Back to DocsphpMyAdmin is a web interface to manage MySQL/MariaDB databases. This guide shows how to install it securely.
Installation on Ubuntu/Debian with Nginx
1. Install phpMyAdmin
sudo apt update
sudo apt install phpmyadmin php-mbstring php-zip php-gd php-json php-curl -y
During installation:
2. Configure Nginx
sudo nano /etc/nginx/sites-available/phpmyadmin
server {
listen 80;
server_name phpmyadmin.yourdomain.com;
# or: server_name _; (any domain/IP)
root /usr/share/phpmyadmin;
index index.php index.html;
# Security: limit access by IP
# allow 1.2.3.4;
# deny all;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
# Adjust PHP version: php8.2-fpm, php8.3-fpm, etc.
}
location ~ /\.ht {
deny all;
}
}
sudo ln -s /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
3. Enable PHP extension
sudo phpenmod mbstring
sudo systemctl restart php8.1-fpm # adjust version
- Web server: select apache2 if asked (even if you use Nginx: we'll configure it manually)
- Configure database for phpmyadmin with dbconfig-common? → Yes
- Enter the password for the phpmyadmin database user
Installation with Apache
sudo apt install phpmyadmin php-mbstring -y
# Select apache2 during installation
# Enable configuration
sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf
sudo a2enconf phpmyadmin
sudo systemctl reload apache2
Security configuration
phpMyAdmin exposed on the internet without protection is a frequent target for automated attacks. Apply at least one of the following measures.
Option 1: access only from your IP (recommended)
In Nginx, inside the location / block:
location / {
allow 1.2.3.4; # your IP
deny all;
try_files $uri $uri/ =404;
}
Option 2: HTTP basic authentication
# Create password file
sudo apt install apache2-utils -y
sudo htpasswd -c /etc/nginx/.htpasswd admin
# Add to Nginx
location / {
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
try_files $uri $uri/ =404;
}
Option 3: change the access URL
Don't use /phpmyadmin as the URL. Create a non-obvious alias:
# Instead of root /usr/share/phpmyadmin, use an alias
location /manage-db-a8x3k {
alias /usr/share/phpmyadmin;
...
}
Disable root access
For security, don't allow direct login of root in phpMyAdmin:
// /etc/phpmyadmin/conf.d/custom.php (create the file)
<?php
$cfg['Servers'][$i]['AllowRoot'] = false;
Create a dedicated MySQL user for phpMyAdmin
-- Connect to MySQL
mysql -u root -p
-- Create user with limited access
CREATE USER 'webadmin'@'localhost' IDENTIFIED BY 'secure_password';
-- Grant access to all databases (or only the ones you need)
GRANT ALL PRIVILEGES ON *.* TO 'webadmin'@'localhost' WITH GRANT OPTION;
-- Or only on a specific database:
-- GRANT ALL PRIVILEGES ON my_database.* TO 'webadmin'@'localhost';
FLUSH PRIVILEGES;
EXIT;
SSL with Let's Encrypt
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d phpmyadmin.yourdomain.com
See the SSL with Certbot guide for details.
Update phpMyAdmin
sudo apt update && sudo apt upgrade phpmyadmin -y
Common issues
Error 403 Forbidden: check the permissions of /usr/share/phpmyadmin folder and the Nginx configuration.
Missing PHP extension: sudo apt install php-mbstring php-xml php-zip -y && sudo systemctl restart php8.x-fpm
"No input file specified": verify that fastcgi_pass points to the correct PHP version (php -v to see the active version).
Related articles
DeluxHost, founded in 2023, offers high-quality hosting solutions for various digital needs. We provide shared hosting, VPS, and dedicated servers with advanced security and global data centers.
