Adminer File Flagged and Removed by Web Host Security Scanners (e.g., Imunify360)

[yasnaderi]

Hello everyone,

I'm posting this to bring up a common issue that I've encountered, which others trying to deploy Adminer on shared web hosting might also face. I recently tried to upload the official Adminer file to my shared server and found that the file was immediately flagged and removed by the host's security system.

The Issue

When attempting to upload the latest Adminer file, adminer-5.4.1-en.php (downloaded from the official GitHub releases), the file was automatically deleted shortly after upload.

My web host confirmed that their security system, Imunify360 (a common security suite in cPanel environments), identified the file as a high-risk or malicious PHP script and removed it via "real-time protection."

They explained that while Adminer is a legitimate tool, its standalone nature and full database access capabilities are often exploited by attackers, causing security scanners to flag it as potentially unsafe by default.

Host's Response & Workarounds

My host's recommendation was to use phpMyAdmin (available via cPanel) or run Adminer locally and connect remotely to the database, which avoids the server-side file restrictions.

Proposed Discussion

While these workarounds exist, they are not ideal for users who prefer the simplicity and efficiency of Adminer, or who need to quickly deploy it on a shared host.

I would like to discuss if there are any potential modifications, best practices, or methods that could be implemented to help Adminer evade being automatically flagged by common security scanners like Imunify360, while still maintaining its full functionality.

For example:

• Are there known configuration changes or file modifications that could reduce the "risk profile" as seen by these scanners?
• Should the Adminer documentation include a more prominent warning or a dedicated section about deployment challenges on shared hosting?
• Has the community found any reliable methods for successfully deploying Adminer on shared hosts that employ aggressive real-time security scanning?

Any insights or suggestions from the developers or the community would be greatly appreciated.

Thank you!

[Letme]

How is phpMyAdmin not flagged, but Adminer is? That is how you know their explanation is 💩 as phpMyAdmin has same capabilities. I think this is problem of Imunify360, which needs to tell what the problem really is, or what would they expect for Adminer to have to be accepted.

Would it help if Adminer would have https://openssf.org/projects/best-practices-badge/ ? I think it is on you, to get the requirements from Imunify360, what they expect Adminer to fix, otherwise they have no reason to flag it as high-risk. I have no problem deploying Adminer to various shared hosting providers, so maybe you can ask your hosting provider what they would expect Adminer to do, to get it whitelisted.