How to Configure phpMyAdmin Securely on Linux VPS

phpMyAdmin is a tool that helps you manage MySQL or MariaDB databases through your web browser. It’s like having a remote control for your database. You don’t have to remember a bunch of SQL commands—you can just click buttons and fill in forms. It’s helpful, especially when you’re not a database pro.

But here’s the thing: because phpMyAdmin runs in your browser, it can be a security risk if you don’t set it up the right way. I’ve learned this the hard way when bots kept trying to log in to mine. It’s like leaving your house door open with a sign that says “Free Snacks Inside.”

So in this post, I’ll show you how to install and secure phpMyAdmin on a Linux VPS (Virtual Private Server). I’ll keep it simple, step-by-step, and clear. If you follow along, you’ll end up with a phpMyAdmin setup that’s a lot harder for hackers to mess with.

Let’s get started.


What You Need First

Before we dive in, make sure you’ve got a few things ready. Here’s what you need:

  • A Linux VPS (like Debian, Ubuntu, or CentOS)
  • A web server (Apache or Nginx)
  • MySQL or MariaDB installed
  • A non-root user with sudo access

If you’re not sure what a VPS is: it’s like renting a tiny computer in the cloud. You can install anything on it, just like on your home computer.

I’m using Ubuntu 22.04 with Apache in this example. If you use Nginx, the steps are similar, but the configuration files are different.


Step 1: Install phpMyAdmin

First, let’s install phpMyAdmin. Open your terminal and type:

sudo apt update
sudo apt install phpmyadmin

During the install, it’ll ask which web server to configure. Choose Apache if you’re using it. If you’re using Nginx, you can skip that part—we’ll configure it manually later.

Also, it’ll ask if you want to set up a database for phpMyAdmin. Choose Yes and set a password when asked. Don’t use “1234” or “password.” Use something weird and hard to guess, like yogurt-shark-999.

When it’s done, phpMyAdmin will be available at:

http://your-server-ip/phpmyadmin

Try opening that in your browser. If you see the login page, you’re halfway there.


Step 2: Add an Extra Lock — Password-Protect the Page

The phpMyAdmin login screen is like the front door to your database. But even that door needs a lock.

So we’ll add another lock before anyone can even see the phpMyAdmin page. This is called “HTTP authentication” or just “basic auth.”

Let’s do it.

1. Create the password file:

sudo apt install apache2-utils
sudo htpasswd -c /etc/phpmyadmin/.htpasswd yourusername

Replace yourusername with anything you like. You’ll be asked to enter a password.

2. Tell Apache to ask for this password:

Open the phpMyAdmin config file:

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

Inside the <Directory /usr/share/phpmyadmin> section, add this:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

Save and close it. Then restart Apache:

sudo systemctl restart apache2

Now if you go to your phpMyAdmin page, it will ask for your new username and password before showing the actual login page. That’s like adding a bouncer outside the club.


Step 3: Change the URL (Optional but Smart)

Most bots and attackers look for /phpmyadmin. It’s the default. So let’s trick them by changing the path.

If you use Apache:

You can make a custom alias:

  1. Edit the Apache config:
sudo nano /etc/apache2/conf-available/phpmyadmin.conf
  2. Change this line:
Alias /phpmyadmin /usr/share/phpmyadmin

To something like:

Alias /banana-control /usr/share/phpmyadmin

(Yes, you can name it anything—go wild.)

  3. Restart Apache:
sudo systemctl restart apache2

Now phpMyAdmin is at http://your-ip/banana-control.

Bots trying /phpmyadmin will just get a 404 error. It’s like moving your secret treehouse to a new tree.


Step 4: Disable Root Login

Logging in to phpMyAdmin with the MySQL root user is dangerous. If someone guesses that password, they have full control.

So let’s block that.

1. Create a new user for phpMyAdmin:

Log in to MySQL:

sudo mysql -u root -p

Then run:

CREATE USER 'webuser'@'localhost' IDENTIFIED BY 'strong_password_here';
GRANT ALL PRIVILEGES ON *.* TO 'webuser'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

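Now use webuser to log in to phpMyAdmin. Keep your root user only for terminal access. Keep in mind that GRANT ALL PRIVILEGES ON *.* with GRANT OPTION gives webuser the same reach as root, so what this step buys you is an account name attackers won’t try by default. If you only manage a few databases through phpMyAdmin, granting privileges on just those databases limits what a stolen password can do.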

You can also edit config.inc.php to deny root access from phpMyAdmin:

sudo nano /etc/phpmyadmin/config.inc.php

Add this line:

$cfg['Servers'][$i]['AllowRoot'] = false;

Save and exit.
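
Here’s a quick way to confirm that Steps 2 to 4 actually made it into the config files. This is an added example, not part of the original walkthrough: the helper names audit_phpmyadmin and active_lines are made up for it, the sample config is constructed, and the default paths are the ones used above.

```shell
#!/usr/bin/env bash
# Added example: static check that Steps 2-4 landed in the config files.
# audit_phpmyadmin and active_lines are hypothetical helper names.

# Print lines that are neither blank nor whole-line comments (# or //).
active_lines() { grep -Ev '^[[:space:]]*(#|//|$)' "$1"; }

# Usage: audit_phpmyadmin [apache_conf] [config_inc_php]
# Returns the number of failed checks (0 means all three were found).
audit_phpmyadmin() {
    local apache_conf="${1:-/etc/apache2/conf-available/phpmyadmin.conf}"
    local pma_conf="${2:-/etc/phpmyadmin/config.inc.php}"
    local failures=0

    # Step 2: basic auth in front of the login page
    if active_lines "$apache_conf" | grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' &&
       active_lines "$apache_conf" | grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user'; then
        echo "PASS  Step 2: basic auth required"
    else
        echo "FAIL  Step 2: AuthType Basic / Require valid-user missing"
        failures=$((failures + 1))
    fi

    # Step 3: the default alias must no longer be active
    if active_lines "$apache_conf" | grep -Eiq '^[[:space:]]*Alias[[:space:]]+/phpmyadmin/?[[:space:]]'; then
        echo "FAIL  Step 3: default /phpmyadmin alias still active"
        failures=$((failures + 1))
    else
        echo "PASS  Step 3: default alias not in use"
    fi

    # Step 4: AllowRoot must be set to false on an uncommented line
    if active_lines "$pma_conf" | grep -Eiq "\[['\"]AllowRoot['\"]\][[:space:]]*=[[:space:]]*false"; then
        echo "PASS  Step 4: root login denied"
    else
        echo "FAIL  Step 4: AllowRoot is not set to false"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample input: only Step 2 is done, and AllowRoot is commented out.
demo=$(mktemp -d)
printf '%s\n' 'Alias /phpmyadmin /usr/share/phpmyadmin' '<Directory /usr/share/phpmyadmin>' \
    '    AuthType Basic' '    Require valid-user' '</Directory>' > "$demo/apache.conf"
printf '%s\n' '<?php' "// \$cfg['Servers'][\$i]['AllowRoot'] = false;" > "$demo/config.inc.php"
audit_phpmyadmin "$demo/apache.conf" "$demo/config.inc.php" || echo "$? check(s) failed"
rm -rf "$demo"
```

On a real server, run audit_phpmyadmin with no arguments (with sudo if the files aren’t readable). It only reads the files and doesn’t look at which <Directory> block a directive sits in, so still test the page in your browser.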


Step 5: Use HTTPS

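This one’s important. If you log in over HTTP (no S), your password travels across the internet like an open postcard. Anyone watching can read it. That includes the basic auth password from Step 2, which your browser sends along with every request.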

So always use HTTPS.

If you don’t have it yet, install a free SSL certificate with Let’s Encrypt:

sudo apt install certbot python3-certbot-apache
sudo certbot --apache

Follow the prompts. Then visit https://your-domain/banana-control instead of http.

HTTPS turns your data into secret code while it travels. Much safer.


Step 6: Extra Tweaks for Extra Safety

Want to go even further? Here are some bonus tweaks you can try:

  • Limit IP Access: Only allow certain IP addresses to visit phpMyAdmin.
  • Fail2Ban: Blocks IPs after too many failed logins.
  • Disable features: You can turn off things you don’t need in config.inc.php.

These are like adding alarms and motion sensors to your already locked door.


Quick Checklist

Here’s a summary of the steps we did:

  • ✅ Installed phpMyAdmin
  • ✅ Added a password before the login page
  • ✅ Changed the default URL
  • ✅ Disabled root login
  • ✅ Switched to HTTPS

Want more ideas to harden your setup? Here’s a bonus list:

  • Use a strong MySQL password (not your pet’s name)
  • Keep your server and packages up to date
  • Don’t use public Wi-Fi when managing phpMyAdmin

And finally, a list of things not to do:

  • ❌ Don’t leave /phpmyadmin open to the world
  • ❌ Don’t use “root” and “1234” as credentials
  • ❌ Don’t skip HTTPS

Final Thoughts

phpMyAdmin makes managing your database much easier, but it also opens a door. You don’t want that door swinging wide open for just anyone.

By adding layers of protection—like passwords, custom URLs, and HTTPS—you make that door a lot harder to break into.

I’ve been running phpMyAdmin on VPS servers for years, and with these steps, I’ve avoided a lot of trouble. And trust me, cleaning up after a hacked database is no fun. It’s like trying to find your socks after a tornado hit your closet.

So, what’s your phpMyAdmin setup like? Do you lock it down like Fort Knox, or is it more like an open picnic?

Let me know if this helped you, or if you ran into any hiccups. I’ve probably hit the same bumps.

Stay safe—and maybe don’t name your login page “banana-control.” Or do. No judgment.

 

 
