Comments on: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories
http://robsnotebook.com/xampp-additional-passwords
Fri, 29 Aug 2008 00:10:14 +0000

By: Kyle, Fri, 16 Nov 2007 19:58:37 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-1757

One other thing... if you kept the xampp pages under htdocs like I did, your status page will show that mysql is deactivated after you change the pma password. You can edit xampp/htdocs/xampp/mysql.php to correct this.
Don't know why that's important, but I get all warm and fuzzy looking at status pages. ;)

By: Kyle, Fri, 16 Nov 2007 19:38:12 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-1755

Seems like you missed a step on the folder security. In order to use the same user and password for the XAMPP folder, you also need to copy the .htaccess file from that folder to the new folder that you want to secure (such as webalizer.)
Thanks for the great guide on securing xampp. This is just what I was looking for!

By: jared, Mon, 17 Sep 2007 18:47:05 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-265

I had stumbled upon the lack of a pw for pma user by myself and did some searching on making things secure and found this site. I was also concerned about the security of folders and about who can access certain features. So, I did the changes to the .conf file as shown but I do not get asked for a user or pw when trying to access the phpadmin or security or webalizer folders from a browser. I do however get an "access denied" page. Is there something I am missing?

I kept a back-up of the httpd-xampp.conf file in case something went wrong.

By: Rob, Sat, 25 Aug 2007 01:35:43 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-121

Jeff: Glad you are finding it useful. I've been having some trouble getting some free time lately to finish the articles, but it will happen. As for your question about an online service for checking for security holes - I have never looked into one, but it sounds like a good idea. Sorry that I can't give you any direction on that one. If you do find something out about that, please let me know.

By: Jeff, Thu, 23 Aug 2007 13:02:07 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-116

This is great! Keep it coming. I am migrating from Apache 1.3 to Apache 2.2.

My concern with XAMPP is security. Still debating on using it or installing Apache, PHP, etc. individually.

With that said, I have installed XAMPP and have followed all of your instructions. Just waiting for the remaining articles.

Is there a good, safe on-line service that can check your system for holes and recommend fixes? I have used 'Shields Up!' and the like, but is there something more specific to detecting WAMP security flaws?

By: Rob, Wed, 01 Aug 2007 02:14:14 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-70

I discovered that after adding the pma password that MySQL can't be shut down using the XAMPP control panel anymore. The c:\xampp\mysql_stop.bat command must be used to stop MySQL instead. Your pma password also needs to be added to mysql_stop.bat. I added this information to the article.

By: Rob, Wed, 01 Aug 2007 01:56:58 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-69

Josh: I'm a little confused when you say that you added a password for "root" through the phpmyadmin interface. My guide only has you adding a password for pma through phpMyAdmin, and uses the built-in XAMPP security script for adding the password for root. In fact, if you are using "cookie" based authentication, you don't need to add the password for 'root' to config.inc.php. Only the password for 'pma' needs to go in there, in the place that I indicated. What I have written on this page works for me (mysql is shown as activated). If the control panel is not showing mysql as activated, how can you be sure it is? One good way to get clues as to what is going on is to start mysql in a command window using c:\xampp\mysql_start.bat. If it doesn't start correctly, you'll get some error messages containing the clues.

By: Rob, Wed, 01 Aug 2007 01:49:12 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-68

jls: Thanks for your comment. On my setup, I had no problem with having the "" around the line with xampp.users. I tried removing the "", and also had no problem. Therefore, I changed this page to remove those "", thinking that if you had a problem, others may also have one.

By: jls, Sat, 28 Jul 2007 20:04:24 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-66

Your tutorial is very interesting.
I've applied your recommendation. I'm using xampp 1.6.2. In the file 'c:\xampp\apache\conf\extra\httpd-xampp.conf' your directive leads to a syntax error when launching apache. After a while I've found that the line indicating the xampp.users should not contain ".

AuthType Basic
AuthUserFile C:\xampp\security\xampp.users
require valid-user

By: josh, Sat, 28 Jul 2007 16:39:15 +0000
http://robsnotebook.com/xampp-additional-passwords#comment-65

Nice guide. I have done what you indicated for the mySQL users - namely, to add a password to user "pma" and to add a password for "root" through the phpmyadmin interface. Then I went into the config.inc.php file and put the password into the 'controlpass' field and also the 'password' field for the MySQL user "root". I can get in and out of phpmyadmin fine, and the mysql service can start, but if I look on the xampp status page, it shows the mysql database as deactivated. What gives?
