phpMyAdmin is one of the most widely used web-based administration tools for managing MySQL and MariaDB databases. It provides a user-friendly graphical interface that makes it easy to perform common database tasks — such as creating databases, running SQL queries, managing users, and importing or exporting data — without needing to use the command line.
Originally released in 1998, phpMyAdmin quickly became the go-to choice for developers and system administrators because of its simplicity, open-source nature, and wide compatibility across operating systems and web servers. Whether you’re hosting a local development environment or managing production databases, phpMyAdmin offers a fast and accessible way to interact with MySQL directly through your browser.
However, because phpMyAdmin is a web application that interfaces directly with your database, it can also become a security risk if left exposed or misconfigured — making it essential to harden its installation before deploying it in any environment.
Setting up phpMyAdmin
Begin by downloading the latest version of phpMyAdmin from phpmyadmin.net. Once downloaded, unzip and extract the contents to your desired directory.
In the previous post, we configured the Default Website in IIS to be accessible only from localhost. This approach mirrors the way hosting providers such as cPanel handle phpMyAdmin access — restricting it to internal access through the hosting control panel for security. You can read more about that configuration in the previous post: IIS Hardening: Locking Down the Default Site to Localhost Only
Extract the downloaded files into the C:\inetpub\wwwroot directory on your IIS server, then rename the folder to phpmyadmin for a clean and consistent access path.
Navigate to https://localhost/phpmyadmin/ and login with the “dbadmin” user that we created in the MySQL setup How to Set Up MySQL Server on Windows Server for Production Environments
Since this is the default install you will see the following error messages.
The configuration file needs a valid key for cookie encryption
What it means:
phpMyAdmin uses an internal encryption key (called the blowfish secret) to secure login cookies and session data. Without it, phpMyAdmin temporarily generates one each time it starts — which weakens the session security.
Why it matters:
If a random key changes with every restart, previously issued cookies become invalid, and more importantly, your session data isn’t properly protected against tampering. Attackers could theoretically hijack or replay sessions if the cookie encryption isn’t consistent.
Fixing this issue
Open the phpMyAdmin folder you extracted into the wwwroot directory and locate the file named config.sample.inc.php. Rename this file to config.inc.php, then open it in a text editor.
Inside the file, find the following line:
$cfg['blowfish_secret'] = '';
Replace it with a securely generated 32-character string, for example:
$cfg['blowfish_secret'] = '9a8iFec3JiC5isDUwTcYfx4UqdU6bxGO';
This key is used to encrypt phpMyAdmin cookies and should always be unique to your installation.
The $cfg[‘TempDir’] (C:\inetpub\wwwroot\phpMyAdmin\tmp) is not accessible.
What it means:
phpMyAdmin stores temporary files (like cached templates and session data) in this directory. If it can’t write there, performance and stability suffer.
Why it matters:
A writable temp directory helps phpMyAdmin handle caching securely and efficiently. Without it:
Templates aren’t cached, slowing down the interface.
phpMyAdmin may revert to less secure fallback mechanisms for handling temporary data.
Fixing this issue
Here’s the PowerShell command sequence to create the phpMyAdmin temp directory and assign the correct permissions securely:
# Create the phpMyAdmin temp folder New-Item -ItemType Directory -Path "C:\inetpub\wwwroot\phpMyAdmin\tmp" -Force # Grant Modify rights to IIS_IUSRS and IUSR icacls "C:\inetpub\wwwroot\phpMyAdmin\tmp" /grant "IIS_IUSRS:(M)" /grant "IUSR:(M)" /T # Confirm permissions icacls "C:\inetpub\wwwroot\phpMyAdmin\tmp"
Explanation
- New-Item: Creates the folder if it doesn’t exist.
- icacls … /grant: Grants Modify (M) rights recursively (/T) to both IIS_IUSRS and IUSR.
- The final line lists the permissions so you can verify they were applied correctly.
This keeps caching functional for phpMyAdmin while restricting write access to only the IIS worker processes, following least-privilege best practices.
The phpMyAdmin configuration storage is not completely configured
What it means:
phpMyAdmin supports an internal database (phpmyadmin) that stores bookmarks, relation data, and user preferences. Without this, some advanced features (like query history and relations view) are disabled.
Why it matters:
- While not a direct security risk, configuring this database is a hardening step because:
- It centralizes phpMyAdmin metadata instead of storing it in flat files.
- It allows you to manage and audit phpMyAdmin data using standard MySQL permissions.
- It ensures controlled access rather than using default or insecure file-based storage.
Fixing this issue
Inside the phpMyAdmin folder, open the sql directory and locate the file named create_tables.sql. Open this file in a text editor, copy its contents, and paste them into the SQL tab within phpMyAdmin.
Click Run to execute the script — this will automatically create the required phpmyadmin database and its associated tables.
Open the config.inc.php file again and add the following line to the bottom of the file:
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
This line tells phpMyAdmin to use the phpmyadmin database you just created as its internal configuration storage. It allows phpMyAdmin to save and manage features such as bookmarked queries, table relations, and user interface preferences.
Without this setting, phpMyAdmin runs in a basic mode where these advanced features are unavailable, and some configuration warnings may continue to appear.
Verifying the Fixes
After applying all three fixes, restart IIS and log back into phpMyAdmin. Once the page reloads, the previous warnings should no longer appear, confirming that your configuration and security settings have been successfully applied
🧩 Summary
Setting up phpMyAdmin securely is just as important as installing MySQL itself. A default installation often leaves unnecessary exposure points, weak permissions, and incomplete configurations that can be exploited if the interface is ever made accessible from outside the server.
By applying these hardening steps — defining a unique encryption key, creating a secured temp directory, and enabling configuration storage — you’ve eliminated the common warnings and tightened phpMyAdmin’s overall security posture.
Because this setup is bound to localhost, phpMyAdmin can only be accessed directly from the IIS server itself. This design mimics how professional hosting platforms isolate administrative tools, ensuring your MySQL management interface remains protected from external access and potential attacks.