How to Secure phpMyAdmin on a VPS Server: Step-by-Step Guide
What is phpMyAdmin?
phpMyAdmin is a free, open-source web application written in PHP that provides a user-friendly interface for managing MySQL or MariaDB databases. Instead of typing out SQL commands in the terminal, phpMyAdmin allows you to:
- Browse and edit database tables
- Run SQL queries with syntax highlighting
- Import and export databases in various formats (like SQL, CSV, and Excel)
- Manage users and permissions
- Monitor server status and performance
Because it’s web-based and incredibly powerful, phpMyAdmin is a favorite tool for developers, sysadmins, and anyone managing a database-heavy application like WordPress, Laravel, or custom PHP sites.
However, with convenience comes risk — and if you’re running phpMyAdmin on a VPS (Virtual Private Server), it’s critical to secure it properly. Left exposed, it becomes a prime target for hackers and bots trying to brute-force their way into your data.
In this guide, we’ll walk you through essential security steps to harden phpMyAdmin when it’s installed on a VPS with Apache web server.
📋 Prerequisites
- A VPS with Apache/Nginx, PHP and MySQL are installed
- phpMyAdmin installed
- Root or sudo access to your server
- Basic comfort with the terminal
🔄 1. Keep Your Server and phpMyAdmin Updated
Before anything else, make sure your server and software are up to date
sudo apt update && sudo apt upgrade -y
This ensures you have the latest security patches — a critical first step in any hardening process.
🔐 2. Change the phpMyAdmin URL (Apache)
By default, phpMyAdmin is accessible at https://yourdomain.com/phpmyadmin, which is predictable and frequently targeted by bots.
Let’s change it to something unique.
1. Open the phpMyAdmin Apache configuration file:
sudo nano /etc/apache2/conf-available/phpmyadmin.conf
2. Find this line:
Alias /phpmyadmin /usr/share/phpmyadmin
3. Replace it with a custom path, for example:
Alias /myhiddenpanel /usr/share/phpmyadmin
4. Save the file and reload Apache:
sudo systemctl reload apache2
🔄 Important Note:
After this change, the original /phpmyadmin URL will no longer work. Only your new custom URL (/myhiddenpanel, or whatever you set) will be valid. Anyone trying the default path will get a 404 error — which is exactly what you want.
🔒 3. Set Up HTTP Basic Authentication
Adding a password wall before even reaching the phpMyAdmin login adds a strong layer of protection.
1. Install htpasswd:
sudo apt install apache2-utils
2. Create a password file and user:
sudo htpasswd -c /etc/phpmyadmin/.htpasswd adminuser
3. Update your Apache config (phpmyadmin.conf) and add this inside the
<Directory /usr/share/phpmyadmin>
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user
</Directory>
4. Reload Apache:
sudo systemctl restart apache2
Now, visitors must enter this additional username/password before seeing the phpMyAdmin login page.
🔐 4. Enable HTTPS with Let’s Encrypt
Don’t let anyone sniff your login credentials over HTTP.
1. Install Certbot:
sudo apt install certbot python3-certbot-apache
2. Run Certbot for Apache:
sudo certbot --apache
3. Follow the prompts and select your domain.
Let’s Encrypt certificates auto-renew and keep your site secure over HTTPS.
🧱 5. Restrict Access by IP (Optional but Recommended)
Limit access to phpMyAdmin to your IP address only.
In your phpmyadmin.conf file:
<Directory /usr/share/phpmyadmin>
Order Deny,Allow
Deny from all
Allow from YOUR.IP.ADD.RESS
</Directory>
Replace YOUR.IP.ADD.RESS with your own static IP address (use whatismyip.com to find it).
Then restart Apache:
sudo systemctl restart apache2
This makes phpMyAdmin completely inaccessible to everyone else.
🚫 6. Disable Root Login in phpMyAdmin
It’s best practice to disable MySQL root access from the web.
1. Log in to MySQL:
sudo mysql -u root -p
2. Either change the root plugin or create a limited user for phpMyAdmin:
ALTER USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
FLUSH PRIVILEGES;
3. Or create a new database user with limited privileges for phpMyAdmin use.
🛡️ 7. Enable a Firewall & Fail2Ban
Block unwanted traffic and brute-force attempts.
1. UFW (Uncomplicated Firewall):
sudo ufw allow OpenSSH
sudo ufw allow 'Apache Full'
sudo ufw enable
2. Install Fail2Ban:
sudo apt install fail2ban
Fail2Ban will monitor logs and block repeated failed login attempts.
✅ Final Security Checklist
- Changed default /phpmyadmin URL
- Added HTTP Basic Authentication
- Enabled HTTPS with Let’s Encrypt
- Limited access by IP
- Disabled MySQL root login from web
- Configured firewall and Fail2Ban
- Keep server updated regularly
🧠 Bonus Tips
- Use VPN or SSH tunneling for accessing phpMyAdmin, and disable public access entirely.
- Set up two-factor authentication (2FA) for phpMyAdmin if possible using plugins.
- Monitor your Apache logs for suspicious access attempts.
🚀 Conclusion
phpMyAdmin is an incredibly powerful tool for managing your databases — but with great power comes the responsibility to secure it.
By following these steps, you’re not only protecting your VPS and database but also ensuring your applications and data stay safe from common web threats.
