Use XAMPP Security Script to Password Protect /xampp and phpMyAdmin root User

Rob July 6th, 2007

This article is part of a series of articles that I’m writing on how to make XAMPP more secure. See the overview page for all of the security steps.

The first step in securing XAMPP is to use its built-in security page. Notice I said that this is just the first step; there are many more things to do to secure XAMPP, which are detailed on the overview page.

Start Apache and MySQL and go to http://localhost in your browser (on the same machine as your server). If this is your first time browsing the local site, you should now see a webpage with the XAMPP logo and a choice of languages. Click on your preferred language.

This brings you to an XAMPP control page with navigation links in the left sidebar. Click on “Security”. The page may take a moment to load because it is checking your security status. After it loads, you will see a table of security checks and which ones your server currently fails.

To fix the first 3 problems listed on this page (XAMPP pages publicly accessible, MySQL root has no password, and phpMyAdmin is freely accessible), scroll down until you see the link http://localhost/security/xamppsecurity.php and click on it. If you don’t see that link, type that URL directly into your browser on the server machine.

You’ll now see a page titled “Security console MySQL & XAMPP directory protection”. Do the following:

  1. Enter a password (2 times) for the MySQL SuperUser (root).
  2. Select “cookie” for “PhpMyAdmin authentification” (this is the default, and I prefer it over HTTP authentication).
  3. Do not check “Safe plain password in text file?” (checking it writes your new password to disk in cleartext).
  4. Record this password in a safe place so you don’t forget it.
  5. Click the button “Password changing”.

If done correctly, you should get this message “The root password was successfully changed. Please restart MYSQL for loading these changes!”. Go ahead and restart MySQL via the XAMPP control panel (stop it and then start it again).

Now, back on the XAMPP security page, scroll down to “XAMPP DIRECTORY PROTECTION (.htaccess)”. Do the following:

  1. Enter a username.
  2. Enter a password.
  3. Leave unchecked “Safe plain password in text file?” (again, checking it saves a cleartext copy of the password).
  4. Record the username/password in a safe place so you don’t forget it.
  5. Click the button “Make safe the XAMPP directory”

Check that it was successful by looking above the “XAMPP DIRECTORY PROTECTION (.htaccess)” for this message: “SUCCESS: The XAMPP directory is protected now! All personal data was safed in the following file: C:\xampp\security\xampp.users C:\xampp\htdocs\xampp\.htaccess”.

In the future, you can use this page again to change your MySQL password, but I don’t recommend using it for your XAMPP password since it rewrites the users file and erases any users that you may have added for XAMPP access. If you are the only user for the XAMPP pages, then it is fine to use this form to enter a new password.

You can relaunch the security page to see what XAMPP thinks of your security now. To do this, click on “Security” in the left sidebar. The top 3 items should now show “Secure”. If not, go back through the steps above.

Impacts of your new security and testing it

The security step that you just performed means you will need to supply a username and password when accessing /xampp and /phpmyadmin. Let’s test that this is the case.

To test that /xampp needs a password:

  1. Close and reopen your browser (browsers cache Basic Authentication credentials for the whole session, so this is the only reliable way to be prompted again).
  2. Go to http://localhost/xampp, a window should pop up asking you for a password.
  3. Log in with the username/password that you created for /xampp access.
  4. If this brings you to your XAMPP control page, then this test is successful.

To test that /phpmyadmin needs a password:

  1. Since this password protection is cookie based (unless you chose HTTP authentication), you don’t need to close and reopen your browser.
  2. Go to http://localhost/phpmyadmin, a web page should pop up asking you for a password.
  3. Enter “root” as your username and give the password that you supplied to the XAMPP security page.
  4. If this brings you to the phpMyAdmin page, then this test is successful.
  5. You may also want to try signing out of phpMyAdmin and signing back in. To sign out, click the Exit button at the top of the left sidebar.

There is a post on the Apache friends forum that advises to change the root user’s username to something other than “root”, to increase your security. See that post for instructions on how to do that if you want to.

How this security was added

For /xampp, the security webpage script created the file c:\xampp\htdocs\xampp\.htaccess and gave it the following content:

AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user

This adds HTTP Basic Authentication to the /xampp folder and tells Apache that the usernames and password hashes are stored in the c:\xampp\security\xampp.users file.

The security script also created a new c:\xampp\security\xampp.users file containing the username and password that you entered. If you examine this file in a text editor, you will see that the password is not stored in cleartext but as a salted one-way hash in htpasswd format; Apache checks a login by hashing what the browser sent and comparing it with the stored value. For security purposes, it is important to never make the c:\xampp\security folder accessible via the webserver (it deliberately sits outside htdocs), or a malicious person could download this password file and attack the hashes offline.
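As an added example (not code from the original post or from XAMPP), here is what Apache effectively does with that .htaccess and users file, written out in Python: build a users-file line from a password, decode the Authorization header the browser sends, and check it against the stored hash. It assumes the users-file lines are in the APR1-MD5 ("$apr1$") format that htpasswd defaults to on Windows Apache; the page does not show the exact format XAMPP's script wrote, so a real xampp.users may use a different crypt variant. The users file and the Authorization headers are constructed samples.

```python
"""Added example (not from the original post or XAMPP): what Apache does with the
.htaccess + xampp.users pair the security script wrote. Assumes APR1-MD5 lines,
the htpasswd default on Windows Apache (the post does not state the format);
the users file and Authorization headers are constructed samples."""
import base64
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    """crypt(3)-style base-64 used by htpasswd: 6 bits per character, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def apr1_md5(password: str, salt: str) -> str:
    """APR1-MD5 as in apr_md5_encode(): salted MD5 with 1000 stretching rounds."""
    pw = password.encode("utf-8")
    sb = salt[:8].encode("ascii")  # htpasswd uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:  # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds, exactly as APR orders them
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = (_to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
           + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
           + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
           + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
           + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
           + _to64(final[11], 2))
    return "$apr1$" + sb.decode("ascii") + "$" + enc

def htpasswd_line(user: str, password: str) -> str:
    """One xampp.users line: only salt and hash are written, never the password."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return user + ":" + apr1_md5(password, salt)

def verify_apr1(password: str, stored: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_md5(password, parts[2]), stored)

def load_users(text: str) -> dict:
    """Parse the user:hash lines that AuthUserFile points at."""
    pairs = (l.partition(":") for l in text.splitlines() if ":" in l and not l.startswith("#"))
    return {u.strip(): h.strip() for u, _, h in pairs}

def basic_header(user: str, password: str) -> str:
    """What the browser sends after the prompt: base64 of user:password, not encryption."""
    return "Basic " + base64.b64encode((user + ":" + password).encode("utf-8")).decode("ascii")

def credentials_from_header(header: str):
    """A sniffer on plain HTTP recovers both values with a single decode."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password

def authorize(header: str, users_file_text: str) -> bool:
    """What 'require valid-user' amounts to for a single request."""
    creds = credentials_from_header(header)
    if creds is None:
        return False
    stored = load_users(users_file_text).get(creds[0])
    return stored is not None and verify_apr1(creds[1], stored)

# Constructed sample users file: one user, as the script would write it for you.
SAMPLE_USERS = htpasswd_line("rob", "correct horse battery") + "\n"
```

Calling `authorize(basic_header("rob", "correct horse battery"), SAMPLE_USERS)` returns True and any other password returns False, while `SAMPLE_USERS` itself never contains the password. `credentials_from_header` is the part worth dwelling on: it is the whole "protection" of the header on the wire, which is why the HTTPS step later on the overview page matters.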

For securing phpMyAdmin, the security script did the following:

  1. Called the PHP function mysqlrootupdate() in c:\xampp\security\htdocs\securefunctions.php. This function connects to the MySQL server and changes the root password.
  2. Modified your config.inc.php file to change this line:
    $cfg['Servers'][$i]['auth_type']     = 'config';    // Authentication method (config, http or cookie based)

    to this:

    $cfg['Servers'][$i]['auth_type']     = 'cookie';      // Authentication method (config, http or cookie based)

    in order to enable the cookie-based login page for /phpmyadmin. With “config”, phpMyAdmin had been logging every visitor in as root using the credentials stored in that file, which is why the security page reported it as freely accessible.
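To check that the two edits above actually landed (and to catch the ways they usually go wrong: a users file placed under htdocs, a missing “require valid-user”, or “config” auth still in place), here is a small audit in Python. It is an added example, not part of the original post or of XAMPP. The config.inc.php and .htaccess contents are constructed before/after samples, and the web-root path follows the C:\xampp layout the post uses.

```python
"""Added example (not from the original post or XAMPP): audit the files the
XAMPP security script changed for the settings the post describes. File
contents are constructed before/after samples; the web root assumes C:\\xampp."""
import re

AUTH_TYPE_RE = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['auth_type'\]\s*=\s*'(\w+)'")
PASSWORD_RE = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['password'\]\s*=\s*'([^']*)'")

def audit_phpmyadmin(config_text: str) -> list:
    """'config' auth logs every visitor in with the credentials stored in the file."""
    findings = []
    m = AUTH_TYPE_RE.search(config_text)
    if m is None:
        findings.append("auth_type not set explicitly; set it to 'cookie'")
    elif m.group(1) == "config":
        findings.append("auth_type is 'config': /phpmyadmin needs no login at all")
    elif PASSWORD_RE.search(config_text):
        findings.append("a ['password'] entry is still present; remove it so root's password is not on disk")
    return findings

def audit_htaccess(htaccess_text: str, web_root: str) -> list:
    """The three directives the page relies on, plus where the users file lives."""
    findings = []
    flags = re.M | re.I
    if not re.search(r"^\s*AuthType\s+Basic\b", htaccess_text, flags):
        findings.append("missing 'AuthType Basic'")
    if not re.search(r"^\s*require\s+valid-user\b", htaccess_text, flags):
        findings.append("missing 'require valid-user': nothing is enforced")
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\r\n]+?)"?\s*$', htaccess_text, flags)
    if m is None:
        findings.append("missing AuthUserFile")
    else:
        path = m.group(1).replace("/", "\\").lower()
        root = web_root.replace("/", "\\").lower().rstrip("\\") + "\\"
        if path.startswith(root):
            findings.append("AuthUserFile " + m.group(1) + " lies under the web root and can be downloaded")
    return findings

# Constructed samples: config.inc.php before and after the script's edit.
BEFORE_CONFIG = """
$cfg['Servers'][$i]['auth_type']     = 'config';    // Authentication method (config, http or cookie based)
$cfg['Servers'][$i]['user']          = 'root';
$cfg['Servers'][$i]['password']      = '';
"""
AFTER_CONFIG = """
$cfg['Servers'][$i]['auth_type']     = 'cookie';    // Authentication method (config, http or cookie based)
$cfg['Servers'][$i]['user']          = 'root';
"""
# Constructed samples: the .htaccess the script writes, and a broken variant.
GOOD_HTACCESS = (
    'AuthName "xampp user"\n'
    'AuthType Basic\n'
    'AuthUserFile "C:\\xampp\\security\\xampp.users"\n'
    'require valid-user\n'
)
BAD_HTACCESS = (
    'AuthName "xampp user"\n'
    'AuthType Basic\n'
    'AuthUserFile "C:\\xampp\\htdocs\\xampp\\users.txt"\n'
)
WEB_ROOT = "C:\\xampp\\htdocs"

if __name__ == "__main__":
    for name, result in [("phpMyAdmin before", audit_phpmyadmin(BEFORE_CONFIG)),
                         ("phpMyAdmin after", audit_phpmyadmin(AFTER_CONFIG)),
                         (".htaccess good", audit_htaccess(GOOD_HTACCESS, WEB_ROOT)),
                         (".htaccess bad", audit_htaccess(BAD_HTACCESS, WEB_ROOT))]:
        print(name, "->", result or "OK")
```

On a real install you would read C:\xampp\phpMyAdmin\config.inc.php and C:\xampp\htdocs\xampp\.htaccess into the two functions instead of the samples; the “before” config and the broken .htaccess each produce findings, the “after” versions produce none.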

More Security

Now we have the first level of security for XAMPP. There are still some holes. Additional folders and users need password protection. Also, the passwords you just created are sent over plain HTTP: Basic Authentication only base64-encodes the username and password, and the phpMyAdmin cookie login form posts the root password in the request body, so anyone with a network sniffer between the browser and the server can read them. You will need to enable SSL (HTTPS) for the transmission of these passwords. See the overview page for instructions on how to do these things.

Next Step

The next step in this tutorial is to remove unused folders.

8 Comments

  1. […] http://robsnotebook.com/xampp-builtin-security […]

  2. chk on 23 Mar 2008 at 6:28 am

    Say, for which version of XAMPP does this work? I cannot find something like /security/xamppsecurity.php in version XAMPP 1.6.6 for Linux. :-(
    Regards

  3. Rob on 27 Mar 2008 at 7:08 am

    This article was written using XAMPP version 1.6.2 on Windows. I never tried it on Linux.

  4. charly on 21 Jun 2008 at 1:17 pm

    worked like a charm in my WAMP server! (intranet.. hosting in a Windows XP hehe) right what i needed, and the top search in google :) thanks Rob!!

  5. YE on 09 Jul 2008 at 7:46 pm

    Hi,

    This was the absolute BEST help guide on the php password on the ENTIRE web! Thanks a zillion!

    YE is Here!

  6. Pham on 18 Jul 2008 at 2:33 pm

    Hi

    I have to say, this is the best tutorial ever, both for novice or proper developers.
    Its straight forward and step by step.

    Thanks Very much Rob.

  7. yeh on 06 Aug 2008 at 12:04 pm

    When I click localhost it won't load. What am I doing wrong?

  8. Rob on 07 Aug 2008 at 9:12 am

    Yeh: Perhaps you have not started Apache? Try launching the XAMPP control panel and starting Apache.
