
Author: Government Digital Service

Adminer exposure

What this means

Adminer is a lightweight database management tool which, when exposed to the public without adequate security measures, can lead to significant vulnerabilities.

Attackers can use it to fetch passwords for popular apps, such as Magento and WordPress, to gain control of a site’s database.

Why this is a problem

An exposed Adminer instance can act as a direct gateway for attackers to execute malicious database queries, compromise sensitive data, and gain further control over the application or infrastructure.

The risks associated with Adminer exposure include:

  • unauthorised access – if Adminer is not properly secured, anyone with access to its interface can attempt to log into the database using brute force attacks or stolen credentials
  • data breaches – attackers can view, modify, or delete sensitive data stored in the database
  • privilege escalation – if Adminer allows database superuser access, attackers could escalate privileges and execute administrative commands (for example, dropping tables or creating backdoors)
  • exploitation of weak authentication – if weak credentials or misconfigurations are present, the risk of exploitation significantly increases

How to check if the problem is there

Administrators should determine whether Adminer is exposed or vulnerable in their environment by:

  • checking the version of Adminer – making sure the version of Adminer is fully up to date
  • inspecting logs for suspicious activity – reviewing access logs for unauthorised login attempts, unusual traffic patterns, or successful connections from unknown IP addresses
  • conducting a vulnerability scan – using automated tools to identify vulnerabilities related to Adminer exposure
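The first two checks above can be scripted. The following Python script is an added example, not code from the original page or from the Adminer project: it reads the version tag from the docblock at the top of `adminer.php` and compares it with a minimum you set, and it summarises Adminer requests in an Apache-style access log per source address, flagging addresses outside an allow-list. The sample file header and log lines are constructed for the example, the `MINIMUM_VERSION` value is a placeholder you must replace with the current release, and the status-code heuristic (a redirect after a POST counted as a likely successful login, any other POST as a login attempt) is an assumption rather than documented Adminer behaviour.

```python
import re
from collections import defaultdict

# Constructed sample of the docblock Adminer ships at the top of adminer.php;
# only the "@version" tag matters here and the number is made up for the example.
SAMPLE_ADMINER_HEADER = """<?php
/** Adminer - Compact database management
* @link https://www.adminer.org/
* @version 4.7.0
*/
"""

# Assumption: replace with the latest release published on adminer.org.
MINIMUM_VERSION = (4, 8, 1)

VERSION_RE = re.compile(r"^\*\s*@version\s+(\d+(?:\.\d+)*)", re.MULTILINE)


def adminer_version(source: str):
    """Return the version from the file header as a tuple of ints, or None."""
    match = VERSION_RE.search(source)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def version_is_current(source: str, minimum=MINIMUM_VERSION) -> bool:
    """True only when a version was found and it is at least `minimum`."""
    version = adminer_version(source)
    return version is not None and version >= minimum


# Constructed Apache "combined"-style log lines using RFC 5737 documentation addresses.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2025:09:12:01 +0000] "GET /adminer.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2025:09:12:05 +0000] "POST /adminer.php?username=root HTTP/1.1" 403 1200',
    '203.0.113.7 - - [10/Mar/2025:09:12:07 +0000] "POST /adminer.php?username=admin HTTP/1.1" 403 1200',
    '203.0.113.7 - - [10/Mar/2025:09:12:09 +0000] "POST /adminer.php?username=magento HTTP/1.1" 302 0',
    '198.51.100.22 - - [10/Mar/2025:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 8000',
    '192.0.2.10 - - [10/Mar/2025:10:00:00 +0000] "POST /adminer.php HTTP/1.1" 302 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def review_log(lines, allowed_ips, adminer_paths=("/adminer.php",)):
    """Summarise requests to the Adminer script per source address.

    Returns {ip: {"requests": n, "login_posts": n, "likely_success": n,
                  "untrusted": bool}} for addresses that touched Adminer.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "login_posts": 0, "likely_success": 0})
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        path = match["path"].split("?", 1)[0]
        if path not in adminer_paths:
            continue
        entry = per_ip[match["ip"]]
        entry["requests"] += 1
        if match["method"] == "POST":
            entry["login_posts"] += 1
            # Assumption: a redirect after the login POST is treated as success.
            if match["status"].startswith("3"):
                entry["likely_success"] += 1
    for ip, entry in per_ip.items():
        entry["untrusted"] = ip not in allowed_ips
    return dict(per_ip)


def untrusted_sources(summary):
    """Addresses outside the allow-list that reached Adminer, sorted for reporting."""
    return sorted(ip for ip, entry in summary.items() if entry["untrusted"])


if __name__ == "__main__":
    print("version current:", version_is_current(SAMPLE_ADMINER_HEADER))
    summary = review_log(SAMPLE_LOG_LINES, allowed_ips={"192.0.2.10"})
    for ip in untrusted_sources(summary):
        print(ip, summary[ip])
```

Run it against the real file and log by reading them in place of the constructed samples; any address that appears in `untrusted_sources` with a non-zero `likely_success` count warrants an incident-response look rather than just a firewall change.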

How to fix this

If you no longer need to perform database administration via Adminer, remove the file: with it gone there is no Adminer interface left to attack.

If you are not able to remove Adminer, implement the following controls to prevent unauthorised access:

  • keeping Adminer up to date
  • using .htaccess, or equivalent server configurations, to password-protect the Adminer interface
  • configuring firewall rules to allow connections only from trusted IP addresses (IP whitelisting)
  • removing Adminer, if the service is not required
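The password-protection and IP allow-listing controls above can be combined in one `.htaccess` file. This is an added example for Apache 2.4 (mod_authn_file and mod_authz_core enabled), not configuration from the original page or the Adminer project; the `AuthUserFile` path and the RFC 5737 addresses are placeholders to replace with your own.

```apache
# .htaccess placed in the directory that holds adminer.php (example, not from the page)
<Files "adminer.php">
    # Password-protect the interface with HTTP basic authentication.
    # Create the credential file with: htpasswd -c /etc/apache2/adminer.htpasswd dba
    AuthType Basic
    AuthName "Database administration"
    AuthUserFile /etc/apache2/adminer.htpasswd

    # Both conditions must hold: a valid account AND a trusted source address.
    <RequireAll>
        Require valid-user
        Require ip 192.0.2.0/24 198.51.100.22
    </RequireAll>
</Files>
```

Serve the site over HTTPS so the basic-auth credentials are not sent in clear text, and keep the same address restriction at the network firewall as well, so a misplaced or overridden `.htaccess` does not silently re-expose the interface.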
