How to Secure phpMyAdmin on Ubuntu 18.04 VPS or Dedicated Server

PhpMyAdmin is the most popular web-based database administration software. It is widely used to manage MySQL and MariaDB databases due to its easy-to-use and intuitive interface.

Since the phpMyAdmin interface is accessible via a web browser, malicious users often target their attacks on this software. Attacks range from brute-forcing passwords to DDoS (Distributed Denial of Service) attacks.

In this guide, we will focus on securing phpMyAdmin on your Ubuntu 18.04 VPS or dedicated server to ensure your databases are not compromised.

Prerequisites

  • A VPS plan
  • MySQL or MariaDB
  • A non-root user with sudo privileges
  • PHP and Apache web server

Step 1: Install phpMyAdmin

Before you begin, you can install phpMyAdmin using the commands below on your Ubuntu 18.04 server:

$ sudo apt-get update
$ sudo apt-get install phpmyadmin

Press Y and hit Enter when prompted to confirm the installation

Towards the end of the installation, you will be prompted to choose a web server. Select apache2 then hit TAB and Enter.

PhpMyAdmin requires a database before it can be used. On the next screen, you will be prompted to confirm this:

Configure database for phpMyAdmin with dbconfig-common?

Select ‘Yes’ and hit Enter to proceed.

Next, provide a password for phpMyAdmin to register with the database server. Then, Press TAB and hit Enter to Continue

Confirm your password on the next screen then, Press TAB and hit Enter to Continue

PhpMyAdmin will finalize installing all the required files and create a database for administration purposes.

Step 2: Enable phpMyAdmin Configuration File

Next, we need to create a symbolic link for phpMyAdmin under the directory ‘/etc/apache2/conf-available/’.

You can do this by running the commands below:

$ sudo ln -s /etc/phpmyadmin/apache.conf  /etc/apache2/conf-available/phpmyadmin.conf

$ sudo a2enconf phpmyadmin.conf

Then, restart apache for the changes to take effect:

$ sudo service apache2 reload

Step 3: Test the Installation

Up to this point, you can visit phpMyAdmin via the URL below. Remember to replace ‘example.com’ with your server’s IP address or domain name:

http://ip_adress/phpmyadmin

If the setup was completed successfully, you should see the below phpMyAdmin login page. You can enter your MySQL username and password to login:

Step 4: Securing phpMyAdmin

Anyone with an internet connection and a browser can access your phpMyAdmin login page if you don’t provide an additional layer of security. Hackers may also redirect their bots to this page to brute-force your password and if you have used very weak passwords, your databases may be compromised.

To avoid such disgusting scenarios, you need to secure your phpMyAdmin login page. Apache web server has a built-in authentication and authorization functionalities and we are going to use it here.
First, you need to edit the configuration file which we linked to apache using a nano editor:

$ sudo nano /etc/apache2/conf-available/phpmyadmin.conf

We are going to add the line ‘AllowOverrideAll’ between the ‘<Directory> </Directory>’ tags to ensure that Apache will accept ‘.htaccess file’

<Directory /usr/share/phpmyadmin>
...
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All

...
</Directory>

Once you make the changes, press CTRL + X, Y and hit Enter to save the file.

Then, you need to restart Apache one more time:

$ sudo systemctl restart apache2

Step 5: Creating a ‘.htaccess’ File

You can now create a ‘.htaccess’ file under the /usr/share/phpmyadmin/ directory

$ sudo nano /usr/share/phpmyadmin/.htaccess

Then, copy paste the below information on the file

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

As you can see above, we are using basic Authorization. The text ‘Restricted Files’ will be shown to users who visit our phpMyAdmin URL. Also, we are going to store the hashed passwords under the ‘/etc/phpmyadmin/.htpasswd’ file. The entry ‘Require valid-user’ states that only authenticated users will be allowed to access the content on this URL.

Press CTRL + X, Y and hit Enter to save the file.

On the ‘.htaccess’ file above, we have selected the password file to be located on /etc/phpmyadmin/.htpasswd, we can now start populating the file with users using the commands below. Remember to replace ‘james’ with your preferred username

$ sudo htpasswd -c /etc/phpmyadmin/.htpasswd james

You will be prompted to enter and confirm a password for the user

If you want to create additional users, run the command one more time but omit the -c flag as shown below:

$ sudo htpasswd /etc/phpmyadmin/.htpasswd john

Step 6: Test the Configuration

If you visit the phpMyAdmin URL, you will be prompted to enter a username and password before you even get to the login page of your database:

http://ip_address/phpmyadmin

Once you enter the correct credentials, you will be taken to the regular phpMyAdmin login page. This adds a second layer of security to your phpMyAdmin software.

Conclusion

On this guide, we have shared the basic steps of installing and securing phpMyAdmin on your Ubuntu 18.04 server. You should also install an SSL certificate on your server to avoid man-in-the-middle attacks.

Without SSL, a malicious internet service provider or Wifi provider may intercept your unencrypted phpMyAdmin details as they travel across the network. Also, consider disabling root access to your MySQL/MariaDB servers from the phpMyAdmin software.

 

Check out these top 3 VPS services:

Was this article helpful?