You are Here:Home>>Code>>Databases>>Best Practice to Install and secure phpMyAdmin on LAMP stack

Best Practice to Install and secure phpMyAdmin on LAMP stack

Carlos Pinho
By | 2017-09-07T12:43:27+00:00 Jul 24, 2017|Databases|

In this article, we will explain how to install phpMyAdmin on a LAMP stack server, with step by step instructions. Next, we will show how to secure phpMyAdmin with some measures in order to avoid external unauthorized access to your web app. This install and secure phpMyAdmin article is covering the most used procedures among developers and easy to be followed. Of course that, still not 100% successful and this is something you should always bear in mind.

If you are looking for a VPS to start working or giving the first steps on non-manage hosting, feel free to open an account at Digital Ocean and get a credit of USD 10, so you can immediately start working on it, you just need to add the discount coupon code ACTIVATE10.

Install and Secure phpMyAdmin

phpMyAdmin is an administrative tool written in PHP, to enable you to manage the administration of MySQL over the web. Most of the operations can be made via the user interface, still giving you the chance to run SQL statements.

phpMyAdmin is a very popular tool, not only for developers but mostly for nondevelopers, since it gives the ability to perform several operations using a graphical interface instead of from a command line. If you are interested in learning more about phpMyAdmin, you can find out more information from their official website.

Depending on the OS of your server, the way to install phpMyAdmin can be different. So, in this article, we will be going to cover the steps to install and secure phpMyAdmin in a LAMP stack.

Install phpMyAdmin

LAMP is a group of open software which includes a Linux operating system, Apache, MySQL, and PHP.

In this case, we are basing the install process in a Ubuntu 16.04, Debian7, CentOS 7 and RHEL7.

Installing phpMyAdmin on Ubuntu 16.04 and Debian 7

First, we are going to update the local package index and then get and install the phpMyAdmin files in the system.

sudo apt-get update
sudo apt-get install phpmyadmin php-mbstring php-gettext

You will be prompted to some questions so you can get your installation configured correctly.

It is important that in the first screen you make sure apache2 is selected (not only highlighted). For that use Space, then using Tab go to Ok and hit Enter.

When it comes to server selection, you should choose apache2. Select dbconfig-common to setup database. Then write the administrator database password and confirm it.

Now we will need to enable mcrypt and mbstring. For that execute the following commands:

sudo phpenmod mcrypt
sudo phpenmod mbstring

Once extensions are enabled, we need to restart Apache.

sudo systemctl restart apache2

Now you should be able to access phpMyAdmin in the browser.

Check the phpMyAdmin URL as per below:

https://yourdomain.com/phpmyadmin

Installing phpMyAdmin on CentOS 7 and RHEL 7

We will need first to get the EPEL (Extra Packages for Enterprise Linux) and only then, install the phpMyAdmin. So, let’s install EPEL first executing the following command:

sudo yum install epel-release

In case the EPEL is not available at your VPS, you will need to get it from the respective repositories:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

Now we can install the phpMyAdmin using the following command:

sudo yum install phpmyadmin

Once the phpmyadmin is installed, we will need to edit its config file located at /etc/httpd/conf.d/phpMyAdmin.conf. You can do it executing the following command:

sudo nano /etc/httpd/conf.d/phpMyAdmin.conf

# Require ip 127.0.0.1
# Require ip ::1
Require all granted

Once extensions are enabled, we need to restart Apache.

sudo systemctl restart httpd.service

Now you should be able to access phpMyAdmin in the browser.

Check the phpMyAdmin URL as per below:

https://yourdomain.com/phpmyadmin

Secure phpMyAdmin

Since phpMyAdmin is now accessible from URL, it would be important to increase the security of it. There are some tips we can use to secure phpMyAdmin, or at least increase the level of protection. Therefore we will need to add an extra login access to it. Also, remember that most likely you have more than one MySQL user configured, the root, which gives you a global access to all databases in the server, and other users like in WordPress, besides phpMyAdmin user.

Change Default phpMyAdmin login URL

On Ubuntu and Debian go to etc/phpmyadmin/ and open apache.conf file.

If you are using the ssh access, execute the following command:

sudo nano /etc/phpmyadmin/apache.conf

On CentOS and RHEL go to etc/httpd/conf.d/ and open phpMyAdmin.conf file.

sudo nano /etc/httpd/conf.d/phpmyadmin.conf

Now let’s edit the file by changing:

Alias /phpmyadmin /usr/share/phpmyadmin

to

Alias /anyalias /usr/share/phpmyadmin

Where anyalias is the URL directory name you want to use, like “https://mydomain.com/anyalias/”.

Now we need to restart apache in order this change can have an effect.

In Ubuntu and Debian:

sudo service apache2 restart

In CentOS and RHEL:

sudo systemctl restart httpd.service

Now if you check https://mydomain.com/anyalias/ the phpMyAdmin page should be accessible, while the regular URL will return a 404 error page.

Using .htaccess and Password Authentication

Another good practice to secure phpMyAdmin is to enable a password authentication to the phpMyAdmin URL. We will do that using an .htaccess file.

In order to do that, we will need first to edit the phpMyAdmin configuration file at Apache configuration directory to enable the use of the .htaccess file by giving a directive to override settings.

The following command will open the file in nano editor from the command line.

For Ubuntu and Debian

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

For CentOS and RHEL

sudo nano /etc/httpd/conf.d/phpMyAdmin.conf

Now we will need to add an AllowOverride All instruction to the <Directory /usr/share/phpmyadmin/>.

<Directory /usr/share/phpmyadmin>
AllowOverride All

We will need to restart the service so the change has an effect.

In Ubuntu and Debian:
sudo service apache2 restart

In CentOS and RHEL:
sudo systemctl restart httpd.service

Now we will need to create the .htaccess file by using the following command:

For Ubuntu and Debian:
sudo nano /usr/share/phpmyadmin/.htaccess

For CentOS and RHEL:
sudo nano /etc/httpd/conf.d/phpMyAdmin.conf

And add the type of authentication we want to implement and its details. Copy the following lines to the .htaccess file:

AuthType Basic
AuthName "Admin Login"
AuthUserFile /path_to_password/.htpasswd 
Require valid-user

Note that you should change the AuthUserFile path to the one you think is appropriated, bearing that it should be always located outside the directories that are being served.

So, we have so far enabled the use of .htaccess, set the password location and now we need a password file.

In order to accomplish this, we will need to have the htpasswd utility available in Apache. Therefore we will need to install the utility Apache package by executing the following command:

For Ubuntu or Debian

sudo apt-get install apache2-utils

For CentOS and RHEL

yum install httpd-tools

Once we have the Apache utilities installed, we will create the .htpasswd file in the directory you had set in the .htaccess file “AuthUserFile /path_to_password/.htpasswd “.

For Ubuntu or Debian

sudo htpasswd -c /path_to_password/.htpasswd username

For CentOS  and RHEL

sudo htpasswd -c /path_to_password/.htpasswd username

You will be then prompted to enter and confirm a password for the user.

Note: Despite the use of .htpasswd is the standard name that is used, you can always use any other denomination you like, as long as you state it in the .htaccess as well.

Despite the use of .htpasswd is the standard name that is used, you can always use any other denomination you like, as long as you state it in the .htaccess as well.

Now if you check the URL of your phpMyAdmin https://mydomain.com/anyalias/ you will be prompted to an additional account name and password before accessing the phpMyAdmin login page.

Use HTTPS on phpMyAdmin

The use of a Secure Socket Layer (SSL) certificate to secure the communication between the client and the server and avoid the username and password to be transmitted in plain text is another good practice to secure phpMyAdmin. In fact, you should use and HTTPS not only for phpMyAdmin but for any web application that needs login credentials.

Just to give you an idea on a simple process that sniffs this kind of information, using tcpdump there are some nice examples on the web showing how easy is to gather the login information as it is transmitted in plain text which makes life easy for someone who wants to gather this information to take control of the application.

By executing the below command, you can test and confirm whether any login information is being transmitted in plain text.

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

Besides, security is not only about login credentials on a web application, but also about any other information being transmitted between two sides like for instance an email. Most of the web applications do not use yet two-factor authentication method. So, if someone is able to intercept packages from a registration email, that is being transmitted/received without SSL / TLS, most likely it will be possible to get that information on plain text and use it.

There are several ways to get your web app using SSL. We have covered in the past a tutorial explaining how to setup a free SSL to your web app with CloudFlare without the need to install it on your server, but there are other methods you can use like with Let’s Encrypt, Symantec’s FreeSSL, Comodo (90 days only), StartCom, WoSign (2Years) and other.

Use a VPN service when using a free public connection

Well, this is not much a hint for the phpMyAdmin, but as a general practice to any operation you make on the internet, either using mobile, tablet or laptop. We recommend a service like NordVPN, the most popular VPN provider at moment. With a military level of communication encryption will give you an extra layer of security when managing your websites.

Conclusion

This step by step tutorial tries to give you a clear view on how to install and secure phpMyAdmin, with a wide range of ideas to add several layers of security to your web applications. In fact, most of these practices can be replicated to any other applications besides phpMyAdmin.

Although, the best recommendation we can give is to host your MySQL and phpMyAdmin out from your website server. This will become helpful especially when your web app starts to grow and require additional resources, and on the other hand, an additional improvement to security.

Have you enjoyed this tutorial? If so, supports us by sharing this article or Become a Patron!

About the Author:

Carlos Pinho
A father, a husband and a geek... Carlos was the founder of projects like The Tech Labs and Flash Enabled Blog. He is the founder of TekTuts He is passionate about technologies. Their main skills are in analytics, transport & logistics, business administration. He also writes about programming resources, trends, strategy and web development.