PhpMyAdmin is the most popular web-based database administration software. It is widely used to manage MySQL and MariaDB databases due to its easy-to-use and intuitive interface.
Since the phpMyAdmin interface is accessible via a web browser, malicious users often target their attacks on this software. Attacks range from brute-forcing passwords to DDoS (Distributed Denial of Service) attacks.
In this guide, we will focus on securing phpMyAdmin on your Ubuntu 18.04 VPS or dedicated server to ensure your databases are not compromised.
- A VPS plan
- MySQL or MariaDB
- A non-root user with sudo privileges
- PHP and Apache web server
Step 1: Install phpMyAdmin
Before you begin, you can install phpMyAdmin using the commands below on your Ubuntu 18.04 server:
$ sudo apt-get update $ sudo apt-get install phpmyadmin
Press Y and hit Enter when prompted to confirm the installation
Towards the end of the installation, you will be prompted to choose a web server. Select apache2 then hit TAB and Enter.
PhpMyAdmin requires a database before it can be used. On the next screen, you will be prompted to confirm this:
Configure database for phpMyAdmin with dbconfig-common?
Select ‘Yes’ and hit Enter to proceed.
Next, provide a password for phpMyAdmin to register with the database server. Then, Press TAB and hit Enter to Continue
Confirm your password on the next screen then, Press TAB and hit Enter to Continue
PhpMyAdmin will finalize installing all the required files and create a database for administration purposes.
Step 2: Enable phpMyAdmin Configuration File
Next, we need to create a symbolic link for phpMyAdmin under the directory ‘/etc/apache2/conf-available/’.
You can do this by running the commands below:
$ sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf $ sudo a2enconf phpmyadmin.conf
Then, restart apache for the changes to take effect:
$ sudo service apache2 reload
Step 3: Test the Installation
Up to this point, you can visit phpMyAdmin via the URL below. Remember to replace ‘example.com’ with your server’s IP address or domain name:
If the setup was completed successfully, you should see the below phpMyAdmin login page. You can enter your MySQL username and password to login:
Step 4: Securing phpMyAdmin
Anyone with an internet connection and a browser can access your phpMyAdmin login page if you don’t provide an additional layer of security. Hackers may also redirect their bots to this page to brute-force your password and if you have used very weak passwords, your databases may be compromised.
To avoid such disgusting scenarios, you need to secure your phpMyAdmin login page. Apache web server has a built-in authentication and authorization functionalities and we are going to use it here.
First, you need to edit the configuration file which we linked to apache using a nano editor:
$ sudo nano /etc/apache2/conf-available/phpmyadmin.conf
We are going to add the line ‘AllowOverrideAll’ between the ‘<Directory> </Directory>’ tags to ensure that Apache will accept ‘.htaccess file’
<Directory /usr/share/phpmyadmin> ... Options SymLinksIfOwnerMatch DirectoryIndex index.php AllowOverride All ... </Directory>
Once you make the changes, press CTRL + X, Y and hit Enter to save the file.
Then, you need to restart Apache one more time:
$ sudo systemctl restart apache2
Step 5: Creating a ‘.htaccess’ File
You can now create a ‘.htaccess’ file under the ‘/usr/share/phpmyadmin/’ directory
$ sudo nano /usr/share/phpmyadmin/.htaccess
Then, copy paste the below information on the file
AuthType Basic AuthName "Restricted Files" AuthUserFile /etc/phpmyadmin/.htpasswd Require valid-user
As you can see above, we are using basic Authorization. The text ‘Restricted Files’ will be shown to users who visit our phpMyAdmin URL. Also, we are going to store the hashed passwords under the ‘/etc/phpmyadmin/.htpasswd’ file. The entry ‘Require valid-user’ states that only authenticated users will be allowed to access the content on this URL.
Press CTRL + X, Y and hit Enter to save the file.
On the ‘.htaccess’ file above, we have selected the password file to be located on ‘/etc/phpmyadmin/.htpasswd’, we can now start populating the file with users using the commands below. Remember to replace ‘james’ with your preferred username
$ sudo htpasswd -c /etc/phpmyadmin/.htpasswd james
You will be prompted to enter and confirm a password for the user
If you want to create additional users, run the command one more time but omit the -c flag as shown below:
$ sudo htpasswd /etc/phpmyadmin/.htpasswd john
Step 6: Test the Configuration
If you visit the phpMyAdmin URL, you will be prompted to enter a username and password before you even get to the login page of your database:
Once you enter the correct credentials, you will be taken to the regular phpMyAdmin login page. This adds a second layer of security to your phpMyAdmin software.
On this guide, we have shared the basic steps of installing and securing phpMyAdmin on your Ubuntu 18.04 server. You should also install an SSL certificate on your server to avoid man-in-the-middle attacks.
Without SSL, a malicious internet service provider or Wifi provider may intercept your unencrypted phpMyAdmin details as they travel across the network. Also, consider disabling root access to your MySQL/MariaDB servers from the phpMyAdmin software.
Check out these top 3 VPS services: