Make XAMPP Secure

July 6th, 2007

This is an overview page on making XAMPP more secure. There are/will be links to detailed instructions for each of the security steps. Since my spare time is limited, it may be some time between articles, so stay tuned.

The purpose of this guide is to help you make your XAMPP installation more secure. XAMPP itself already provides some ways to increase security, but even after doing what they include, I have identified some ways to make it more secure. With this guide, I detail steps to add this extra security.

Note that I am only saying that I am increasing security, not making it completely secure. If you try to make XAMPP accessible to the public internet with these security steps, you do so at your own risk. I make no guarantees that I have plugged all security holes.

The instructions here are written for a beginner XAMPP user.

This guide is primarily targeted at Windows machines, but many of the principles can be applied to other OSes such as Linux or Mac OS X.

Security Summary

XAMPP states on its site that when you first install this software, the default configuration is not very secure. However, there are ways for you to modify this default configuration to give increased security.

The security measures that will be covered in this guide are:

After much trial and error, I have been successful in applying the above security measures to an XAMPP server on Windows XP. I have taken notes and in my spare time will give step by step guides to accomplish all of these things. My spare time is limited, so it may be a while before I publish all of these articles.

Next Step

Now we can get started securing XAMPP, so let’s move on to using the XAMPP security script.

27 Comments

  1. mike lee on 16 Jul 2007 at 12:19 pm

    Good Article, suggestion, and linkage error.

    http://www.apachefriends.org/en/xampp.htmlsite

    What u are saying is what PHP is all about. Building upon other experience and sharing.
    Love your article due to xampp missing this.
    Imagine xamp have install and so many questions from newbie to install. Now, with your article, u support xamp. U also learn, improve and share xamp security knowledge.

    Some suggestion: max length password, user?
    If length reasonable, mention to combine words with number. (Security 101)

    Removing folder (unnecessary) is not only security issue but good housekeeping – save disk space that u might need later. I know u are saying keep simple when we do not time to know if coding is malicious.

  2. Rob on 16 Jul 2007 at 10:14 pm

    Thanks Mike for your feedback and pointing me to an error in that link. It is now fixed.

  3. mike lee on 19 Jul 2007 at 12:04 am

    Too bad I cannot edit. So adding additional comment. Secured password can also accept some special characters. Write your password in 3 secured places. If paranoid, places where your computer is not located.

    Enter comment to test linkage problem. If u do not have error, change environment for zero comment and that is a better test. Testing 101, remember all details of environment to recreate. Tx

  4. Liam on 19 Jul 2007 at 8:42 am

    We have a site running at the moment that we can’t really stop XAMPP for, would any of these steps require stopping XAMPP?

    I’m most interested in the security script one, will this need me to stop it?

    Cheers

  5. Rob on 19 Jul 2007 at 1:12 pm

    Some of the steps do require stopping and restarting XAMPP, but others don’t. XAMPP will only be offline momentarily while it stops and starts again.

    For the security script, you don’t need to restart Apache, but you do need to restart MySQL after you enter in a root password.

    For blocking access to folders in the Apache config files, you do need to restart Apache if you use the method I described. However, if you make the edits in the Apache config to .htaccess files instead of the Apache config files, you can get away without restarting.

    For encrypting passwords, if you want to change the SSL key that came with XAMPP, you must restart. Otherwise, if you change .htaccess files instead of config files, you can do it without restarting.

    Some of the future steps that I document might require to restart Apache. I’ll make sure to clearly indicate this when I write those articles.

  6. CH on 23 Aug 2007 at 1:22 am

    Thanks for the tips, it was very helpful when doing a fresh install. Looking forward to future articles on the topic.

  7. Piotr on 29 Aug 2007 at 3:22 pm

    Great check list. The ssl section saved me headaches
    Thx heaps !

  8. Tomp on 21 Jan 2008 at 7:51 am

    Is the security script located somewhere else on the MacOSX XAMPP? I am trying to secure XAMPP but every location I have tried to run does not exist…

    my security screen /Applications/xampp/xamppfiles/mampp security

    but I can’t seem to run the ‘mampp’ file located here

  9. [...] http://robsnotebook.com/xampp-security-hardening [...]

  10. tiptop on 27 Feb 2008 at 11:12 pm

    Fantastic article.
    This helped me a lot.
    Thanks Rob!

  11. kenny on 08 Aug 2008 at 1:25 am

    Hi Rob, good job. I know you’re busy. Can you keep working on the article or recommend other website/info?

    thanks again,

  12. XAMPP Security « Mmdmurphy’s Weblog on 24 Feb 2009 at 8:57 pm

    [...] XAMPP Security By mmdmurphy http://robsnotebook.com/xampp-security-hardening [...]

  13. Make XAMPP Secure « Huy’s Blog on 25 Apr 2009 at 8:22 pm

    [...] Link : http://robsnotebook.com/xampp-security-hardening [...]

  14. abdimuna on 27 May 2009 at 8:22 am

    Thanx, for great help man,
    now i’m playing with ma xampp in ma ma

  15. abdimuna on 27 May 2009 at 8:24 am

    Thanx, for great help man,
    now i’m playing with ma xampp in ma mac os x, box

  16. buingthai on 08 Aug 2009 at 4:49 am

    Thank you for your warning to security problems in my website. I saw your text file that you get on my desktop and I want to thank you very much about your warning. I’ll fix it immediately.

  17. Rene Sigma on 10 Sep 2009 at 8:53 am

    Thanks for your warning, I left XAMPP open to the public and I forget, too much work at the power plant… Thanks.

  18. ben on 11 Dec 2009 at 12:52 pm

    Any notation of what version of XAMPP you’re working with?
    I’m finding that with 1.7.2a (mac osx) that the directory tree in general is very different than what you’re listing – I’m a noob however and this is all new territory for me.

  19. Windows, XAMPP, and CYGWIN, | jidd on 13 Feb 2010 at 3:08 am

    [...] and installed, and everything went smooth. Then that same friend gave me a great article regarding XAMPP security. I went through the pointers, and locked things down, and still my hopes were even higher. I even [...]

  20. Mr. Foo on 04 Mar 2010 at 6:20 am

    Securing XAMPP…

    You can read how to secure XAMPP in this article….

  21. Heather on 29 Apr 2010 at 8:44 am

    I did everything covered in your guide, and while I understand the reasons for doing so, I really had no idea what I was doing with the exception of one or two bits! However, it all went smoothly and nothing’s broken! Yay!

  22. [...] installation is not secure.  You can plug some of the security holes by following the instructions here.  We are using XAMPP for convenience and because a more secure solution is not currently [...]

  23. [...] link http://robsnotebook.com/xampp-security-hardening will help you make your XAMPP  local server more secure. Share and [...]

  24. [...] details about installing either packages -because the web is full of it- but don’t forget to harden the security for XAMPP and [...]

  25. Dano on 02 Feb 2011 at 7:46 pm

    Thanks for taking your time to put this together to share with other xampp users!

  26. jons on 07 Mar 2011 at 12:35 pm

    I was struggling to get solution but now i found it!
    Thanks Rob.

  27. [...] network, or a small set of machines. If you install a package such as then look into how to “hardened” [...]
