XAMPP: Remove Unused Folders or Deny Access to Them
The XAMPP install includes many demos and miscellaneous items. Chances are that for your own development or limited hosting, you don’t need many of these folders and files. They can be safely removed while still allowing your web server to operate normally. To increase your security, it is a good idea to have only the bare minimum that you need; this reduces the number of places where a security breach could occur.
If you don’t plan to use these folders, I recommend configuring Apache so that they can’t be accessed. For further security, I additionally recommend deleting these folders entirely.
You can see all the folders that XAMPP is allowing to be visited by searching for “<Directory>” or “Alias” in c:\xampp\apache\conf\httpd.conf and in all the .conf files in c:\xampp\apache\conf\extra.
Here are the folders that I am referring to:
- c:\xampp\htdocs\contrib or c:\xampp\contrib
I recommend keeping the phpMyAdmin and webalizer folders as they are useful. In a future article, I will show you how to add security to these pages so that you can safely keep them.
To deny access to the folders I listed, you need to edit the config file that gives access to that folder. There are 3 config files that give access to the listed folders.
The c:\xampp\webdav folder configuration is in c:\xampp\apache\conf\extra\httpd-dav.conf.
The c:\xampp\cgi-bin folder configuration is in c:\xampp\apache\conf\httpd.conf. If you are not using this folder, it is a very good idea to limit access to it. By default, there is a perl script in here (printenv.pl) that will display the values of your environment variables on a web page. This is great information for a hacker. If you want to leave this folder accessible, I suggest deleting printenv.pl and being careful about what you put in there.
All folder configurations other than c:\xampp\webdav and c:\xampp\cgi-bin are in c:\xampp\apache\conf\extra\httpd-xampp.conf.
Inside each of these config files are parts that look like this:
Alias /web_folder_name c:\\xampp\\...
<Directory c:\\xampp\\...>
...
...
</Directory>
For some folders, there is no “Alias” line.
There are 2 ways you can restrict the access.
The first way is to delete everything between the Alias (or <Directory> if there is no Alias) and </Directory>, removing all trace of this from your config file. This is a good thing to do if you are going to delete these folders and never plan on using them. Note that even if you delete these lines, folders under htdocs (such as c:\xampp\htdocs\xampp) are still accessible if you don’t delete them. If you don’t plan on deleting these folders, you should use the next method.
The second way is less destructive and works for folders under htdocs (even if you don’t delete them). It keeps these folders referenced in the config file, but allows you to deny access to everyone. This way, if you want access at some future point, you can re-enable it. To deny access this way, put this somewhere between <Directory …> and </Directory>:
Order deny,allow
Deny from all
Note that the two keywords of the Order directive are separated by a comma only, with no space. If similar “Order”, “Allow from” and “Deny from” lines are already present in that block, you need to remove them if you want to use these lines literally.
In addition, you can add “Allow from” after the “Deny from” to limit access to specific IP addresses. You can also limit access to specific users with passwords. Look at the Apache documentation on mod_access for more details.
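As an added check that is not part of the original article, the following Python script parses the <Directory> blocks out of config text like the fragments above and reports, using Apache 2.2 Order/Allow/Deny rules, which folders are still reachable by everyone, which are limited to specific addresses, and which are denied outright. The sample config is constructed for the example and is not a copy of any real XAMPP file.

```python
import re

# Constructed sample in the style of the httpd-xampp.conf fragments above.
SAMPLE_CONF = """
Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
Alias /contrib "C:/xampp/htdocs/contrib/"
<Directory "C:/xampp/htdocs/contrib">
    Order allow,deny
    Allow from all
</Directory>
<Directory "C:/xampp/cgi-bin">
    AllowOverride None
</Directory>
<Directory "C:/xampp/webdav">
    Order deny,allow
    Deny from all
</Directory>
"""

BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)

def block_status(body):
    """Classify one <Directory> body for an arbitrary remote client (Apache 2.2 rules)."""
    order, deny_all, allow_all, allow_some = 'deny,allow', False, False, False
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.fullmatch(r'order\s+(\S+)', line, re.I)
        if m:
            order = m.group(1).lower()          # Order Deny,Allow is the default
        elif re.fullmatch(r'deny\s+from\s+all', line, re.I):
            deny_all = True
        elif re.fullmatch(r'allow\s+from\s+all', line, re.I):
            allow_all = True
        elif re.match(r'allow\s+from\s+', line, re.I):
            allow_some = True                   # Allow from <specific hosts>
    if order == 'allow,deny':
        everyone = allow_all and not deny_all   # default deny; Deny wins ties
    else:
        everyone = not deny_all or allow_all    # default allow; Allow wins ties
    if everyone:
        return 'open'
    # Under Order allow,deny a "Deny from all" overrides even specific Allow lines.
    return 'restricted' if allow_some and not (order == 'allow,deny' and deny_all) else 'denied'

def audit_directories(conf_text):
    """Map each <Directory> path to 'open', 'restricted' or 'denied'."""
    return {path: block_status(body) for path, body in BLOCK_RE.findall(conf_text)}
```

Run `audit_directories(open(path).read())` against your own httpd.conf and the extra/*.conf files; every path reported as 'open' is one you should either delete or deny as described above.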
For the “forbidden” folder, httpd-xampp.conf actually has a <Directory c:\xampp\htdocs\fonts>, and uses “forbidden” for authentication. I recommend getting rid of all these lines in the config file as well as the forbidden folder (you could also use “Deny from all” if you really want). Note that this folder is under htdocs, so if you just get rid of the lines in the config file and don’t delete the folder, the folder is still accessible. For more information, see http://robsnotebook.com/xampp-forbidden.
For the “restricted” folder, httpd-xampp.conf uses <Location> instead of <Directory>. Delete this as well as the surrounding <IfModule auth_remote_module> </IfModule>.
Note that in the httpd-xampp.conf config file, there is a <Directory c:\xampp\contrib> line, but this directory doesn’t exist. Instead, there is a c:\xampp\htdocs\contrib directory. I recommend getting rid of these lines in the config file and deleting the c:\xampp\htdocs\contrib folder.
Now that you are done with this step, you are ready to move on to cleaning the cgi-bin folder.