Protect phpMyAdmin On An ISPConfig 3 Server (Debian)

ISPConfig logo

With this small howto I explain how to protect your phpmyadmin installation on your Debian server with ISPConfig3 against hack attempts as much as possible. I assume that you already have an ISPConfig3 server running on Debian, which has been set up according to this howto and that phpmyadmin has been installed from the Debian repository into the directory /usr/share/phpmyadmin. With this default setup you can access phpMyAdmin via: http://www.anywebsiteonyourserver.tld/phpmyadmin, which we're going to change for security reasons.

We will protect our phpmyadmin installation by:

- .htpasswd file
- an alias for /phpmyadmin

I do not issue any guarantee that this will work for you!

Here we go:

Login into your ISPConfig3 server as root and execute:

cd /usr/share/phpmyadmin


htpasswd -c .htpasswd username

to create the .htpasswd file and add "username" to list of authorized users. The program will initially prompt you for a password and then ask you to verify it.

Now edit the file /etc/apache2/conf.d/phpmyadmin.conf and modify:

# phpMyAdmin default Apache configuration
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options Indexes FollowSymLinks DirectoryIndex index.php # Authorize for setup


# phpMyAdmin default Apache configuration
Alias /myalias /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options Indexes FollowSymLinks DirectoryIndex index.php #Make use of .htpasswd
AuthType Basic AuthName "Enter account information" AuthUserFile /usr/share/phpmyadmin/.htpasswd Require valid-user # Authorize for setup

Reload Apache2 by executing the command:

/etc/init.d/apache2 reload

Now log into ISPConfig3, and click on "SYSTEM" > "Interface Config".

In the PHPMyAdmin URL field On the "Sites" tab, add your alias for /phpmyadmin, which is in this example: /myalias

Finaly Click on "Save" and you're done.

To verify what we've done, within your webbrowser visit your phpMyAdmin installation at: http://www.anywebsiteonyourserver.tld/myalias or within ISPConfig3 itself, just click on the phpmyadmin icon after the database name.

Share this page:

8 Comment(s)

Add comment

Please register in our forum first to comment.



Quick and slick, gut gemacht Hans!


Do you have or know instructions for protectecting phpMyAdmin ISPConfig 3 Server with CentOS 5.4.


By: Bruno F

Reading a bit more documentation on apache you would find that you can use auth mysql directly

so you have only one database of user and login ... 

So most secure way is anyway to have a https serveur used to hide login & password.

Try to be imaginative with the alias technique, as bot try a lots of alias like myadmin, db, etc....




By: Geno

This works for Ubuntu 11.10 and should work for most other Linux flavors as well.

 Highly recommended tweak.

 Thank you for making this.

By: Anonymous
By: Chris

How yould you change it so the login to phpmyadmin would be a https site?

By: quaz22


On Debian 8 this tutorial not working.

My: /etc/apache2/conf-available/phpmyadmin.conf


# phpMyAdmin default Apache configurationAlias /phpmyadmin /usr/share/phpmyadmin<Directory /usr/share/phpmyadmin>    Options FollowSymLinks    DirectoryIndex index.php    <IfModule mod_php5.c>        <IfModule mod_mime.c>            AddType application/x-httpd-php .php        </IfModule>        <FilesMatch ".+\.php$">            SetHandler application/x-httpd-php        </FilesMatch>        php_flag magic_quotes_gpc Off        php_flag track_vars On        php_flag register_globals Off        php_admin_flag allow_url_fopen Off        php_value include_path .        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/    </IfModule></Directory># Authorize for setup<Directory /usr/share/phpmyadmin/setup>    <IfModule mod_authz_core.c>        <IfModule mod_authn_file.c>            AuthType Basic            AuthName "phpMyAdmin Setup"            AuthUserFile /etc/phpmyadmin/htpasswd.setup        </IfModule>        Require valid-user    </IfModule></Directory># Disallow web access to directories that don't need it<Directory /usr/share/phpmyadmin/libraries>    Require all denied</Directory><Directory /usr/share/phpmyadmin/setup/lib>    Require all denied</Directory>

By: Vagner

For me work very well! Thank you! 

But, I had to modify the link

From: /etc/apache2/conf.d/phpmyadmin.conf

To: /etc/apache2/conf-available/phpmyadmin.conf