It is common, especially for WordPress web hosting, to use MySQL as a database to store the website’s data. But it is not common that these web hosting offers phpMyAdmin as your front-end console to access the database. Some of them are using their in-house database manager to let you manage your data. And that is what we will be showing you in this article. Which is to provide you with the steps to install and secure phpMyAdmin for your websites.
What's In Here
Is It Possible For Me To Install and Secure phpMyAdmin?
But what if you don’t want to use your web hosting’s database manager for some reason and wanted to use phpMyAdmin? Is it possible? The answer is either a yes or no.
No, if your web hosting contract does not include or allow you to install other tools other than what’s in the package. You have to contact your web hosting support team to check with them if they can allow you to use another database manager. Otherwise, then you have the option to install and configure phpMyAdmin to connect to your website.
So, if you are allowed to use another database manager and your web hosting is running in Linux. As an example, Linux 5.17.5 Linode, then we can install and secure phpMyAdmin.
How To Install phpMyAdmin On Linux WordPress Web Hosting
Developers, especially database administrators, won’t have any problems running query tasks with the MySQL database. However, for non-tech people or people with no database management experience, it will be very hard for them to work using terminals. Having a phpMyAdmin installed as a database manager can ease that problem.
In this article, we will be working on a WordPress Linux 5.17.5 Linode environment to set up phpMyAdmin. And for the actual test, we set up a new WordPress installation in our web hosting provider, Cloudways.
1. Using an SSH client, such as PuTTY, log in to your server.
Make sure that you have the appropriate privileges or access to install or run applications before you proceed. Without such privileges, then we won’t be able to download, install, and configure the phpMyAdmin. You can contact your web hosting support and request to provide you with the access you need.
2. Go to your website’s public_html directory and download PHPMyAdmin.
Then you have to navigate to your public_html folder. The public_html folder is an Apache web server directory where all of your web contents are served to the end-users. Hence, this will be our starting point where we will install the phpMyAdmin.
Open a browser and go to the phpMyAdmin download page to get the latest version’s link. At the time of writing this, the latest version is phpMyAdmin 5.2.0. Let us use this version for our demo.
Go back to your SSH terminal and by using the wget command, we will download the phpMyAdmin install package.
wget https://files.phpmyadmin.net/phpMyAdmin/5.2.0/phpMyAdmin-5.2.0-all-languages.zip
3. Extract PHPMyAdmin to start the installation.
Now that we have the phpMyAdmin install package saved in the public_html folder, we should decompress or unpack it.
You can use the command unzip to decompress the zip file in Linux.
unzip phpMyAdmin-5.2.0-all-languages.zip
4. Rename the installed phpMyAdmin directory.
Then you need to rename the phpMyAdmin directory to something generic so that it will be easy to configure. But do not use the common default name “phpmyadmin” because this is the common target of the attackers. You may want to rename it something else, for this example, let’s use “lifeline”.
For example, the phpMyAdmin we downloaded was extracted to a folder named phpMyAdmin-5.2.0-all-languages. By using the command mv, we will rename this directory.
mv phpMyAdmin-5.2.0-all-languages lifeline
5. Test the phpMyAdmin by opening the phpMyAdmin link in a browser.
To test the phpMyAdmin installation if it was successful, open a browser and input your website’s URL then followed by a slash and the new name of your phpMyAdmin directory, i.e. https://<domain name or IP address>/phpmyadmin/.
For example, if your website is https://wordpress-308485-2879598.cloudwaysapps.com/ then your phpMyAdmin link is https://wordpress-308485-2879598.cloudwaysapps.com/phpmyadmin/.
You can now log in using your MySQL or database account.
Add Password-Based Authentication To Secure Your phpMyAdmin
To continue with our “how-to install and secure phpMyAdmin” steps, we need to secure our phpMyAdmin interface.
Maybe you are wondering why we still need to add another layer of security when there is already a login form in phpMyAdmin. Remember, the database is the lifeline of your website and your business. If your data gets compromised, then it may ruin your business – not to mention that it can cost a lot. That is why we have to put restrictions when accessing your phpMyAdmin.
1. Create a .htaccess file in the PHPMyAdmin directory
First, we will need to create a .htaccess file (if not present) inside the phpMyAdmin directory. The .htaccess file will be the high-level configuration of the entire directory. By adding this file, it can override the default Apache configuration and will be applied only inside the directory.
To create a new .htaccess file, if it does not exist, use your server’s text editor. For this example, we will be using the vi editor.
vi .htaccess
Or you can also use the touch command to create the file.
touch .htaccess
2. Create a login account and password using htpasswd
Before we proceed to configure the .htaccess file to use the basic type authentication, we need to create an account and assign a password. This can be done using the htpasswd command.
You will be asked twice for your desired password to confirm.
htpasswd -c .htpasswd phpmyadmin_user
3. Add Basic Type Password Authentication in the .htaccess file
Inside the .htaccess you can add first the following lines to configure your basic type of password authentication.
The purpose of doing this is so that when someone tries to access the link of your phpMyAdmin, they will need to input first the defined username and password before they can access the page.
AuthName "PHPMyAdmin - Restricted Page. Login authorization is required here."
AuthType Basic
AuthUserFile /public_html/lifeline/.htpasswd
Require valid-user
Here’s a high-level explanation of each line.
| Parameter | Example | Notes |
|---|---|---|
| AuthName | AuthName “PHPMyAdmin – Restricted Page. Login authorization is required here.” | This part is the message of the pop-up window when someone tries to access the phpMyAdmin link. |
| AuthType | AuthType Basic | The quickest and basic form of authentication |
| AuthUserFile | AuthUserFile /public_html/lifeline/.htpasswd | Location of the password file |
| Require | Require valid-user | Defined user accounts who are allowed to login |
4. Try to access again your phpMyAdmin page
Usually, the setup above is plug-and-play and there’s no need to restart NGINX or Apache. So, try to access again the phpMyAdmin site and notice that you will be prompted to enter a username and password. This means the authentication you set up is working.
Additional Custom PHP Security Configuration
During the installation of the phpMyAdmin package, it comes with a file named config.sample.inc.php. We can use this to add a custom PHP security configuration for your phpMyAdmin page.
If you open the file config.sample.inc.php using your file editor, you will find a set of pre-made configurations. If you are an advanced user, then it shouldn’t be a problem for you to make the changes – we can discuss them on another topic. For this article, we will just set up the basic configuration to protect your phpMyAdmin page.
1. Create a config.inc.php file
You can use either vi or touch to create the file, as how we showed you earlier when creating the .htaccess file. Example:
vi config.inc.php
2. Type in these basic PHP security configuration
Then you can type (or copy and paste) the following lines inside your config.inc.php file.
$cfg['LoginCookieValidity'] = 14400;
$cfg['LoginCookieRecall'] = false;
$cfg['AllowUserDropDatabase'] = false;
$cfg['ShowServerInfo'] = false;
$cfg['RestrictPaths'] = yes;
With this custom PHP configuration, it will change the default cookie validity timeout. This means that the user will be automatically kicked out/logged out within the defined time. The configuration also will prohibit the user to delete the database and remove the server information display from the phpMyAdmin.
Before We End This Article
There you have it!
The instructions above to install and secure phpMyAdmin, although basic, we are sure that it is enough for you to start using the database tool. You now have an additional means to access your website’s database – if your web hosting already provided one.
From here, you can explore more on how you can add more customization and security to your phpMyAdmin installation.
