XAMPP: Remove Unused Folders or Deny Access to Them

June 26th, 2007

This article is part of a series of articles about making XAMPP more secure. See the overview page for all the security measures.

The XAMPP install includes many demos and miscellaneous items. Chances are that for your own development or limited hosting, you don’t need many of these folders and files. They can be safely removed while still allowing your web server to operate normally. To increase your security, it is a good idea to have the bare minimum that you need, this reduces the places where there may be a possible security breach.

If you don’t plan to use these folders, I recommend configuring Apache so that they can’t be accessed. For further security, I additionally recommend deleting these folders entirely.

You can see all the folders that XAMPP is allowing to be visited by searching for “<Directory>” or “Alias” in c:\xampp\apache\conf\httpd.conf and in all the .conf files in c:\xampp\apache\conf\extra”.

Here are the folders that I am referring to:

  • c:\xampp\cgi-bin
  • c:\xampp\security\htdocs
  • c:\xampp\webdav
  • c:\xampp\htdocs\contrib or c:\xampp\contrib
  • c:\xampp\htdocs\fonts
  • c:\xampp\htdocs\forbidden
  • c:\xampp\htdocs\restricted
  • c:\xampp\htdocs\xampp

I recommend keeping the phpMyAdmin and webalizer folders as they are useful. In a future article, I will show you how to add security to these pages so that you can safely keep them.

To deny access to the folders I listed, you need to edit the config file that gives access to that folder. There are 3 config files that give access to the listed folders.

The c:\xampp\webdav folder configuration is in c:\xampp\apache\conf\extra\httpd-dav.conf.

The c:\xampp\cgi-bin folder configuration is in c:\xampp\apache\conf\httpd.conf. If you are not using this folder, it is a very good idea to limit access to it. By default, there is a perl script in here (printenv.pl) that will display the values of your environment variables on a web page. This is great information for a hacker. If you want to leave this folder accessible, I suggest deleting printenv.pl and being careful about what you put in there.

All folder configurations other than c:\xampp\webdav and c:\xampp\cgi-bin are in c:\xampp\apache\conf\extra\httpd-xampp.conf.

Inside each of these config files are parts that look like this:

Alias /web_folder_name c:\\xampp\\...
<Directory c:\\xampp\\...>
    ...
    ...
</Directory>
    

For some folders, there is no “Alias” line.

There are 2 ways you can restrict the access.

The first way is to delete everything between the Alias (or <Directory> if there is no Alias) and </Directory>, removing all trace of this from your config file. This is a good thing to do if you are going to delete these folders and never plan on using them. Note that even if you delete these lines, folders under htdocs (such as c:\xampp\htdocs\xampp) are still accessible if you don’t delete them. If you don’t plan on deleting these folders, you should use the next method.

The second way is less destructive and works for folders under htdocs (even if you don’t delete them). It keeps these folders referenced in the config file, but allows you to deny access to everyone. This way, if you want access at some future point, you can re-enable it. To deny access this way, put this somewhere between <Directory …> and </Directory>:

Order deny, allow
Deny from all

Note that if there is similar “Order”, “Allow from” and “Deny from” already there, you need to get rid of that if you want to use this literally.

In addition, you can add “Allow from” after the “Deny from” to limit access to specific IP addresses. You can also limit access to specific users with passwords. Look at the Apache documentation on mod_access for more details.

For the “forbidden” folder, httpd-xampp.conf actually has a <Directory c:\xampp\htdocs\fonts>, and uses “forbidden” for authentification. I recommend getting rid of all these lines in the config file as well as the forbidden folder (you could also use “Deny from all” if you really want). Note that this folder is under htdocs, so if you just get rid of the lines in the config file and don’t delete the folder, the folder is still accessible. For more information, see http://robsnotebook.com/xampp-forbidden.

For the “restricted” folder, httpd-xampp.conf uses <Location> instead of <Directory>. Delete this as well as the surrounding <IfModule auth_remote_module> </IfModule>

Note that in the httpd-xampp.conf config file, there is a <Directory c:\xampp\contrib> line, but this directory doesn’t exist. Instead, there is a c:\xampp\htdocs\contrib directory. I recommend getting rid of these lines in the config file and deleting the c:\xampp\htdocs\contrib folder.

Next Step

Now that you are done with this step, you are ready to move on to cleaning the cgi-bin folder.

10 Comments

  1. Ivo Roperon 13 May 2008 at 7:17 pm

    You’ll also want to change entries in apache/conf/extra/httpd-ssl.conf to reflect your domain, server root, folder permissions and so forth.

  2. Ericon 20 May 2008 at 12:27 pm

    thanks roper

  3. aftabon 14 May 2009 at 5:19 am

    I can’t uninstall the xampp-win32-1.6.0. I couldn’t find anything in add/remove feature to remove it .

  4. Basilon 25 Sep 2009 at 8:41 am

    Thanks for this v useful help.

    One point that I would note is that there must not be a SPACE between the words > deny, allow

  5. Chazon 16 Apr 2010 at 9:31 am

    My apologies but I’m quite the novice with this stuff…
    I’m a bit confused on what to delete. I just put the “SSLRequireSSL” in some of the places you state to delete text. Is that right?

  6. Chazon 16 Apr 2010 at 9:34 am

    One more thing… I’m not allowing others access to my computer so is any of this required if I’m only using XAMPP to develop my website? Does XAMPP somehow make my computer vulnerable to attacks just by having it on my machine?

  7. samon 21 May 2010 at 8:33 pm

    It is good article but really need more in details as step by step instruction, such as Before and After change examples. Such as Allow and deny stuff.
    Order deny, allow
    Deny from all
    ————————–|
    I will change to
    Order deny, all
    Deny from NO ONE
    Well it still need more clarification.
    Thanks

  8. [...] My server has hacked XAMPP: Remove Unused Folders or Deny Access to Them __________________ Arcade | Account Support | Free Subscription | Paid Subscription | Ranks | [...]

  9. afzaron 04 Jan 2011 at 9:46 pm

    I forgot my username and password for localhost root user. Is there anyway I can retrieve it?

  10. johnon 07 Sep 2011 at 2:27 am

    Hi Sir Rob, how can you connect phpmyadmin to another computer by typing the ip_address/phpmyadmin in web browser.
    I tried to change httpd-xampp.conf in ” Allow from 127.0.0.1/8 to Allow from all ” but I can’t still access the phpmyadmin.
    Thanks in advance!

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.