Make XAMPP Secure
This is an overview page on making XAMPP more secure. There are/will be links to detailed instructions for each of the security steps. Since my spare time is limited, it may be some time between articles, so stay tuned.
The purpose of this guide is to help you make your XAMPP installation more secure. XAMPP itself already provides some ways to increase security, but even after doing what they include, I have identified some ways to make it more secure. With this guide, I detail steps to add this extra security.
Note that I am only saying that I am increasing security, not making it completely secure. If you try to make XAMPP accessible to the public internet with these security steps, you do so at your own risk. I make no guarantees that I have plugged all security holes.
This instructions here are written for a beginner XAMPP user.
This guide is primarily targeted for Windows machines, but many of the principles can be applied to other OSes such as Linux or MAC OS X.
Security Summary
XAMPP states on its site that when you first install this software, the default configuration is not very secure. However, there are ways for you to modify this default configuration to give increased security.
The security measures that will be covered in this guide are:
- Use XAMPP Security page to password protect /xampp and phpMyAdmin root user
- Remove unused folders and their entries in config files
- Remove default scripts from cgi-bin directory
- Create “pma” Password Not Covered by the Security Script and Password Protect Other Folders
- Remove default user/passwords included with XAMPP for the FTP server, WebDAV server and web accessible folders
- Encrypt the transmission of passwords
- Setup Apache and MySQL to run under separate user accounts and limit their access to your filesystem.
- Control access to the WebDAV server and FTP server.
- Limit or remove access to /server-info and /server-status
- Disable search engines from listing your site in search results.
- Disable directory listings.
- Remove Apache version info that is given at bottom of error messages
- Remove Apache version info that is given in headers of http:// requests that your browser doesn’t show you
- Further references for even more security.
After much trial and error, I have been successful in applying the above security measures to an XAMPP server on Windows XP. I have taken notes and in my spare time will give step by step guides to accomplish all of these things. My spare time is limited, so it may be a while before I publish all of these articles.
Next Step
Now we can get started securing XAMPP, so let’s move on to using the XAMPP security script.
Good Article, suggestion, and linkage error.
http://www.apachefriends.org/en/xampp.htmlsite
What u are saying is what PHP is all about. Building upon other experience and sharing.
Love your article due to xampp missing this.
Imagine xamp have install and so many questions from newbie to install. Now, with your article, u support xamp. U also learn, improve and share xamp security knowledge.
Some suggestion: max length password, user?
If length reasonable, mention to combine words with number. (Security 101)
Removing folder (unnecessary)is not only security issue but good housekeeping - save diskspace that u might need later. I know u are saying keep simple when we do not time to know if coding is malicious.
Thanks Mike for your feedback and pointing me to an error in that link. It is now fixed.
Too bad I cannot edit. so adding additonal comment. Secured password can also accept som special characters. Write your password in 3 secured places. If paranoid, places where your computer is not located.
Enter comment to test linkage problem. IF u do not have error, change enviroment for zero comment and that is a better test. Testing 101, remember all details of enviromentt to recreate. Tx
We have a site running at the moment that we cant really stop XAMPP for, would any of these steps require stopping XAMPP?
Im most interested in the security script one, will this need me to stop it?
Cheers
Some of the steps do require stopping and restarting XAMPP, but others don’t. XAMPP will only be offline momentarily while it stops and starts again.
For the security script, you don’t need to restart Apache, but you do need to restart MySQL after you enter in a root password.
For blocking access to folders in the Apache config files, you do need to restart Apache if you use the method I described. However, if you make the edits in the Apache config to .htaccess files instead of the Apache config files, you can get away without restarting.
For encrypting passwords, if you want to change the SSL key that came with XAMPP, you must restart. Otherwise, if you change .htaccess files instead of config files, you can do it without restarting.
Some of the future steps that I document might require to restart Apache. I’ll make sure to clearly indicate this when I write those articles.
Thanks for the tips, it was very helpful when doing a fresh install. Looking forward to future articles on the topic.
Great check list. The ssl section saved me headaches
Thx heaps !
Is the security script located somewhere else on the MacOSX XAMPP? I am trying to secure XAMPP but every location i have tried to run does not exist…
my security screen /Applications/xampp/xamppfiles/mampp security
but i cant seem to run the ‘mampp’ file located here
[…] http://robsnotebook.com/xampp-security-hardening […]
Fantastic article.
This helped me a lot.
Thanks Rob!
Hi Rob, good job. I know you’re busy. Can you keep working on the article or recommend other website/info?
thanks again,