How to Install and Secure phpMyAdmin on localhost for Windows
http://localhost/phpmyadmin on Windows 8, 7, Vista, XP (with Apache, PHP, and MySQL)
1. Download phpMyAdmin
Download the latest version of phpMyAdmin 4 from the phpMyAdmin Downloads page.
phpMyAdmin downloads come in two flavors: "-english", which has one language pack, and "-all-languages", which can switch the user interface between multiple languages. You should probably get the zipped version, as ZIP files are easier to work with on Windows.
2. Place phpMyAdmin in localhost's DocumentRoot
Extract and place phpMyAdmin into localhost's DocumentRoot folder. Then rename the folder "phpMyAdmin-4.x.x-language" as "phpmyadmin".
Standard localhost DocumentRoot paths:
- WampDeveloper Pro: C:\WampDeveloper\Websites\localhost\webroot
- Apache 2.4 (standalone Apache): C:\Program Files\Apache Software Foundation\Apache2.4\htdocs\
- XAMPP: C:\xampp\htdocs
- WampServer: C:\wamp\www
If using WampDeveloper Pro, you now should have phpMyAdmin placed as: C:\WampDeveloper\Websites\localhost\webroot\phpmyadmin
phpMyAdmin 4.1, and newer, requires PHP 5.3+ and MySQL 5.5+.
Make sure PHP execution is already enabled for the directory phpMyAdmin is in. It should be under all WAMPs by default, but if you are using a directory outside DocumentRoot, or have a barebones/custom Apache + PHP setup, it might not be. If you are using PHP-FCGI (mod_fcgid) rather than PHP via Apache's php5_module, additional mod_fcgid configurations will be needed. Most WAMPs will have already taken care of this for you.
The following extensions should already be uncommented in PHP's php.ini configuration file.
MySQL's my.ini configuration file should already have MySQL bound-to/listening-on IP 127.0.0.1 or 0.0.0.0:
bind-address = 127.0.0.1
4. Configure phpMyAdmin
Make a copy of file phpmyadmin\config.sample.inc.php as phpmyadmin\config.inc.php and update it with the following:
* This configuration improves on the default, and is based on WampDeveloper Pro's phpMyAdmin config.inc.php.
Set the Login type to use HTTP Basic authentication (cookie is default):
$cfg['Servers'][$i]['auth_type'] = 'http';
Configure phpMyAdmin to access MySQL directly on IP 127.0.0.1. There is no point in resolving "localhost", and this also removes the chance of localhost resolving to the IPv6 loopback address "::1", which MySQL might not be bound to (causing all kinds of issues):
$cfg['Servers'][$i]['host'] = '127.0.0.1';
Allow users that have no password set (e.g. root) to log in:
$cfg['Servers'][$i]['AllowNoPassword'] = true;
Define phpMyAdmin's Control user (internal use):
$cfg['Servers'][$i]['controlhost'] = 'localhost';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'pmapass';
Use all of the advanced phpMyAdmin features:
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
Define the max execution time in seconds for importing and exporting of dump (SQL) files (300 is default):
$cfg['ExecTimeLimit'] = 300;
Define the Temporary directory (if you are not using WampDeveloper Pro, define another location):
$cfg['TempDir'] = 'C:/WampDeveloper/Temp';
Don't check for new versions (via JS), nor notify the user to update each time a newer version is available:
$cfg['VersionCheck'] = false;
Set the Authentication Message for HTTP logins:
$cfg['Servers'][$i]['auth_http_realm'] = 'phpMyAdmin Login';
Define the Logout URL (URL you are taken to after logout):
$cfg['Servers'][$i]['LogoutURL'] = 'http://' . $_SERVER['SERVER_NAME'];
Don't group databases in phpMyAdmin's left menu by the underscore in their names:
$cfg['NavigationTreeEnableGrouping'] = false;
5. Secure phpMyAdmin
We can secure phpMyAdmin by switching from open access to white-listing user access, and...
- allowing all local users access
- restricting root to local system access
- restricting root to local network access
phpMyAdmin has no user management and will not cross-check the MySQL account's host with the incoming connection's IP/host. But we can set the username + origin IP access permissions by using phpMyAdmin's internal access rules:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    // deny everyone by default
    'deny % from all',
    // allow all users from the local system
    'allow % from localhost',
    'allow % from 127.0.0.1',
    'allow % from ::1',
    // allow all users from the server IP (commented out)
    // 'allow % from SERVER_ADDRESS',
    // allow user root from local system
    'allow root from localhost',
    'allow root from 127.0.0.1',
    'allow root from ::1',
    // allow user root from local network
    'allow root from 10.0.0.0/8',
    'allow root from 172.16.0.0/12',
    'allow root from 192.168.0.0/16',
    'allow root from fe80::/10', // IPv6 Link-local Addresses
    'allow root from fc00::/7', // IPv6 Unique Local Addresses
    // add more usernames and their IP (or IP ranges) here
);
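To see which username + origin IP pairs the rule list above lets through, here is an added example (not phpMyAdmin's own code and not part of the original article): a simplified Python model of the 'deny,allow' order. It assumes the shortcut "all" matches every client and "localhost" means 127.0.0.0/8; the function names are hypothetical.

```python
import ipaddress

# Rule list copied from the AllowDeny section above.
RULES = [
    "deny % from all",
    "allow % from localhost", "allow % from 127.0.0.1", "allow % from ::1",
    "allow root from localhost", "allow root from 127.0.0.1", "allow root from ::1",
    "allow root from 10.0.0.0/8", "allow root from 172.16.0.0/12",
    "allow root from 192.168.0.0/16", "allow root from fe80::/10",
    "allow root from fc00::/7",
]

def _matches(rule, user, ip):
    """True if one 'action user from source' rule applies to (user, ip)."""
    _action, rule_user, _from, source = rule.split()
    if rule_user != "%" and rule_user != user:
        return False
    if source == "all":                      # assumption: matches every client
        return True
    if source == "localhost":                # assumption: IPv4 loopback range
        source = "127.0.0.0/8"
    net = ipaddress.ip_network(source, strict=False)
    return ip.version == net.version and ip in net

def matching_rules(user, remote_ip, action, rules=RULES):
    ip = ipaddress.ip_address(remote_ip)
    return [r for r in rules if r.startswith(action + " ") and _matches(r, user, ip)]

def is_allowed(user, remote_ip, rules=RULES):
    """'deny,allow' order: deny rules first, then allow rules override them."""
    forbidden = bool(matching_rules(user, remote_ip, "deny", rules))
    if matching_rules(user, remote_ip, "allow", rules):
        forbidden = False
    return not forbidden

def redundant_rules(rules=RULES):
    """User-specific allow rules already covered by a '%' rule for the same source."""
    wildcard = {r.split()[3] for r in rules if r.split()[:2] == ["allow", "%"]}
    return [r for r in rules
            if r.split()[0] == "allow" and r.split()[1] != "%" and r.split()[3] in wildcard]

if __name__ == "__main__":
    for user, ip in [("root", "127.0.0.1"), ("alice", "::1"), ("root", "192.168.1.20"),
                     ("alice", "192.168.1.20"), ("root", "203.0.113.7"), ("root", "fe80::1")]:
        print(f"{user:6} {ip:15} ->", "allow" if is_allowed(user, ip) else "deny")
    print("redundant:", redundant_rules())
```

Under this list root passes the access rules from any private-range address, so with AllowNoPassword set to true the root account should have a MySQL password before those ranges are left enabled. The three root loopback rules are already covered by the "%" rules for the same sources.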
6. Create phpMyAdmin's Control user and Database
Start MySQL. Log into the MySQL shell as user root (from the command-line):
mysql -u root -p
* If user root has no password set, leave the "-p" switch out.
Create the phpMyAdmin database from the provided SQL file:
Create the Control (internal) phpMyAdmin user:
CREATE USER 'pma'@'localhost' IDENTIFIED BY 'pmapass';
GRANT SELECT, INSERT, DELETE, UPDATE ON `phpmyadmin`.* TO 'pma'@'localhost';
Exit the MySQL shell:
7. Restrict phpMyAdmin Access via .htaccess
* This will override the purpose of the access rule list defined in config.inc.php (in the above 'Secure phpMyAdmin' section). Use this only if you know /phpmyadmin will never be accessed from outside the local system.
Secure the phpmyadmin directory to local system access by creating and placing an .htaccess file in phpMyAdmin's directory, with the following access restrictions:
order deny,allow
deny from all
allow from 127.0.0.1
allow from ::1
8. Login http://localhost/phpmyadmin
Open URL http://localhost/phpmyadmin and log in with any user that:
- A) Is a MySQL user (exists in MySQL) and has its Host: field set as either "127.0.0.1", "::1", or "%" (means any host).
- B) Has proper access permissions set in config.inc.php and/or is not restricted by .htaccess.
* You'll only be able to access the databases that the user has had permissions granted on (and only with the specified privileges).
* To log out completely from phpMyAdmin, ALL tabs in the browser must be closed (not just the one).