XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories
The XAMPP built-in security only gives password protection to phpMyAdmin root user and to the /xampp folder. There are more folders and users that should be protected.
Change the password of the “pma” user in phpMyAdmin
By default, the MySQL database provided by XAMPP contains 2 users, “root” and “pma”. The “pma” user is used by the phpMyAdmin application. You should have already given a password to the “root” user, but the “pma” user still has a blank password. This should be changed to increase your security.
There are 2 steps involved in changing the password for “pma”. First, you change the password using phpMyAdmin, and then you need to edit the config.inc.php file to let phpMyAdmin know what the password is.
To change the password for “pma”:
- Make sure Apache and MySQL are running.
- On the same machine that Apache is running on, navigate to http://localhost/phpmyadmin
- If you are presented with a login screen, enter username “root” and the password you assigned to it.
- In the phpMyAdmin page, click on “Privileges”
- The next page will show 2 users, “pma” and “root”. On the right side of the row for “pma” is an edit-privileges icon; click on it to edit the properties for “pma”.
- Scroll down a little on the next page to see where you can change the password. I suggest using a password that is different from the phpMyAdmin password. Type in the old and new passwords and click on “Go” just underneath where you entered these passwords.
Now we need to let the phpMyAdmin config file know what the password is so that phpMyAdmin will continue to work.
Open the file c:\xampp\phpmyadmin\config.inc.php in your favorite text editor. Find this line:
$cfg['Servers'][$i]['controlpass'] = ''; // access to the "mysql/user"
and place the password between the two single quotes on the right-hand side of the “=”:
$cfg['Servers'][$i]['controlpass'] = 'password'; // access to the "mysql/user"
There is one other place where you need to enter in your pma password. This is in the file c:\xampp\mysql_stop.bat. By default, this file has this on the 3rd line:
mysql\bin\mysqladmin --user=pma --password= shutdown
You need to add your pma password to this file, directly after --password= (shown as “password” below):
mysql\bin\mysqladmin --user=pma --password=password shutdown
Now you are finished setting the password for “pma”. It is a good idea to check that you have done this properly. Log out of phpMyAdmin (click the log-out button at the top of the left sidebar), and try to sign in again, first as “root” and then as “pma”. If you get this error when you try to sign in: “#1045 – Access denied for user ‘pma’@‘localhost’ (using password: NO)”, it means that you didn’t put the correct password into the config.inc.php file.
Consequence for the XAMPP control panel when the pma password is changed
After you change your pma password, it seems that you are no longer able to use the XAMPP control panel to stop MySQL. You can still use it to start MySQL, but stopping it via the control panel will fail. To stop MySQL, you’ll need to open a command window (Start->Run “cmd”), and execute c:\xampp\mysql_stop.bat. When you stop MySQL this way, the XAMPP control panel will reflect that it is stopped.
Password protect /webalizer, /security, and any other XAMPP folders that you decided to keep
If you want to keep the webalizer and security pages of XAMPP, I suggest that you password protect them. You may also want to password protect other XAMPP pages that you have chosen to keep. You can use the same username/password that you chose for the XAMPP pages, which is stored in the c:\xampp\security\xampp.users file.
To protect these folders with the same password that you have for the /xampp folder, you need to add three lines (AuthType, AuthUserFile and require) just before the </Directory> directive in your Apache config files for each folder, as shown below:
Alias /web_folder_name "C:/xampp/foldername"
<Directory "C:/xampp/foldername">
    ...
    ...
    AuthType Basic
    AuthUserFile C:\xampp\security\xampp.users
    require valid-user
</Directory>
The file to edit to add this text for /security and /webalizer is c:\xampp\apache\conf\extra\httpd-xampp.conf. If you kept some of the other XAMPP folders and want to password protect them, I indicate which config files are used on this page.
In order for these changes in the config files to take effect, you need to stop Apache and restart it.
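The password edits above touch three files by hand (config.inc.php, mysql_stop.bat and httpd-xampp.conf), and a blank or mismatched value in any of them is easy to miss. This added audit script (my own example, not part of the tutorial or of XAMPP) checks that controlpass is set, that mysql_stop.bat carries the same pma password, and that every <Directory> block in the Apache config has Basic auth with require valid-user; the file contents embedded here are constructed samples, and the AuthName check is added because Apache refuses Basic auth in a block without one.

```python
import re

# Constructed sample contents (not real XAMPP files); on a real install read them with open(path).read().
CONFIG_INC = r"""$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'password'; // access to the "mysql/user"
"""
MYSQL_STOP_BAT = r"""mysql\bin\mysqladmin --user=pma --password=password shutdown
"""
HTTPD_XAMPP = r"""<Directory "C:/xampp/webalizer">
    AuthType Basic
    AuthName "xampp user"
    AuthUserFile C:\xampp\security\xampp.users
    require valid-user
</Directory>
<Directory "C:/xampp/security">
    Order deny,allow
</Directory>
"""

def controlpass(php_text):
    """Value of $cfg[...]['controlpass'] in config.inc.php, or None if absent."""
    m = re.search(r"\['controlpass'\]\s*=\s*'([^']*)'", php_text)
    return m.group(1) if m else None

def stop_bat_password(bat_text):
    """Password passed to mysqladmin in mysql_stop.bat ('' if left blank)."""
    m = re.search(r"--user=pma\s+--password=(\S*)\s+shutdown", bat_text)
    return m.group(1) if m else None

def unprotected_directories(conf_text):
    """<Directory> paths whose block lacks a complete Basic-auth setup (Apache also needs AuthName)."""
    def protected(body):
        return all(re.search(p, body, re.I) for p in
                   (r"AuthType\s+Basic", r"AuthName\s+\S", r"AuthUserFile\s+\S", r"require\s+valid-user"))
    blocks = re.finditer(r'<Directory\s+"([^"]+)">(.*?)</Directory>', conf_text, re.S)
    return [m.group(1) for m in blocks if not protected(m.group(2))]

def audit(php_text, bat_text, conf_text):
    findings = []  # empty list means the three files are consistent
    pw, bat_pw = controlpass(php_text), stop_bat_password(bat_text)
    if not pw:
        findings.append("config.inc.php: controlpass is blank or missing")
    if not bat_pw:
        findings.append("mysql_stop.bat: --password= is blank or missing")
    elif pw and bat_pw != pw:
        findings.append("mysql_stop.bat: password differs from config.inc.php")
    for d in unprotected_directories(conf_text):
        findings.append(f"httpd-xampp.conf: {d} has no Basic auth")
    return findings
```

Run it after each edit; with the samples above it reports only that /security is still unprotected.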
There are some folders that already have some password protection, and you should leave them alone (if you didn’t already delete them), unless you want them to have the same password as your /xampp folder. If you are running a webdav server, it may be a good idea to keep the separate password file for the webdav server.
There are also some default passwords that XAMPP has created for the /webdav, /restricted, and a /fonts directory (that is protected by /forbidden). Additionally, XAMPP has some default passwords for the FTP and mail servers. I’ll discuss how to change those passwords in a future article.
The next step for the tutorial is to remove default usernames and passwords.