How to Secure phpMyAdmin? Tunneling?

I'm completely new to setting up web servers, so forgive my noobishness. I'm running Ubuntu 8.04. I'd like to use phpMyAdmin because it's what I'm used to, but I'm open to other suggestions. A lot of people have said that it's easily hackable.

The awesome people in irc told me to use SSL. I tried that and was able to get SSL running, but I couldn't seem to find any directions / tutorials that went from start to finish with configuring it to work specifically with phpMyAdmin only (it required https for all sites).

I came across a lot of people suggesting SSH tunneling. Unfortunately all google results for phpMyAdmin and ssh tunneling didn't seem to work. Either files weren't where they said they were, or the commands didn't seem to work.

Tunneling seems like to way to go… but I can't find documentation that works. I'm a noob, so it has to be step-by-step. Any ideas?

Edit: Would it be an option to install phpMyAdmin, add the database and user privileges I need, then remove phpMyAdmin. I tried that, and it seems to work… but obviously this isn't a "good" fix.

8 Replies

You could use the authentication of your webserver (Lighttpd, Apache, ..) to set an extra user/password on the whole phpmyadmin folder. And maybe a fail2ban rule to scan you webserver log for password guesses?

1) Tunneling:

– Make Apache listen on (or any other port)

-- Add a virtualhost to, put phpmyadmin on it

-- In SSH/PuTTY, forward local port 8080 (or any other port) to remote port 80 (ssh -L 8080:localhost:80)

-- Log in to the server

-- While logged in, point your web browser at http://localhost/phpmyadmin

-- Enjoy your secure connection

2) Quick fix without any fancy stuff

-- Create an .htaccess file in your phpmyadmin directory with the following content:

Order deny,allow

allow from

deny from all

(Replace with your IP address)

> I couldn't seem to find any directions / tutorials that went from start to finish with configuring it to work specifically with phpMyAdmin only (it required https for all sites).

I don't have specifics for you - especially since I don't use Apache2 - but this is doable. Set up your website as normal, with say a DocumentRoot of /var/www. Then set up a folder outside of this root, say /var/www-ssl, and installed phpMyAdmin to there. In your Apache config, around where you define the SSL listener (something like iirc), point it at the different DocumentRoot there. Then, only phpma will be accessible over https, and everything else will be accessible over http. (You can create symlinks from /var/www-ssl/foo to /var/www/foo if you want some things to be accessible over both).

This is how I handle it on one site, kind of a hybrid of hybinet's approach:

    Alias /pma/ "/usr/share/phpmyadmin/"
    <directory "="" usr="" share="" phpmyadmin="">Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order allow,deny
# Only allow access to phpMyAdmin from localhost
        Allow from</directory> 

This only allows access to from the local machine. I forward a local port via ssh (ssh -L 8080:localhost:80) then access phpMyAdmin via http://localhost:8080/pma/ on my desktop machine. This was simpler than going through the whole rigamarole of setting up SSL. The limitation is that you can't give someone access to phpMyAdmin without also giving them a login on the machine.

Edit: another limitation is that if you are using virtual hosts, this only works for the first (default) one. That is, the one you would reach if you surfed to the machine's IP address (e.g.,

I just put a .htaccess/.htpasswd, with a dead simple user/pass, with fail2ban, and that keeps people out of it.

Why not alias it? And use https…

 <virtualhost yourip:443="">ServerName
   DocumentRoot /var/www/


   ### Hide phpmyadmin
   Alias /phpmyadmin /var/www/
   Alias /atopsecretfoldername /var/www/phpmyadmin/



It's weak; but watch your logs, I bet no one ever looks for any files in atopsecretfoldername. It's bullet-proof right?

It's the easiest thing I came up with and I've yet to get any hits in it except me. You can log in from any computer, no extra username/passwords to enter.

Hope it helps.

Aside from the suggestions already mentioned, if you're using any kind of script to generate XML sitemaps on your server, it's a good idea to make sure you're excluding sensitive directories from them. There should be multiple barriers between a potential attacker and anything sensitive, but it never helps if such directories wind up in search engine indexes.

If you're going to use any sort of password based authentication for that site, run it through SSL.

My site has its administrative interface running over SSL, and mod-auth-shadow. This allows passwords to not be passed in clear text, and me to control access based on local system accounts.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct