/.pma_pass myadminuser

You'll be prompted to set a password for myadminuser.

  • Edit the Apache configuration file

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

  • Add the following directives inside the <Directory /usr/share/phpmyadmin> block that already exists in that file

<Directory /usr/share/phpmyadmin>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.pma_pass
    Require valid-user
</Directory>

  • Save the file and restart Apache

sudo systemctl restart apache2

For Nginx Users :

  • Create a password file (htpasswd is not part of Nginx; install apache2-utils to get it)

sudo htpasswd -cB /etc/nginx/.pma_pass myadminuser

  • Edit the Nginx configuration file

sudo nano /etc/nginx/sites-available/default

  • Inside the location block for phpMyAdmin (the one from step 1, which keeps its alias), add the two auth_basic directives

location /mysecureadmin {
    alias /usr/share/phpmyadmin;
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.pma_pass;
}

  • Save the file and restart Nginx

sudo systemctl restart nginx


3 ] Restrict Access by IP Address

Why it matters

Allowing phpMyAdmin only from a few known addresses (your office, your VPN exit, a bastion host) makes the login page unreachable from the rest of the internet, whatever password is in use. It works best with static addresses; if yours changes, route through a VPN or bastion with a fixed address rather than widening the list.

How to do it

For Apache Users :

  • Open the Apache configuration file

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

  • Find the <Directory> section and add one Require ip line per allowed address or CIDR range

<Directory /usr/share/phpmyadmin>
    Require ip 192.168.1.100
    Require ip 203.0.113.5
</Directory>

Replace 192.168.1.100 and 203.0.113.5 with your own addresses. If step 2's Require valid-user is in the same block, wrap all the Require lines in a <RequireAll> container: on their own, several Require directives are combined with OR, so a listed address would skip the password and a valid password would skip the IP check.

  • Save the file and restart Apache

sudo systemctl restart apache2

For Nginx Users :

  • Open the Nginx configuration file

sudo nano /etc/nginx/sites-available/default

  • Inside the location block for phpMyAdmin, add allow lines for your addresses followed by deny all

location /mysecureadmin {
    alias /usr/share/phpmyadmin;
    allow 192.168.1.100;
    allow 203.0.113.5;
    deny all;
}

For both servers the check is made against the address of the TCP peer. If a reverse proxy, load balancer or CDN sits in front of phpMyAdmin, that peer is the proxy itself, and the allow-list has to be applied to the real client address through the server's forwarded-header support (Apache's mod_remoteip, Nginx's real_ip module), with only the proxy declared as trusted.

  • Save the file and restart Nginx

sudo systemctl restart nginx
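The proxy caveat is easy to get wrong, so here is the decision spelled out in code. The Python below is an added example, not code from this article or from phpMyAdmin, Apache or Nginx: it reproduces the allow-list check (CIDR entries included, which both Require ip and allow accept) and derives the client address by walking X-Forwarded-For from the nearest hop outwards, discarding only proxies that have been declared trusted. The allow-list entries, the hypothetical trusted proxy 172.16.0.10 and the sample requests are all constructed; the naive variant is included to show what an attacker can do with a spoofed header.

```python
import ipaddress
from typing import Optional

# Constructed allow-list: the two hosts from the article plus a private range.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.168.1.100", "203.0.113.5", "10.0.0.0/8")]
# Hypothetical reverse proxy in front of phpMyAdmin; only it may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.10")]


def is_allowed(ip: str) -> bool:
    """Equivalent of `Require ip ...` / `allow ...; deny all;` for one address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def naive_client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """The common mistake: believe the leftmost X-Forwarded-For hop unconditionally.

    Any client can send this header, so the 'client address' is attacker-chosen."""
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Walk the hop chain from the nearest hop outwards and strip only trusted proxies.

    The TCP peer (remote_addr) is appended as the final, always-authentic hop, so a
    header sent by a host that is not a trusted proxy is ignored entirely.
    Raises ValueError on a malformed hop so the caller can fail closed."""
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    hops.append(remote_addr)
    for hop in reversed(hops):
        if not any(ipaddress.ip_address(hop) in net for net in TRUSTED_PROXIES):
            return hop
    # Every hop was a trusted proxy: no client address is recoverable.
    return remote_addr


def decide(remote_addr: str, x_forwarded_for: Optional[str] = None) -> bool:
    """Final allow/deny decision; malformed input is treated as denied."""
    try:
        return is_allowed(client_ip(remote_addr, x_forwarded_for))
    except ValueError:
        return False


if __name__ == "__main__":
    # Direct connection from an unlisted host that spoofs a listed address.
    print(decide("198.51.100.7", "203.0.113.5"))   # False
    # The same header when the request really arrives through the trusted proxy.
    print(decide("172.16.0.10", "203.0.113.5"))    # True
```

The mod_remoteip and real_ip modules do the same walk for you; the point of the example is that the list of trusted proxies must be exact, because every address in it is allowed to speak for the client.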


4 ] Disable Root Login in phpMyAdmin

Why it matters

The MySQL root account has full control over every database and is the first username any brute-force tool tries. If root cannot log in through phpMyAdmin at all, a guessed root password is useless from the web, and day-to-day work goes through an account that has only the grants it needs. Leave $cfg['Servers'][$i]['AllowNoPassword'] at its default of false for the same reason.

How to do it

  • Before turning this on, create a dedicated MySQL account for yourself with CREATE USER and GRANT, limited to the databases you actually manage, and confirm it can log in through phpMyAdmin; otherwise you lock yourself out

  • Open the phpMyAdmin configuration file

sudo nano /etc/phpmyadmin/config.inc.php

  • Add this line at the end of the file

$cfg['Servers'][$i]['AllowRoot'] = false;

  • Save and close the file


5 ] Keep phpMyAdmin Updated

Why it matters

New vulnerabilities in phpMyAdmin are published regularly, and an exposed instance running an old release is an easy target. Distribution packages can lag behind upstream, so compare the version shown on the phpMyAdmin home page with the latest release on phpmyadmin.net.

How to update it

  • For Ubuntu/Debian

sudo apt update && sudo apt install --only-upgrade phpmyadmin -y

  • For CentOS/RHEL (phpMyAdmin comes from the EPEL repository; on newer releases use dnf in place of yum)

sudo yum update phpmyadmin -y


Advanced Security Steps


1 ] Set Up Fail2Ban to Block Brute-Force Attacks

Why it matters

Attackers brute-force phpMyAdmin passwords by replaying the login POST thousands of times. Fail2Ban watches the web server log, and once an address has produced too many failed attempts inside a time window it adds a firewall rule that blocks it for a while, turning an unlimited guessing budget into a handful of attempts per hour.

How to do it

  • Install Fail2Ban

sudo apt install fail2ban -y

  • Create a new filter

sudo nano /etc/fail2ban/filter.d/phpmyadmin.conf

  • Add the following content. The failregex must contain the <HOST> tag, otherwise Fail2Ban has no address to ban and rejects the filter, and the path must be the one you chose in step 1 of the basic section (here /mysecureadmin)

[Definition]
failregex = ^<HOST> -.*"POST /mysecureadmin/index\.php HTTP/[^"]*" 200
ignoreregex =

This pattern keys on the response code: phpMyAdmin re-displays the login form with a 200 after a failed login and redirects with a 302 after a successful one. It does not see the actual authentication result, so other POSTs to index.php that return 200 can count against a legitimate user. Newer phpMyAdmin releases can log authentication failures to syslog through $cfg['AuthLog'], and Fail2Ban ships a matching phpmyadmin-syslog filter; if your versions support that, it is the more precise option.

  • Create a jail configuration file

sudo nano /etc/fail2ban/jail.local

  • Add this jail (use logpath = /var/log/nginx/access.log on Nginx)

[phpmyadmin]
enabled  = true
port     = http,https
filter   = phpmyadmin
logpath  = /var/log/apache2/access.log
maxretry = 3
findtime = 600
bantime  = 3600

  • Restart Fail2Ban

sudo systemctl restart fail2ban

Now, any address that produces 3 matching requests within 10 minutes (findtime = 600) is banned for 1 hour (bantime = 3600). Before relying on it, run the filter against the real log with fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/phpmyadmin.conf and confirm that it reports matches for actual failed logins and none for your own normal traffic: a filter that matches nothing gives a false sense of safety, and one that matches too much bans your colleagues.
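To see what the jail actually does with a log, here is the same logic in Python. This is an added example, not code from the article and not Fail2Ban's implementation: it applies the failregex above (with <HOST> as a named group) to a few constructed Apache combined-format log lines and reproduces the maxretry/findtime sliding window, so you can see which addresses would be banned and why. The addresses, timestamps and user agents are made up; the path /mysecureadmin follows step 1 of the basic section.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access.log excerpt (Apache combined format), not a real capture.
# 198.51.100.7 fails the login three times in five seconds; 203.0.113.5 logs in
# successfully (302) and then browses; 192.0.2.9 fails three times, but spread
# further apart than findtime.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2025:10:00:00 +0000] "POST /mysecureadmin/index.php HTTP/1.1" 200 4821 "-" "curl/8.5.0"
198.51.100.7 - - [01/Mar/2025:10:00:02 +0000] "POST /mysecureadmin/index.php HTTP/1.1" 200 4821 "-" "curl/8.5.0"
203.0.113.5 - - [01/Mar/2025:10:00:03 +0000] "POST /mysecureadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2025:10:00:05 +0000] "POST /mysecureadmin/index.php HTTP/1.1" 200 4821 "-" "curl/8.5.0"
203.0.113.5 - - [01/Mar/2025:10:00:07 +0000] "GET /mysecureadmin/index.php?route=/server/status HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Mar/2025:10:00:10 +0000] "POST /mysecureadmin/index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Mar/2025:10:12:00 +0000] "POST /mysecureadmin/index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Mar/2025:10:25:00 +0000] "POST /mysecureadmin/index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

# Same pattern as the filter above; Fail2Ban's <HOST> becomes the named group "host".
FAILREGEX = re.compile(
    r'^(?P<host>\S+) -.*\[(?P<ts>[^\]]+)\] '
    r'"POST /mysecureadmin/index\.php HTTP/[^"]*" 200 '
)
MAXRETRY = 3    # failures needed inside one window
FINDTIME = 600  # window length in seconds


def parse_ts(stamp: str) -> datetime:
    """Parse the bracketed timestamp of the combined log format."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time of ban} using Fail2Ban's findtime/maxretry semantics.

    An address is banned once it has `maxretry` matching lines inside any
    `findtime`-second window; further lines for a banned address are ignored."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # not a failed login POST (wrong method, path or status)
        ip, when = m.group("host"), parse_ts(m.group("ts"))
        if ip in banned:
            continue
        window = recent[ip]
        window.append(when)
        # Drop failures that are older than findtime relative to this one.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = when
    return banned


def main():
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")


if __name__ == "__main__":
    main()
```

Running it bans only 198.51.100.7; the successful login and the GET from 203.0.113.5 never match, and 192.0.2.9 escapes because no three of its failures fall inside a 600-second window. Tightening or loosening findtime changes that last outcome, which is the knob to think about when choosing values for real traffic.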


2 ] Use Web Application Firewall (WAF) to Filter Malicious Traffic

Why it matters

A Web Application Firewall (WAF) sits in front of phpMyAdmin and drops requests that match known attack patterns (SQL injection payloads, exploit probes, scanner traffic) before they reach PHP. It is a backstop for the access controls above, not a replacement for them.

How to do it

  • If you use Cloudflare, enable the managed WAF rules for the phpMyAdmin path

  • If using Apache, enable ModSecurity with the OWASP Core Rule Set. The package below installs only the engine: the Core Rule Set is the separate modsecurity-crs package, and the shipped /etc/modsecurity/modsecurity.conf-recommended has to be copied to modsecurity.conf with SecRuleEngine changed from DetectionOnly to On before anything is blocked

sudo apt install libapache2-mod-security2 -y
sudo systemctl restart apache2

  • If using Nginx, enable NAXSI (check that this package exists in your distribution's repository; NAXSI is not packaged in every release, and it also needs its core rules included in nginx.conf and enabled per location)

sudo apt install libnginx-mod-naxsi -y
sudo systemctl restart nginx


3 ] Disable phpMyAdmin’s Features You Don’t Need

Why it matters

phpMyAdmin has many features that are not needed for routine database management. Disabling the ones you do not use limits what a hijacked or phished session can do.

How to do it

  • Edit the phpMyAdmin configuration

sudo nano /etc/phpmyadmin/config.inc.php

  • Disable features. Check each directive against the configuration reference for your phpMyAdmin release: AllowUserDropDatabase and ShowChgPassword are documented there, but NavigationDisplay is not in the current reference, so verify it exists in your version before relying on it

$cfg['AllowUserDropDatabase'] = false; // Prevents dropping databases
$cfg['ShowChgPassword'] = false; // Disables password changes from UI
$cfg['NavigationDisplay'] = false; // Disables left panel if not needed



If you follow these steps, your phpMyAdmin instance is much harder to attack. None of them replaces the others: the URL change only hides the login page, the IP allow-list and HTTP authentication keep strangers away from it, AllowRoot and limited grants cap the damage of a stolen password, Fail2Ban and the WAF slow down whoever gets through, and updates close the known holes.

If you want any help, drop a message to Aman Reddy.

#CyberSecurity #PHPMyAdmin #DatabaseSecurity #WebSecurity #Linux

Vinayak T.

Research Scientist @SAMEER | Programmer | Frontend Developer | Content Creator | Team Leader @Viral Fission

3 weeks

Nice Article
