XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories
This article is part of a series of articles about making XAMPP more secure. See the overview page for all the security measures.
The XAMPP built-in security script only password-protects the phpMyAdmin “root” user and the /xampp folder. There are more folders and users that should be protected.
Change the password of the “pma” user in phpMyAdmin
By default, the MySQL database provided by XAMPP contains two users, “root” and “pma”. The “pma” user is the control user that phpMyAdmin uses for its own bookkeeping. You should already have given “root” a password (the built-in security script does that), but “pma” still has a blank password, so anyone who can reach the MySQL port can log in as it without a password. This should be changed.
There are 2 steps involved in changing the password for “pma”. First, you change the password using phpMyAdmin, and then you need to edit the config.inc.php file to let phpMyAdmin know what the password is.
To change the password for “pma”:
- Make sure Apache and MySQL are running.
- On the same machine that Apache is running on, navigate to http://localhost/phpmyadmin
- If you are presented with a login screen, enter username “root” and the password you assigned to it.
- In the phpMyAdmin page, click on “Privileges”
- The next page lists the two users, “pma” and “root”. At the right end of the row for “pma” is the edit (Edit Privileges) icon; click on it to edit the properties for “pma”.
- Scroll down a little on the next page to find the section where you can change the password. I suggest using a password that is different from the one you gave “root”. Type in the passwords as requested and click on “Go” just underneath where you entered them.
Now we need to let the phpMyAdmin config file know what the password is so that phpMyAdmin will continue to work.
Open the file c:\xampp\phpmyadmin\config.inc.php in your favorite text editor. Find this line:
$cfg['Servers'][$i]['controlpass'] = ''; // access to the "mysql/user"
and place the password between the two single quotes on the right side of the “=” (a single quote inside the password has to be written as \' there, since this is a PHP single-quoted string):
$cfg['Servers'][$i]['controlpass'] = 'password'; // access to the "mysql/user"
There is one other place where you need to enter your pma password. This is the file c:\xampp\mysql_stop.bat. By default, its 3rd line is:
mysql\bin\mysqladmin --user=pma --password= shutdown
Add your pma password directly after --password= (the password is the only change):
mysql\bin\mysqladmin --user=pma --password=password shutdown
Note that the password now sits in clear text in both config.inc.php and mysql_stop.bat, so make sure other accounts on the machine cannot read the c:\xampp tree.
Now you are finished setting the password for “pma”. It is a good idea to check that you have done this properly. Log out of phpMyAdmin (the Log out button at the top of the left sidebar), then sign in again, first as “root” and then as “pma”. If you get the error “#1045 – Access denied for user ‘pma’@’localhost’ (using password: NO)”, phpMyAdmin is still connecting as the control user with no password at all, which means the controlpass line in config.inc.php is still blank. The same message with “(using password: YES)” means the line is filled in but does not match the password you gave “pma” in MySQL.
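Because the password now has to match in two files, it is easy to update one and forget the other. The Python script below is an added example written for this article (not phpMyAdmin's or XAMPP's own code): it reads config.inc.php and mysql_stop.bat and reports a blank, missing or mismatched pma password. The file contents embedded in it are constructed to match the lines quoted above, the password “it's-secret” is an assumption chosen to exercise the PHP quote escape, and the parser only handles the single-line forms shown (a password containing spaces would need the .bat line quoted).

```python
"""Check that the "pma" password was entered in both files the article edits:
phpMyAdmin's config.inc.php (the controlpass line) and XAMPP's mysql_stop.bat.

Added example for this article, not code from phpMyAdmin or XAMPP."""
import re
import sys
from typing import List, Optional, Tuple

# $cfg['Servers'][$i]['controlpass'] = 'secret';   (PHP single-quoted string)
_CFG_RE = r"\$cfg\['Servers'\]\[\$i\]\['%s'\]\s*=\s*'((?:\\.|[^'\\])*)'"
CONTROLUSER_RE = re.compile(_CFG_RE % "controluser")
CONTROLPASS_RE = re.compile(_CFG_RE % "controlpass")
# mysql\bin\mysqladmin --user=pma --password=secret shutdown   (the 1.6.x stop script)
STOP_RE = re.compile(r"mysqladmin\s+--user=(\S+)\s+--password=(\S*)\s+shutdown",
                     re.IGNORECASE)

# Constructed sample file contents, modelled on the lines quoted in the article.
# "it's-secret" is an assumed password, chosen to exercise the PHP quote escape.
BEFORE_CONFIG = r"""
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = '';            // access to the "mysql/user"
"""
AFTER_CONFIG = r"""
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'it\'s-secret'; // access to the "mysql/user"
"""
BEFORE_BAT = "@echo off\nmysql\\bin\\mysqladmin --user=pma --password= shutdown\n"
AFTER_BAT = "@echo off\nmysql\\bin\\mysqladmin --user=pma --password=it's-secret shutdown\n"


def _php_unquote(s: str) -> str:
    """Undo the two escapes PHP honours in single-quoted strings: \\' and \\\\."""
    return s.replace("\\'", "'").replace("\\\\", "\\")


def control_credentials(config_inc: str) -> Tuple[Optional[str], Optional[str]]:
    """(controluser, controlpass) from config.inc.php; None where a line is absent."""
    u = CONTROLUSER_RE.search(config_inc)
    p = CONTROLPASS_RE.search(config_inc)
    return (_php_unquote(u.group(1)) if u else None,
            _php_unquote(p.group(1)) if p else None)


def stop_credentials(bat: str) -> Optional[Tuple[str, str]]:
    """(user, password) from the mysqladmin line of mysql_stop.bat, or None."""
    m = STOP_RE.search(bat)
    return (m.group(1), m.group(2)) if m else None


def check(config_inc: str, bat: str) -> List[str]:
    """Return findings; an empty list means both files carry the same non-blank pma password."""
    findings: List[str] = []
    cfg_user, cfg_pass = control_credentials(config_inc)
    if cfg_pass is None:
        findings.append("config.inc.php: no controlpass line found")
    elif cfg_pass == "":
        findings.append("config.inc.php: controlpass is blank; phpMyAdmin will fail with "
                        "#1045 ... (using password: NO)")
    creds = stop_credentials(bat)
    if creds is None:
        findings.append("mysql_stop.bat: no 'mysqladmin --user=... --password=... shutdown' "
                        "line (newer XAMPP releases stop mysqld another way; nothing to edit)")
    else:
        bat_user, bat_pass = creds
        if cfg_user is not None and bat_user != cfg_user:
            findings.append("mysql_stop.bat shuts down as %r but phpMyAdmin's control user is %r"
                            % (bat_user, cfg_user))
        if bat_pass == "":
            findings.append("mysql_stop.bat: --password= is blank; shutdown as %s will be refused"
                            % bat_user)
        elif cfg_pass and bat_pass != cfg_pass:
            findings.append("mysql_stop.bat: password differs from controlpass in config.inc.php")
    return findings


if __name__ == "__main__":
    # Usage: python check_pma.py C:\xampp\phpmyadmin\config.inc.php C:\xampp\mysql_stop.bat
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as cfg, \
                open(sys.argv[2], encoding="utf-8", errors="replace") as bat:
            problems = check(cfg.read(), bat.read())
    else:  # no arguments: run against the constructed "before" samples
        problems = check(BEFORE_CONFIG, BEFORE_BAT)
    print("\n".join(problems) or "OK: pma password is set and consistent")
```

Run it with the two real paths after each edit; the “no mysqladmin line” finding is what you will see on XAMPP releases whose mysql_stop.bat no longer calls mysqladmin, in which case only config.inc.php needs the password.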
Consequence to using XAMPP control panel if pma password is changed
After you change your pma password, you are no longer able to use the XAMPP control panel to stop MySQL: starting it still works, but stopping it via the control panel fails, presumably because the control panel shuts MySQL down the way the original mysql_stop.bat did, as user “pma” with a blank password. To stop MySQL, open a command window (Start->Run “cmd”) and execute c:\xampp\mysql_stop.bat, which now carries the password. When you stop MySQL this way, the XAMPP control panel will reflect that it is stopped.
Password protect /webalizer, /security, and any other XAMPP folders that you decided to keep
If you want to keep the webalizer and security pages of XAMPP, I suggest that you password protect them. You may also want to password protect other XAMPP pages that you have chosen to keep. You can use the same username/password that you chose for the XAMPP pages, which is stored in the c:\xampp\security\xampp.users file.
To protect these folders with the same password that you have for the /xampp folder, add the authentication directives shown below just before the </Directory> line of each folder's block in your Apache config files (the Auth* and require lines are the additions; the rest of the block is already there):
Alias /web_folder_name "C:/xampp/foldername"
<Directory "C:/xampp/foldername">
...
...
AuthType Basic
AuthName "xampp user"
AuthUserFile C:\xampp\security\xampp.users
require valid-user
</Directory>
AuthName is the realm shown in the browser's login prompt; it is not optional, because mod_auth_basic refuses to authenticate without one (you get a 500 error and a “need AuthName” line in the Apache error log instead of a password prompt).
The file to edit to add this text for /security and /webalizer is c:\xampp\apache\conf\extra\httpd-xampp.conf. If you kept some of the other XAMPP folders and want to password protect them, I indicate which config files are used on this page.
In order for these changes in the config files to take effect, you need to stop Apache and restart it. Running the Apache binary in c:\xampp\apache\bin with the -t switch first checks the configuration for syntax errors without touching the running server, which is quicker than finding out at restart.
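As an added check (example code written for this article, not part of XAMPP, Apache or the original post), the Python script below parses the <Directory> blocks of an httpd-xampp.conf-style file and reports, for the folders you name, which of the four Basic-auth directives are still missing. The sample configuration embedded in it is constructed to resemble the 1.6.x file described above; the folder C:/xampp/contrib and the block contents are assumptions, and the parser assumes Directory blocks are not nested, which holds for that file.

```python
"""Report which XAMPP <Directory> blocks in an httpd-xampp.conf-style file still
lack the directives HTTP Basic authentication needs.

Added example for this article, not XAMPP or Apache code."""
import re
import sys
from typing import Dict, Iterable, List, Set

# One <Directory "path"> ... </Directory> block; httpd-xampp.conf does not nest them.
DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>',
                          re.IGNORECASE | re.DOTALL)
# All four are needed: mod_auth_basic refuses to run without an AuthName realm.
REQUIRED = ("AuthType", "AuthName", "AuthUserFile", "Require")

# Constructed sample resembling the 1.6.x file the article describes: /security is
# done correctly, /webalizer is missing its realm, and C:/xampp/contrib (an assumed
# extra folder) was never touched.
SAMPLE_CONF = r'''
Alias /security "C:/xampp/security/htdocs/"
<Directory "C:/xampp/security/htdocs">
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "xampp user"
    AuthUserFile C:\xampp\security\xampp.users
    require valid-user
</Directory>

Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthUserFile C:\xampp\security\xampp.users
    require valid-user
</Directory>

Alias /contrib "C:/xampp/contrib/"
<Directory "C:/xampp/contrib">
    # comment lines are ignored by the parser
    Order allow,deny
    Allow from all
</Directory>
'''


def directory_blocks(conf: str) -> Dict[str, str]:
    """Map each Directory path to the text between its opening and closing tags."""
    return {m.group(1).strip(): m.group(2) for m in DIRECTORY_RE.finditer(conf)}


def directive_names(body: str) -> Set[str]:
    """Lower-cased names of the directives in a block body (Apache directive names
    are case-insensitive); blank and comment lines are skipped."""
    names: Set[str] = set()
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(None, 1)[0].lower())
    return names


def _norm(path: str) -> str:
    """Compare Windows paths loosely: either slash, any case, no trailing slash."""
    return path.replace("\\", "/").rstrip("/").lower()


def audit(conf: str, folders: Iterable[str]) -> Dict[str, List[str]]:
    """For each named folder that has a Directory block, list the required auth
    directives the block lacks; fully protected folders are omitted."""
    wanted = {_norm(f) for f in folders}
    findings: Dict[str, List[str]] = {}
    for path, body in directory_blocks(conf).items():
        if _norm(path) not in wanted:
            continue
        present = directive_names(body)
        missing = [d for d in REQUIRED if d.lower() not in present]
        if missing:
            findings[path] = missing
    return findings


if __name__ == "__main__":
    # Usage: python audit_xampp_auth.py C:\xampp\apache\conf\extra\httpd-xampp.conf C:/xampp/webalizer ...
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            result = audit(f.read(), sys.argv[2:])
    else:  # no arguments: run against the constructed sample
        result = audit(SAMPLE_CONF, ["C:/xampp/security/htdocs",
                                     "C:/xampp/webalizer", "C:/xampp/contrib"])
    for path, missing in result.items():
        print("%s is missing: %s" % (path, ", ".join(missing)))
    if not result:
        print("all named folders carry the four Basic-auth directives")
```

The script only looks at what is written in the conf file; a folder protected through a .htaccess file (as the security script does for /xampp) will still show up as missing, so treat its output as a list of places to look rather than a verdict.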
There are some folders that already have some password protection, and you should leave them alone (if you didn’t already delete them), unless you want them to have the same password as your /xampp folder. If you are running a webdav server, it may be a good idea to keep the separate password file for the webdav server.
There are also some default passwords that XAMPP has created for the /webdav, /restricted, and a /fonts directory (that is protected by /forbidden). Additionally, XAMPP has some default passwords for the FTP and mail servers. I’ll discuss how to change those passwords in a future article.
Next Step
The next step for the tutorial is to remove default usernames and passwords.
The password protection of the security folder doesn’t seem to work. I’m using xampp 1.6.2. Keep up the good work! This is some good stuff!
It works for me. It could be working for you, but you don’t know it. Once you sign in to your regular http://localhost/xampp page, the browser is remembering your password and won’t ask for it on the security page because you already gave it. To really test it, close and reopen your browser so that the browser will forget the password, go to http://localhost/security, and see if you are asked for a password.
Also remember that you need to stop/start Apache after making these changes to your config file in order for them to be effective.
Nice guide. I have done what you indicated for the mySQL users – namely, to add a password to user “pma” and to add a password for “root” through the phpmyadmin interface. Then I went into the config.inc.php file and put the password into the ‘controlpass’ field and also the ‘password’ field for the MySQL user “root”. I can get in and out of phpmyadmin fine, and the mysql service can start, but if I look on the xampp status page, it shows the mysql database as deactivated. What gives?
Your tutorial is very interesting.
I’ve applied your recommendation. I’m using xampp 1.6.2. In the file ‘c:\xampp\apache\conf\extra\httpd-xampp.conf’ your directive led to a syntax error when launching apache. After a while I found that the line indicating the xampp.users should not contain the " characters.
AuthType Basic
AuthUserFile C:\xampp\security\xampp.users
require valid-user
jls: Thanks for your comment. On my setup, I had no problem with having the quotation marks around the line with xampp.users. I tried removing them, and also had no problem. Therefore, I changed this page to remove those quotation marks, thinking that if you had a problem, others may also have one.
Josh: I’m a little confused when you say that you added a password for “root” through the phpmyadmin interface. My guide only has you adding a password for pma through phpMyAdmin, and uses the builtin XAMPP security script for adding the password for root. In fact, if you are using “cookie” based authentication, you don’t need to add the password for ‘root’ to config.inc.php. Only the password for ‘pma’ needs to go in there, in the place that I indicated. What I have written on this page works for me (mysql is shown as activated). If the control panel is not showing mysql as activated, how can you be sure it is? One good way to get clues as to what is going on is to start mysql in a command window using c:\xampp\mysql_start.bat. If it doesn’t start correctly, you’ll get some error messages containing the clues.
I discovered that after adding the pma password that MySQL can’t be shut down using the XAMPP control panel anymore. The c:\xampp\mysql_stop.bat command must be used to stop MySQL instead. Your pma password also needs to be added to mysql_stop.bat. I added this information to the article.
This is great! Keep it coming. I am migrating from Apache 1.3 to Apache 2.2.
My concern with XAMPP is security. Still debating on using it or installing Apache, PHP, etc. individually.
With that said, I have installed XAMPP and have followed all of your instructions. Just waiting for the remaining articles.
Is there a good, safe on-line service that can check your system for holes and recommend fixes? I have used ‘Shields Up!’ and the like, but is there something more specific to detecting WAMP security flaws?
Jeff: Glad you are finding it useful. I’ve been having some trouble getting some free time lately to finish the articles, but it will happen. As for your question about an online service for checking for security holes – I have never looked into one, but it sounds like a good idea. Sorry that I can’t give you any direction on that one. If you do find something out about that, please let me know.
I had stumbled upon the lack of a pw for pma user by myself and did some searching on making things secure and found this site. I was also concerned about the security of folders and about who can access certain features. So, I did the changes to the .conf file as shown but I do not get asked for a user or pw when trying to access the phpadmin or security or webalizer folders from a browser. I do however get an “access denied” page. Is there something I am missing?
I kept a back-up of the httpd-xampp.conf file in case something went wrong.
Seems like you missed a step on the folder security. In order to use the same user and password for the XAMPP folder, you also need to copy the .htaccess file from that folder to the new folder that you want to secure (such as webalizer.)
Thanks for the great guide on securing xampp. This is just what I was looking for!
One other thing… if you kept the xampp pages under htdocs like I did, your status page will show that mysql is deactivated after you change the pma password. You can edit xampp/htdocs/xampp/mysql.php to correct this.
Don’t know why that’s important, but I get all warm and fuzzy looking at status pages. 😉
Rob: “I discovered that after adding the pma password that MySQL can’t be shut down using the XAMPP control panel anymore. The c:\xampp\mysql_stop.bat command must be used to stop MySQL instead. Your pma password also needs to be added to mysql_stop.bat.”
This can easily be fixed: just convert/compile the EDITED mysql_stop.bat file into an EXE and name the file xampp_stop.exe. I would keep the old xampp_stop.exe just in case; I just renamed it xampp_stop.exe.bak.
P.S. I just googled “convert bat to exe” this free app worked for me: http://www.abyssmedia.com/quickbfc/
Hi Robb, an excellent tutorial you have posted here. I have completed 80% of it and feel more secure now. However, I have a small problem. I do not want to give out the password to clients whose websites I am building server-side (my end). Is there a way of granting them access to their respective folders (Client1, Client2, Client3) etc.? Can they have separate passwords to access their websites, or can I set a master password which will enable them to access sites contained on my webserver? Thanks in advance.
Wises
Hi Wises:
Yes, you can create separate passwords for different folders. Look at my page here: https://robsnotebook.com/xampp-builtin-security, under “How this security was added”, and you can adapt what is written there. You will need to create a .htaccess file in each folder, and point it to a password file. You generate the password file by using the command “c:\xampp\apache\bin\htpasswd” on the command line. Run htpasswd without any arguments, and it will show you all the options.
My mysql_stop doesn’t have the line you stated it should have, help please
great tutorial. worked in the first attempt. thank you.
Hey Rob, nice job. I got stuck at one place. I couldn’t open c:\xampp\mysql_stop.bat to edit the line “mysql\bin\mysqladmin --user=pma --password= shutdown”. It opens in a black screen and has nothing like that line. So please tell me how to open that .bat file.
If I delete the PMA account from phpmyadmin, will there be any problem? Please reply.
My mysql_stop.bat doesn’t have the line you stated it should have. What to do?
The procedure may be for older xampp version than mine. I have 1.7.3
Couldn’t find the text in the mentioned httpd config file, but I did find this
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info|test/rebuild))">
    Order deny,allow
    Deny from all
    Allow from ::1 127.0.0.0/8 \
        fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
        fe80::/10 169.254.0.0/16
    ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>
As you may have noticed I have added the directory/subdirectory test/rebuild. This way I have password protected the directory /htdocs/test/rebuild the same way as the other folders
Btw, I found no problem in stopping/restarting either Apache or MySQL from xampp control panel.
Okay so the copied text was messed up due to (greater than) in there
Look for the line containing something like LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info|test/rebuild))"
I hope in the second try, you -can- see where I have added “test/rebuild”
I’m having the same problem as some of the above. I don’t appear to have “mysql\bin\mysqladmin –user=pma –password= shutdown” in \xampp\mysql_stop.bat, and instead I have the following text:
@echo off
echo Mysql shutdowm …
apache\bin\pv -f -k mysqld.exe -q
if not exist mysql\data\%computername%.pid GOTO exit
echo Delete %computername%.pid …
del mysql\data\%computername%.pid
:exit
I have gone through the first steps of changing the PMA in phpMyAdmin, and now Apache isn’t running. Any ideas?
Good day Rob,
I installed xampp to run the opensis software, but after installation of the xampp and opensis, I logged out of both and tried to log back in. I get the error message #1045 - Access denied for user ‘root’@’localhost’ (using password: YES). I have tried to reset the mysql root password using the resetboot.bat file but it shows “cannot find file specified”.
I have little knowledge about using cmd and editing conf files, and all the forums I have checked don’t explain their steps in detail. So please, can you assist me with this…
thank you