Use XAMPP Security Script to Password Protect /xampp and phpMyAdmin root User
This article is part of a series of articles that I’m writing on how to make XAMPP more secure. See the overview page for all of the security steps.
The first step in securing XAMPP is to use its built-in security page. Notice I said that this is just the first step; there are many more things to do to secure XAMPP, which are detailed on the overview page.
Start Apache and MySQL and go to http://localhost in your browser (on the same machine as your server). If this is your first time browsing the local site, you should now see a webpage with the XAMPP logo and a choice of languages. Click on your preferred language.
This brings you to an XAMPP control page with navigation links in the left sidebar. Click on “Security”. The page may take a moment to load because it is checking your security status. After it loads, you will see various states of your security status and how your server is currently insecure.
To fix the first 3 problems listed on this page (XAMPP pages publicly accessible, MySQL has no password, and phpMyAdmin is freely accessible), scroll down until you see this link: http://localhost/security/xamppsecurity.php. Click on that link. If you don’t have that link, go to that address directly in your browser to reach the page on your local server.
You’ll now see a page titled “Security console MySQL & XAMPP directory protection”. Do the following:
- Enter a password (2 times) for the MySQL SuperUser (root)
- Select “cookie” for “PhpMyAdmin authentification” (this is the default, and I prefer it over HTTP authentication).
- Do not check “Safe plain password in text file?”
- Record this password in a safe place so you don’t forget it.
- Click the button “Password changing”.
If done correctly, you should get this message: “The root password was successfully changed. Please restart MYSQL for loading these changes!”. Go ahead and restart MySQL via the XAMPP control panel (stop it and then start it again).
Now, back on the XAMPP security page, scroll down to “XAMPP DIRECTORY PROTECTION (.htaccess)”. Do the following:
- Enter a username.
- Enter a password.
- Leave unchecked “Safe plain password in text file?”
- Record the username/password in a safe place so you don’t forget it.
- Click the button “Make safe the XAMPP directory”
Check that it was successful by looking above the “XAMPP DIRECTORY PROTECTION (.htaccess)” for this message: “SUCCESS: The XAMPP directory is protected now! All personal data was safed in the following file: C:\xampp\security\xampp.users C:\xampp\htdocs\xampp\.htaccess”.
In the future, you can use this page again to change your MySQL password, but I don’t recommend using it for your XAMPP password since it will erase any users that you may have added for XAMPP access. If you are the only user for the XAMPP pages, then it is OK to use this form to enter a new password.
You can relaunch the security page to see what XAMPP thinks of your security now. To do this, click on “Security” in the left sidebar. The top 3 items should indicate “Secure” now. If not, you have an issue.
Impacts of your new security and testing it
The security step that you just performed means you will need to supply a username and password when accessing /xampp and /phpmyadmin. Let’s test that this is the case.
To test that /xampp needs a password:
- Close and reopen your browser (to erase memory of passwords)
- Go to http://localhost/xampp. A window should pop up asking you for a password.
- Log in with the username/password that you created for /xampp access.
- If this brings you to your XAMPP control page, then this test is successful.
To test that /phpmyadmin needs a password:
- Since this password protection is cookie based (unless you chose HTTP authentication), you don’t need to close and reopen your browser.
- Go to http://localhost/phpmyadmin. A web page should appear asking you for a password.
- Enter “root” as your username and give the password that you supplied to the XAMPP security page.
- If this brings you to the phpMyAdmin page, then this test is successful.
- You may also want to try signing out of phpMyAdmin and signing back in. To sign out, click the sign-out button at the top of the left sidebar.
There is a post on the Apache friends forum that advises changing the root user’s username to something other than “root”, to increase your security. See that post for instructions on how to do that if you want to.
How this security was added
For /xampp, the security webpage script created the file c:\xampp\htdocs\xampp\.htaccess, and gave it the following content:
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
This adds Basic Authentication to the /xampp folder, and states that the usernames and passwords are stored in the c:\xampp\security\xampp.users file.
The security script also created a new c:\xampp\security\xampp.users file containing the username and password that you entered. If you examine this file in a text editor, you will see that the password is encrypted. For security purposes, it is important to never make the c:\xampp\security folder accessible via the webserver, or a malicious person could have access to this password file.
For securing phpMyAdmin, the security script did the following:
- Called the PHP function mysqlrootupdate() in c:\xampp\security\htdocs\securefunctions.php. This function communicates with the MySQL database to change the root password.
- Modified your config.inc.php file to change this line:
$cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method (config, http or cookie based)
to this:
$cfg['Servers'][$i]['auth_type'] = 'cookie'; // Authentication method (config, http or cookie based)
in order to enable the cookie-based web page authentication for your /phpmyadmin page.
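The checks below are an added example, not part of the original article or of XAMPP: they parse the .htaccess content and the config.inc.php line shown above and report when the password file sits under the web root or phpMyAdmin is not on cookie/http authentication. The document root C:\xampp\htdocs and all function names are assumptions, and the sample inputs are constructed from the snippets in this article.

```python
import re
from pathlib import PureWindowsPath

DOCROOT = r"C:\xampp\htdocs"  # assumption: Apache's document root on this install
# Constructed samples: the .htaccess and config line as shown in the article.
GOOD_HTACCESS = r'''AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user'''
GOOD_CONFIG = "$cfg['Servers'][$i]['auth_type'] = 'cookie'; // Authentication method"
# Constructed misconfiguration: password file under htdocs, phpMyAdmin on 'config'.
BAD_HTACCESS = GOOD_HTACCESS.replace(r"\security\xampp.users", r"\htdocs\xampp\xampp.users")
BAD_CONFIG = GOOD_CONFIG.replace("'cookie'", "'config'")
AUTH_TYPE_RE = re.compile(
    r"""^[ \t]*\$cfg\['Servers'\]\[\$i\]\['auth_type'\]\s*=\s*['"](\w+)['"]""", re.M)

def parse_htaccess(text):
    """Map lowercased directive name -> argument for one-line directives."""
    directives = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return directives

def phpmyadmin_auth_type(config_text):
    """Return the last uncommented auth_type assignment, or None if absent."""
    values = AUTH_TYPE_RE.findall(config_text)
    return values[-1] if values else None

def audit(htaccess_text, docroot, config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    d = parse_htaccess(htaccess_text)
    for name, want in (("authtype", "basic"), ("require", "valid-user")):
        if d.get(name, "").lower() != want:
            findings.append(".htaccess lacks '%s %s'" % (name, want))
    users = d.get("authuserfile", "")
    if not users:
        findings.append("no AuthUserFile in .htaccess")
    elif PureWindowsPath(docroot) in PureWindowsPath(users).parents:
        # PureWindowsPath compares case-insensitively, as Windows does
        findings.append("password file is inside the document root: " + users)
    auth = phpmyadmin_auth_type(config_text)
    if auth not in ("cookie", "http"):
        findings.append("phpMyAdmin auth_type is %r, expected 'cookie' or 'http'" % auth)
    return findings

if __name__ == "__main__":
    print(audit(GOOD_HTACCESS, DOCROOT, GOOD_CONFIG), audit(BAD_HTACCESS, DOCROOT, BAD_CONFIG))
```

To run it against a real install, read the two files from disk and pass their text to `audit()`.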
More Security
Now, we have the first level of security for XAMPP. There are still some holes. Additional folders and users need password protection. Also, the passwords you just created will be sent in cleartext and anyone with a network sniffer can see them. You will need to enable encryption for the transmission of these passwords. See the overview page for instructions on how to do these things.
Next Step
The next step in this tutorial is to remove unused folders.

Say, for which version of XAMPP does this work? I cannot find sth. like /security/xamppsecurity.php in version XAMPP 1.6.6 for linux.
Regards
This article was written using XAMPP version 1.6.2 on Windows. I never tried it on Linux.
Worked like a charm in my WAMP server! (intranet.. hosting in a Windows XP hehe) Right what I needed, and the top search in Google
thanks Rob!!
Hi,
This was the absolute BEST help guide on the php password on the ENTIRE web! Thanks a zillion!
YE is Here!
Hi
I have to say, this is the best tutorial ever, both for novice or proper developers.
It’s straightforward and step by step.
Thanks Very much Rob.
When I click localhost it won’t load. What am I doing wrong?
Yeh: Perhaps you have not started Apache? Try launching the XAMPP control panel and starting Apache.
I can’t log into my localhost after I run the tutorial. I receive this message: Database Error: Unable to connect to the database:Could not connect to MySQL. What went wrong?
Hi, I had set my user and password for my phpmyadmin…and have forgotten what they were…how do I retrieve them? Thanks. I’m locked out.
Thank you for this Great Tutorial!
Does anyone know how to remove this??? I installed XAMPP, made it secure this way, and now that I’ve completely removed XAMPP and installed MAMP, I still get a popup asking for xampp user Authentication when I browse to localhost. On a Mac with Leopard.
Great tutorial. So good that I have locked myself out. I put in http://localhost/administrator/login.php and can’t get the following error:
Database Error: Unable to connect to the database:Could not connect to MySQL
Did I miss something here?
I found that when I put my password for the mysql database in the configuration file in htdocs that allowed me to get into http://localhost/administrator/ the same as always.
Cheryl
Hello, it’s a great tutorial for newbies like me, but I have a major problem.
Whenever I click the security link in the XAMPP control panel, I get the following msg:
Warning: include(lang/pt_br.php) [function.include]: failed to open stream: No such file or directory in F:\xampp\security\htdocs\index.php on line 13
Warning: include() [function.include]: Failed opening ‘lang/pt_br.php’ for inclusion (include_path=’.;F:\xampp\php\pear\’) in F:\xampp\security\htdocs\index.php on line 13
Is it possible to give some help? I’m using version 1.7 running on Windows.
Thank you
Hi all,
problem solved, just renamed pt lang to pt_br. Now following
your tutorials. Many thanks for them,
regards.
Hi Rob,
first of all, you have a really nice guide here, keep up the good work!
I would like to add some more details on this first step. Folder protection through the built in security page still leaves a small security hole. Indeed, anyone that has access to the PHYSICAL host can access the security page without username/password. This is because the “” directive in httpd.conf contains “AllowOverride None” (which disables .htaccess files usage in any directory) while the “” directive in httpd-xampp.conf does not contain an “AllowOverride All” (or similar) directive (which enables .htaccess files usage in that specific directory). This is only a localhost access problem because network access to the security page is disabled thanks to the “Deny from all Allow from localhost” directives within “”.
I also found that changing the “PhpMyAdmin authentification” (from http to cookie) after having set it once (to http) and without changing the password does not work (the config.inc.php remains unmodified). However, I did not investigate this problem further.
aaarghh, there was a problem with some missing characters, sorry, here is the full version
Hi Rob,
first of all, you have a really nice guide here, keep up the good work!
I would like to add some more details on this first step. Folder protection through the built in security page still leaves a small security hole. Indeed, anyone that has access to the PHYSICAL host can access the security page without username/password. This is because the “Directory “C:/xampp/htdocs”" directive in httpd.conf contains “AllowOverride None” (which disables .htaccess files usage in any directory) while the “Directory “C:/xampp/security/htdocs”" directive in httpd-xampp.conf does not contain an “AllowOverride All” (or similar) directive (which enables .htaccess files usage in that specific directory). This is only a localhost access problem because network access to the security page is disabled thanks to the “Deny from all Allow from localhost” directives within “Directory “C:/xampp/security/htdocs”".
I also found that changing the “PhpMyAdmin authentification” (from http to cookie) after having set it once (to http) and without changing the password does not work (the config.inc.php remains unmodified). However, I did not investigate this problem further.
Wrong cut and paste….. There should be “Directory /” where I wrote “Directory “C:/xampp/htdocs”"
Hi Rob, thanks for the guide. I had to do some things slightly different because I’m on Mac OS X but it seems to have worked. On the xampp security page all are showing the green Secure image. One problem though. PhpMyAdmin now gets this: #1045 - Access denied for user 'root'@'localhost' (using password: NO) . How do I go about setting the new password for this? Thanks for a good tutorial.
I was a bit quick off the mark with the above. I have now sorted it out. Simply edited the phpmyadmin config.inc.php file to have the new mysql password, i.e. $cfg['Servers'][$i]['password'] = 'xxxxxx99999'; Hope this helps anyone else who got similar problems. Cheers.
Hi,
I tried to do what is said above.
The phpmyadmin works fine. But my page is not working. When I try to open http://localhost/xampp/ it gives an error message “Database Error: Unable to connect to the database:Could not connect to MySQL”.
Can any one of you please help?
thanks
Thank you for this tutorial. It works for me. Before, I thought changing the password is in privileges under phpMyAdmin, and it gives me an error in accessing my phpMyAdmin, then I have to reinstall XAMPP again. It did a great job… thank you very much
I ran the security scripts in the terminal and added passwords. My problem now is that I get asked for a user name and password. I tried root as the user name but I can’t get back into PHPMyAdmin or xampp. Any idea what user name to use?