How to secure PhpMyAdmin

So in the last tutorial we learned how to install PhpMyAdmin. The application is a popular target for attackers because there is almost no security by default in the installation.

Step 1. Setup .Htaccess

the first thing we should do is to enable .htaccess in our apache conf.


Remember to save this and then restart Apache

Step 2. Create .htaccess file

So we want to create our .htacces file in /usr/share/phpmyadmin

We will add this into the file

We are going to install an additional package to get this to work

now we have the htpasswd module available

If you want more than one user you can just add them with the command above. just remove the -c flag.

Try to access PhpMyAdmin in your browser, you should be prompted for user name and password.

Step 4. Setup SSL for PhpMyadmin

We are gonna send and receive sensitive data we would like to hold private between us and the server. Therefore we need to make an encrypted connection to the web server. if you already have made your SSL certificate and key you should skip to step 9.

apache have SSL support as a standard so the first thing we want to do is to  activate the SSL  module

To make Apache recognize the changes we need to restart the service


Step 5. Create the Self-Signed Certificate

We need to create a subdirectory in /etc/apache where we are gonna place our SSL certificate files

Now that we have made our folder for the SSL certificate we are going to create the ssl key and certificate.

when you hit enter you wil have to fill in the information you are asked about. The most important is the common name, there should be your domain ow ip-addres.




Step 6. We have made our certificate and our key so it is time to tell  Apache should use these two files.

the file you are gonna see should look somthing like this. you should instert ServerName and change the path for the certificate and the key




Step 7. Activate our SSL Virtual host

To activate our SSL virtual host we should do a

And to load or new host we should restart Apache

if this is a outgoing server you shoould remember to portforwar port 443.


Step 8. Is to test our SSL

We should head into the browser and type Https://type you local ip  or you domain.
You will see a warning because  the SSL certificate is not verified.  This is normal as it is a self signed certificate and we just want our connection to be encrypted. So go a head and press proceed so you can go to you site with an https:// instead of http://
SSL Warning



Step 9. Force Https:// to  PhpMyAdmin

To force PhpMyAdmin use Https://  we need to go into our config. folder

scroll down to the bottom and add this line

Now restart apache to enable the new settings.

now you can acces your_ip_or_domain/phpmyadmin and it will automatic use the https:// connection