How to Install and Secure phpMyAdmin on Ubuntu 22.04

Choose a different version or distribution

Introduction

Before we begin talking about how to install phpMyAdmin on Ubuntu 22.04, let's briefly understand – What is phpMyAdmin?

phpMyAdmin is a user-friendly web-based application used for managing MySQL databases. With its intuitive interface, it offers various functionalities like creating databases, managing tables, executing SQL queries, and handling user privileges.

This platform-independent tool ensures database security through authentication and SSL/TLS support. Its extensibility allows users to customize and enhance functionality with plugins. phpMyAdmin is a valuable tool for efficiently managing databases, accessible through any web browser.

In this tutorial, you will install and secure phpMyAdmin so that you can safely use it to manage your databases on an Ubuntu 22.04 system. We will also address a few FAQs on how to install phpMyAdmin on Ubuntu 22.04.

Advantages of phpMyAdmin

User-Friendly Interface: phpMyAdmin provides a simple and intuitive interface for managing MySQL databases, making it easy for users to navigate and perform database operations.
Broad Functionality: It offers a wide range of features, including database creation, table management, data manipulation, SQL execution, user management, and more.
Platform Independence: phpMyAdmin is written in PHP and can be accessed through a web browser, making it compatible with various operating systems and accessible from anywhere.
Security Features: It includes robust security measures like authentication, user privileges management, SSL/TLS support, and the ability to generate strong passwords, ensuring the protection of your database.
Extensibility: phpMyAdmin supports plugins and extensions, allowing users to enhance its functionality and customize it according to their specific needs.

Prerequisites to Set Up and Secure phpMyAdmin on Ubuntu 22.04

To complete this guide, you will need the following:

Server running Ubuntu 22.04.
A non-root user with administrative rights.
A firewall set up with ufw should be present on this server.

Using software like phpMyAdmin raises a number of crucial security issues, since it:

Connects to your MySQL installation directly.
Uses MySQL login credentials to handle authentication.
Executes any SQL query and returns the results.

For these reasons, as well as the fact that phpMyAdmin is a widely-used PHP application that is regularly the target of attacks, you should never execute it on remote computers using a plain HTTP connection.

Step 1 - Installing phpMyAdmin

phpMyAdmin may be installed from the default Ubuntu repository using APT.

If you haven't done so recently, update your server's package index as your non-root sudo user:

sudo apt update

Installing the phpmyadmin package comes next. To enable specific functions and boost efficiency, the official documentation also suggests that you install a few PHP extensions on your server in addition to this package.

Several of these modules will have been installed along with the php package if you followed the prerequisite LAMP stack tutorial. However, it’s advised that you also install these packages:

php-mbstring: a module for managing strings that aren't ASCII and converting strings to various encodings.
php-zip: with the help of this plugin, you can upload .zip files to phpMyAdmin.
php-gd: support for the GD Graphics Library is enabled.
php-json: provides JSON serialization capabilities for PHP.
php-curl: enables PHP to communicate with multiple servers via various protocols.

You may install these packages on your machine by using the following command. Please be aware, however, that in order to configure phpMyAdmin properly, you must make some decisions during the installation process. Soon, we'll go over these possibilities:

sudo apt install phpmyadmin php-mbstring php-zip php-gd php-json php-curl

Here are the settings you should choose when prompted in order to configure your installation correctly:

For the server selection, choose apache2

⚠️

Warning: The word "apache2" is highlighted, but not selected when the prompt appears. If you don't press SPACE to choose Apache, the installer won't transfer the required files when installing. For Apache to be selected, press SPACE, TAB, and then ENTER.

When prompted to use dbconfig-common to configure the database, choose Yes.
You will then be prompted to select and confirm a password for the phpMyAdmin MySQL application.

Note: If you followed Step 2 of the required LAMP stack guide to install MySQL, you might have chosen to enable the Validate Password plugin. When you try to set a password for the phpmyadmin account after enabling this component, an error is now generated:

To fix this, choose the abort option to terminate the installation. Open your MySQL prompt after that:

sudo mysql

Alternately, run the following command and then enter your password when prompted if password authentication for the root MySQL user was enabled:

mysql -u root -p

Execute the following command from the prompt to disable the Validate Password component. It should be noted that doing this will just prevent the component from loading on your MySQL server, not actually uninstall it:

UNINSTALL COMPONENT "file://component_validate_password";

After that, you can leave the MySQL client:

exit

Then attempt installing the phpmyadmin package once more, and everything should go smoothly:

sudo apt install phpmyadmin

Once phpMyAdmin is set up, you can use sudo mysql or mysql -u root -p to reopen the MySQL prompt and then enter the following line to enable the Validate Password component once more:

INSTALL COMPONENT "file://component_validate_password";

The phpMyAdmin Apache configuration file is added after installation to the /etc/apache2/conf-enabled/ directory, where it is immediately read. The only item left to complete in this phase of the tutorial is to explicitly enable the mbstring PHP extension. You may do this by typing: to finish setting Apache and PHP to interact with phpMyAdmin:

sudo phpenmod mbstring

After that, you must restart Apache for your changes to take effect:

sudo systemctl restart apache2

phpMyAdmin has been set up to work with Apache and has been installed. However, you must make sure that your MySQL users have the privileges necessary for interacting with the programme before you can log in and start working with your MySQL databases.

Step 2 - Modifying User Authentication and Privileges

A database user named phpmyadmin was automatically created when you installed phpMyAdmin on your server. This user manages some of the program's internal operations. It is recommended that you use the administrator password you created during installation to log in as either your root MySQL account or as a user specifically created for managing databases through the phpMyAdmin interface.

Setting Up Password Access for the MySQL Root Account

The root MySQL user is configured in Ubuntu systems running MySQL 5.7 (and later versions) to authenticate via the auth_socket plugin by default rather than with a password. This provides improved security and usability in many circumstances, but it can also complicate things when an external programme, such as phpMyAdmin, needs to access the user.

If you haven't already, change the authentication mechanism of phpMyAdmin from auth_socket to one that uses a password. This will allow you to log in as your root MySQL user. Open the MySQL prompt in your terminal to complete this:

sudo mysql

Next, run the following command to determine the type of authentication each of your MySQL user accounts uses:

SELECT user,authentication_string,plugin,host FROM mysql.user;

Output
+------------------+------------------------------------------------------------------------+-----------------------+-----------+
| user             | authentication_string                                                  | plugin                | host      |
+------------------+------------------------------------------------------------------------+-----------------------+-----------+
| debian-sys-maint | $A$005$I:jOry?]Sy<|qhQRj3fBRQ43i4UJxrpm.IaT6lOHkgveJjmeIjJrRe6         | caching_sha2_password | localhost |
| mysql.infoschema | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | caching_sha2_password | localhost |
| mysql.session    | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | caching_sha2_password | localhost |
| mysql.sys        | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | caching_sha2_password | localhost |
| phpmyadmin       | $A$005$?#{Z?`gN!c2az)}V-INCWXSuVdqB9zWteH1IkZfTe/rOLgVhSzEMM9R3G6K9    | caching_sha2_password | localhost |
| root             |                                                                        | auth_socket           | localhost |
+------------------+------------------------------------------------------------------------+-----------------------+-----------+
6 rows in set (0.00 sec)

This sample output shows that the auth_socket plugin is used by the root user to authenticate. Run the following ALTER USER command to set the root account to require a password for authentication:

ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password';

Note: The root MySQL user is configured to authenticate using the caching_sha2_password plugin by the previous ALTER USER statement. The preferred authentication plugin for MySQL is caching_sha2_password since it offers more secure password encryption than the more standard but still widely used mysql_native_password, according to the official MySQL documentation.

However, caching_sha2_password is not consistently compatible with all versions of PHP. Although PHP claims that this problem has been resolved as of PHP 7.4, you might want to set root to authenticate with mysql_native_password if you subsequently discover a problem when attempting to access phpMyAdmin:

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

Check each user's authentication method once again to ensure that root is no longer authenticating via the auth_socket plugin:

SELECT user,authentication_string,plugin,host FROM mysql.user;

Output
+------------------+------------------------------------------------------------------------+-----------------------+-----------+
| user             | authentication_string                                                  | plugin                | host      |
+------------------+------------------------------------------------------------------------+-----------------------+-----------+
| debian-sys-maint | $A$005$I:jOry?]Sy<|qhQRj3fBRQ43i4UJxrpm.IaT6lOHkgveJjmeIjJrRe6         | caching_sha2_password | localhost |
| mysql.infoschema | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | caching_sha2_password | localhost |
| mysql.session    | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | caching_sha2_password | localhost |
| mysql.sys        | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | caching_sha2_password | localhost |
| phpmyadmin       | $A$005$?#{Z?`gN!c2az)}V-INCWXSuVdqB9zWteH1IkZfTe/rOLgVhSzEMM9R3G6K9    | caching_sha2_password | localhost |
| root             | $A$005$3y�y|Z?'_[} ZyVHuESVwNmjKWOH/ndETwS.Kty0IH7UfiXjOfVvyWroy4a.   | caching_sha2_password | localhost |
+------------------+------------------------------------------------------------------------+-----------------------+-----------+
6 rows in set (0.00 sec)

This output demonstrates that a password will be used by the root user to authenticate. With the password you've chosen for the phpMyAdmin interface here, you can now access it as the root user.

Configuring Password Access for a Dedicated MySQL User

As an alternative, some people might discover that using a dedicated user to connect to phpMyAdmin better matches their workflow. Open the MySQL shell once more to complete this:

sudo mysql

You must run the following command and enter your password when prompted in order to connect if you have enabled password authentication for your root user as mentioned in the previous section:

mysql -u root -p

Create a new user from there and give it a strong password:

CREATE USER 'sammy'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password';

Note: Again, depending on the version of PHP you've installed, you might want to change your new user's settings so that mysql_native_password rather than caching_sha2_password is used for authentication:

ALTER USER 'sammy'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

After that, give your new user the necessary permissions. For instance, the following command would provide the user access to all database tables as well as the ability to add, modify, and remove user privileges:

GRANT ALL PRIVILEGES ON *.* TO 'sammy'@'localhost' WITH GRANT OPTION;

After that, close the MySQL shell:

exit

By going to your server's domain name or public IP address and then typing in /phpmyadmin, you can now access the web interface:

https://your_domain_or_IP/phpmyadmin

Enter the interface as root or with the newly created username and password that you just set up.

You will be directed to the phpMyAdmin user interface after logging in:

Now that you can connect to and communicate with phpMyAdmin, all that is needed to do is strengthen your system's security to keep attackers out.

Step 3 - Securing Your phpMyAdmin Instance

phpMyAdmin is a common target for attackers due to its widespread use, therefore you should take extra precautions to avoid unauthorized access. Utilizing Apache's integrated authentication and authorization capabilities included in the .htaccess file is one approach to accomplish this. Another is to place a gateway in front of the entire application.

To do this, you must first enable the use of .htaccess file overrides by modifying the Apache configuration file for your phpMyAdmin installation.

The phpmyadmin.conf file has been added to your Apache configuration directory; modify it using your chosen text editor. We'll use nano in this case:

sudo nano /etc/apache2/conf-available/phpmyadmin.conf

Include the AllowOverride All directive in the <Directory /usr/share/phpmyadmin> section of the configuration file:

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All
    . . .

Save the file after adding this line, then quit it. If you edited the file using nano, enter the changes by pressing CTRL + X, Y, and then ENTER.

Restart Apache to apply the modifications you made:

sudo systemctl restart apache2

You must now construct a .htaccess file for your application because you have authorized its use in order to put security into practise.

The file needs to be generated inside the application directory for this to work. By typing the following, you can make the required file and open it in your text editor with root privileges:

sudo nano /usr/share/phpmyadmin/.htaccess

Enter the following details in this file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

Each of these lines means as follows:

AuthType Basic: This line describes the kind of authentication you're using. This kind will use a password file to implement password authentication.
AuthName: This configures the authentication dialogue box's message. To prevent unauthorised people from learning what is being protected, you should keep this general.
AuthUserFile: The password file's location, which will be used for authentication, is set by this. Outside of the directories being provided should be this. We will soon create this file.
Require valid-user: This states that this resource should only be accessible to people who have provided valid credentials. This is what truly prevents entry by unauthorised users.

Save your work and then exit the file.

Your password file was saved at /etc/phpmyadmin/.htpasswd. With the htpasswd tool, you can now make this file and give it an initial user:

sudo htpasswd -c /etc/phpmyadmin/.htpasswd username

A password will need to be chosen and verified for the user you are creating. The produced file then contains the hashed password that you supplied.

You must input an additional user without the -c flag, as in the following example:

sudo htpasswd /etc/phpmyadmin/.htpasswd additionaluser

After that, restart Apache to implement .htaccess authentication:

sudo systemctl restart apache2

You will now be asked for the additional account name and password that you just set up when you access your phpMyAdmin subdirectory:

https://domain_name_or_IP/phpmyadmin

You will be sent to the standard phpMyAdmin authentication screen to enter your MySQL credentials after completing the Apache authentication. You add another layer of security to your database by adding a set of non-MySQL credentials. This is preferable because phpMyAdmin has already been exposed to security risks.

FAQs to Set Up and Secure phpMyAdmin on Ubuntu 22.04

How can I access phpMyAdmin after installation?

Access phpMyAdmin by opening a web browser and entering http://localhost/phpmyadmin in the address bar. Log in with your MySQL username and password.

How do I secure phpMyAdmin on Ubuntu 22.04?

Secure phpMyAdmin by running the command sudo dpkg-reconfigure phpmyadmin in the terminal. Choose Yes when prompted to use the dbconfig-common, and set a strong password for the phpMyAdmin database.

Can I change the default URL path for phpMyAdmin?

Yes, you can change the URL path for phpMyAdmin by editing the Apache configuration file. Use the Alias directive to specify a custom URL path.

How can I enable HTTPS (SSL/TLS) for phpMyAdmin?

Enable HTTPS for phpMyAdmin by configuring an SSL certificate on your Apache server. Once configured, access phpMyAdmin using https://localhost/phpmyadmin.

What are some recommended security practices for phpMyAdmin?

Some security practices include using strong passwords, restricting access to specific IP addresses, regularly updating phpMyAdmin, and disabling the "root" login for MySQL.

Can I limit access to phpMyAdmin from specific IP addresses?

Yes, you can limit access to phpMyAdmin by editing the Apache configuration file and using the Allow from directive to specify the IP addresses that are allowed to access it.

What should I do if I forget the phpMyAdmin password?

Reset the phpMyAdmin password by logging into the MySQL server as the root user and executing the appropriate SQL command to reset the password for the phpMyAdmin user.

Conclusion

We hope this detailed tutorial helped you understand how to install and setup phpMyAdmin on Ubuntu 22.04.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.