How to Install and Secure phpMyAdmin on localhost for Windows

http://localhost/phpmyadmin on Windows 8, 7, Vista, XP (with Apache, PHP, and MySQL)

phpmyadmin on localhost

1. Download phpMyAdmin

Download the latest version of phpMyAdmin 4 from the phpMyAdmin Downloads page.

phpmyadmin downloads come in two flavors: "-english" that has one language pack, and "-all-languages" which can switch the user-interface between multiple languages. Also you should probably get the zipped version, as on Windows it's easier to work with ZIP files.

2. Place phpMyAdmin in localhost's DocumentRoot

Extract and place phpMyAdmin into localhost's DocumentRoot folder. Then rename the folder "phpMyAdmin-4.x.x-language" as "phpmyadmin".

Standard localhost DocumentRoot paths:

If using WampDeveloper Pro, you now should have phpMyAdmin placed as: C:\WampDeveloper\Websites\localhost\webroot\phpmyadmin

3. Requirements

phpMyAdmin 4.1, and newer, requires PHP 5.3+ and MySQL 5.5+.

Make sure PHP execution is already enabled for the directory phpMyAdmin is in. It should be under all WAMPs by default, but if you are using a directory outside DocumentRoot, or have a barebones/custom Apache + PHP setup, it might not be. If you are using PHP-FCGI (mod_fcgid) rather than PHP via Apache's php5_module, additional mod_fcgid configurations will be needed. Most WAMPs will have already taken care of this for you.

The following extensions should already be uncommented in PHP's php.ini configuration file.

MySQL's my.ini configuration file should already have MySQL bound-to/listening-on IP or

bind-address =

4. Configure phpMyAdmin

Make a copy of file phpmyadmin\ as phpmyadmin\ and update it with the following:

* This configuration improves on the default, and is based on WampDeveloper Pro's phpMyAdmin

Set the Login type to use HTTP Basic authentication (cookie is default):

$cfg['Servers'][$i]['auth_type'] = 'http';

Configure phpMyAdmin to access MySQL directly on IP *There is no point in resolving "localhost", and this will also remove the chance of localhost resolving to IPv6 loopback address "::1", which MySQL might not be bound to (causing all kinds of issues):

$cfg['Servers'][$i]['host'] = '';

Allow users to login that have no password set (ex: root):

$cfg['Servers'][$i]['AllowNoPassword'] = true;

Define phpMyAdmin's Control user (internal use):

$cfg['Servers'][$i]['controlhost'] = 'localhost';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'pmapass';

Use all of the advanced phpMyAdmin features:

$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';

Define the max execution time in seconds for importing and exporting of dump (SQL) files (300 is default):

$cfg['ExecTimeLimit'] = 300;

Define the Temporary directory (if you are not using WampDeveloper Pro, define another location):

$cfg['TempDir'] = 'C:/WampDeveloper/Temp';

Don't check for new versions (via JS), nor notify user to update each time newer version is available:

$cfg['VersionCheck'] = false;

Set the Authentication Message for HTTP logins:

$cfg['Servers'][$i]['auth_http_realm'] = 'phpMyAdmin Login';

Define the Logout URL (URL you are taken to after logout):

$cfg['Servers'][$i]['LogoutURL'] = 'http://' . $_SERVER['SERVER_NAME'];

Don't group databases in phpMyAdmin's left menu on underscore in name:

$cfg['NavigationTreeEnableGrouping'] = false;

5. Secure phpMyAdmin

We can secure phpmyadmin by switching from open access to white-listing user access, and...

phpMyAdmin has no user management and will not cross-check the MySQL account's host with the incoming connection's ip/host. But we can set the username + origin IP access permissions by using phpmyadmin's internal access rules:

$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(

	// deny everyone by default
	'deny % from all',

	// allow all users from the local system
	'allow % from localhost',
	'allow % from',
	'allow % from ::1',

	// allow all users from the server IP (commented out)
	// 'allow % from SERVER_ADDRESS',

	// allow user root from local system
	'allow root from localhost',
	'allow root from',
	'allow root from ::1',
	// allow user root from local network
	'allow root from',
	'allow root from',
	'allow root from',
	'allow root from fe80::/10', // IPv6 Link-local Addresses
	'allow root from fc00::/7', // IPv6 Unique Local Addresses

	// add more usernames and their IP (or IP ranges) here -	

6. Create phpMyAdmin's Control user and Database

Start MySQL. Log into the MySQL shell as user root (from the command-line):

mysql -u root -p

* If user root has no password set, leave the "-p" switch out.

Create the phpMyAdmin database by the provided SQL file:

SOURCE C:\WampDeveloper\Websites\localhost\webroot\phpmyadmin\examples\create_tables.sql

Create the Control (internal) phpMyAdmin user:

CREATE USER 'pma'@'localhost' IDENTIFIED BY 'pmapass';
GRANT SELECT, INSERT, DELETE, UPDATE ON `phpmyadmin`.* TO 'pma'@localhost;

Exit the MySQL shell:


7. Restrict phpMyAdmin Access via .htaccess

* This will override the purpose of the access rule list defined in (in the above 'Secure phpMyAdmin' section). Use this only if you know /phpmyadmin will never be accessed from outside the local system.

Secure the phpmyadmin directory to local system access by creating and placing an .htaccess file in phpMyAdmin's directory, with the following access restrictions:

order deny,allow
deny from all
allow from
allow from ::1

8. Login http://localhost/phpmyadmin

Open URL http://localhost/phpmyadmin and log in with any user that:

* You'll only be able to access the databases that the user has had permissions granted on (and only with the specified privileges).

* To logout completely from phpMyAdmin, ALL Tabs in the Browser must be closed (not just the one).