Make XAMPP Secure
This is an overview page on making XAMPP more secure. There are, or will be, links to detailed instructions for each of the security steps. Since my spare time is limited, it may be some time between articles, so stay tuned.
The purpose of this guide is to help you make your XAMPP installation more secure. XAMPP itself ships with some tools for tightening security, but even after applying them there are further steps worth taking. This guide walks through those extra steps.
Note that I am only saying that I am increasing security, not making it completely secure. If you try to make XAMPP accessible to the public internet with these security steps, you do so at your own risk. I make no guarantees that I have plugged all security holes.
These instructions are written for a beginner XAMPP user.
This guide is primarily targeted at Windows machines, but many of the principles can be applied to other OSes such as Linux or Mac OS X.
XAMPP states on its own site that the default configuration you get right after installing is not very secure. However, there are ways to modify that default configuration to give increased security.
The security measures that will be covered in this guide are:
- Use the XAMPP Security page to password-protect /xampp and the phpMyAdmin root user
- Remove unused folders and their entries in the config files
- Remove the default scripts from the cgi-bin directory
- Create a “pma” password, which the security script does not cover, and password-protect other folders
- Remove the default usernames/passwords included with XAMPP for the FTP server, the WebDAV server and web-accessible folders
- Encrypt the transmission of passwords
- Set up Apache and MySQL to run under separate user accounts and limit their access to your filesystem
- Control access to the WebDAV server and FTP server
- Limit or remove access to /server-info and /server-status
- Prevent search engines from listing your site in search results
- Disable directory listings
- Remove the Apache version info shown at the bottom of error messages
- Remove the Apache version info sent in the HTTP response headers, which your browser doesn’t show you
- Further references for even more security
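Several of the items above are plain Apache configuration changes. As an added example (not the author's configuration and not part of the original page), here is an httpd.conf fragment that covers the Apache-side items: the version-disclosure settings, the default cgi-bin alias, restricted /server-status and /server-info, directory listings, a search-engine noindex header and a password-protected /xampp folder. It assumes Apache 2.4 syntax (`Require ...`) and the default install path C:/xampp; the htpasswd file path and the admin user name are assumptions for the example. Older XAMPP builds of the Windows XP era ship Apache 2.2, where the access-control lines are `Order deny,allow` / `Deny from all` / `Allow from 127.0.0.1` instead, as noted in the comments.

```apache
# Added example: hardened httpd.conf fragment for a default XAMPP install.
# Assumes Apache 2.4 syntax and the default install path C:/xampp.
# On Apache 2.2 (older XAMPP builds) replace each "Require ip ..." with
#   Order deny,allow
#   Deny from all
#   Allow from 127.0.0.1
# and "Require all granted" with "Order allow,deny" / "Allow from all".
# Each weak default is shown commented out above its hardened replacement.

# --- Version disclosure ---------------------------------------------------
# ServerTokens Full      # default: "Server: Apache/2.x.y (Win32) OpenSSL/... PHP/..."
ServerTokens Prod        # header becomes just "Server: Apache"
# ServerSignature On     # default: version line at the bottom of error pages
ServerSignature Off

# --- Default CGI scripts --------------------------------------------------
# The stock alias exposes the sample scripts under C:/xampp/cgi-bin.
# Comment it out (and delete the directory's contents) if you do not use CGI.
# ScriptAlias /cgi-bin/ "C:/xampp/cgi-bin/"

# --- /server-status and /server-info --------------------------------------
# Either disable the modules entirely ...
# LoadModule status_module modules/mod_status.so
# LoadModule info_module modules/mod_info.so
# ... or keep them but restrict them to the local machine.
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1
</Location>
<Location "/server-info">
    SetHandler server-info
    Require ip 127.0.0.1 ::1
</Location>

# --- Directory listings ---------------------------------------------------
<Directory "C:/xampp/htdocs">
    # Options Indexes FollowSymLinks Includes ExecCGI   # typical XAMPP default
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# --- Search engines -------------------------------------------------------
# Ask crawlers not to index anything; needs mod_headers to be loaded.
# A robots.txt in htdocs achieves the same for well-behaved crawlers.
<IfModule headers_module>
    Header set X-Robots-Tag "noindex, nofollow"
</IfModule>

# --- Password-protected admin folder --------------------------------------
# Restrict /xampp to localhost AND require a password. The user file is an
# assumed path for this example; create it with
#   htpasswd -c C:/xampp/security/xampp.users admin
<Directory "C:/xampp/htdocs/xampp">
    AuthType Basic
    AuthName "XAMPP admin"
    AuthUserFile "C:/xampp/security/xampp.users"
    Require valid-user
    Require ip 127.0.0.1 ::1
</Directory>
```

Two practical checks after restarting Apache: `curl -I http://localhost/` should show only `Server: Apache`, and requesting /server-status from another machine should return 403. Note that HTTP Basic auth only base64-encodes the password, so the last block is worth little over plain HTTP; pair it with the HTTPS virtual host, which is the "encrypt the transmission of passwords" item in the list.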
After much trial and error, I have successfully applied all of the above security measures to an XAMPP server on Windows XP. I have taken notes and, as my limited spare time allows, will publish step-by-step guides for each of them.
Now we can get started securing XAMPP, so let’s move on to using the XAMPP security script.