Use XAMPP Security Script to Password Protect /xampp and phpMyAdmin root User

July 6th, 2007

This article is part of a series of articles that I’m writing on how to make XAMPP more secure. See the overview page for all of the security steps.

The first step in securing XAMPP is to use its built in security page. Notice I said that this is just the first step, there are many more things to do to secure XAMPP, which are detailed on the overview page.

Start Apache and MySQL and go to http://localhost in your browser (on the same machine as your server). If this is your first time browsing the local site, you should now see a webpage with the XAMPP logo and a choice of languages. Click on your preferred language.

This brings you to an XAMPP control page with navigation links in the left sidebar. Click on “Security”. The page may take a moment to load, it is checking your security status. After it loads, you will see various states of your security status and how your server is currently insecure.

To fix the first 3 problems listed on this page (XAMPP pages publicly accessible, mySQL has no password, and phpMyAdmin is freely accessible), scroll down until you see this link: http://localhost/security/xamppsecurity.php. Click on that link. If you don’t have that link, click here to bring you to that page on your local server.

You’ll now see a page titled “Security console MySQL & XAMPP directory protection”. Do the following:

  1. Enter a password (2 times) for the MySQL SuperUser (root)
  2. Select “cookie” for “PhpMyAdmin authentification” (this is the default, and I prefer it over http authentification).
  3. Do not check “Safe plain password in text file?”
  4. Record this password in a safe place so you don’t forget it.
  5. Click the button “Password changing”.

If done correctly, you should get this message “The root password was successfully changed. Please restart MYSQL for loading these changes!”. Go ahead and restart MySQL via the XAMPP control panel (stop it and then start it again).

Now, back on the XAMPP security page, scroll down to “XAMPP DIRECTORY PROTECTION (.htaccess)”. Do the following:

  1. Enter a username.
  2. Enter a password.
  3. Leave unchecked “Safe plain password in text file? “
  4. Record the username/password in a safe place so you don’t forget it.
  5. Click the button “Make safe the XAMPP directory”

Check that it was successful by looking above the “XAMPP DIRECTORY PROTECTION (.htaccess)” for this message: “SUCCESS: The XAMPP directory is protected now! All personal data was safed in the following file: C:\xampp\security\xampp.users C:\xampp\htdocs\xampp\.htaccess”.

In the future, you can use this page again to change your MySql password, but I don’t recommend using it for your XAMPP password since it will erase any users that you may have added for XAMPP access. If you are the only user for the XAMPP pages, then it is ok to use this form to enter a new password.

You can relaunch the security page to see what XAMPP thinks of your security now. To do this, click on “Security” in the left sidebar. The top 3 items should indicate “Secure” now. If not, you have an issue.

Impacts of your new security and testing it

The security step that you just performed means you will need to supply a username and password when accessing /xampp and /phpmyadmin. Let’s test that this is the case.

To test that /xampp needs a password:

  1. Close and reopen your browser (to erase memory of passwords)
  2. Go to http://localhost/xampp, a window should pop up asking you for a password.
  3. Log in with the username/password that you created for /xampp access.
  4. If this brings you to your XAMPP control page, then this test is sucessful.

To test that /phpmyadmin needs a password:

  1. Since this password protection is cookie based (unles you chose http authentification), you don’t need to close and reopen your browser.
  2. Go to http://localhost/phpmyadmin, a web page should pop up asking you for a password.
  3. Enter “root” as your username and give the password that you supplied to the XAMPP security page.
  4. If this brings you to the phpMyAdmin page, then this test is successful.
  5. You may also want to try signing out of phpMyAdmin and signing back in. To sign out, click the button that looks like this: phpMyAdmin exit button, which is at the top of the left sidebar.

There is a post on the Apache friends forum that advises to change the root user’s username to something other than “root”, to increase your security. See that post for instructions on how to do that if you want to.

How this security was added

For /xampp, the security webpage script created the file c:\xampp\htdocs\xampp\.htaccess, and gave it the following content:


AuthName “xampp user”
AuthType Basic
AuthUserFile “C:\xampp\security\xampp.users”
require valid-user

This adds Basic Authentification to the /xampp folder, and states that the usernames and passwords are stored in the c:\xampp\security\xampp.users file.

The security script also created a new c:\xampp\security\xampp.users file containing the username and password that you entered. If you examine this file in a text editor, you will see that the password is encrypted. For security purposes, it is important to never make the c:\xampp\security folder accessible via the webserver, or a malicious person could have access to this password file.

For securing phpMyAdmin, the security script did the following

  1. Called the php function mysqlrootupdate() in c:\xampp\security\htdocs\securefunctions.php. This function communicates with the MySQL database to change the root password.
  2. Modified your config.inc.php file to change this line:
    $cfg['Servers'][$i]['auth_type']     = 'config';    // Authentication method (config, http or cookie based)

    to this:

    $cfg['Servers'][$i]['auth_type']     = 'cookie';      // Authentication method (config, http or cookie based)

    in order to enable the cookie based web page authentification to your /phpmyadmin page.

More Security

Now, we have the first level of security for XAMPP. There are still some holes. Additional folders and users need password protection. Also, the passwords you just created will be sent in cleartext and anyone with a network sniffer can see them. You will need to enable encryption for the transmission of these passwords. See the overview page for instructions on how to do these things.

Next Step

The next step in this tutorial is to remove unused folders.

55 Comments

  1. […] https://robsnotebook.com/xampp-builtin-security […]

  2. chkon 23 Mar 2008 at 6:28 am

    Say, for which version of XAMPP does this work? I cannot find sth. like /security/xamppsecurity.php in version XAMPP 1.6.6 for linux. 🙁
    Regards

  3. Robon 27 Mar 2008 at 7:08 am

    This article was written using XAMPP version 1.6.2 on Windows. I never tried it on Linux.

  4. charlyon 21 Jun 2008 at 1:17 pm

    worked like a charm in my WAMP server! (intranet.. hosting in a Windows XP hehe) right what i needed, and the top search in google 🙂 thanks Rob!!

  5. YEon 09 Jul 2008 at 7:46 pm

    Hi,

    This was the absolute BEST help guide on the php password on the ENTIRE web! Thanks a zillion!

    YE is Here!

  6. Phamon 18 Jul 2008 at 2:33 pm

    Hi

    I have to say, this is the best tutorial ever, both for novice or proper developers.
    Its straight forward and step by step.

    Thanks Very much Rob.

  7. yehon 06 Aug 2008 at 12:04 pm

    when i click localhost it wont load what am i doing wrong

  8. Robon 07 Aug 2008 at 9:12 am

    Yeh: Perhaps you have not started Apache? Try launching the XAMPP control panel and starting Apache.

  9. Meerajon 27 Sep 2008 at 3:34 am

    I cant log into my localhost after i run the tutorial. I recieve this messege : Database Error: Unable to connect to the database:Could not connect to MySQL. What went wrong?

  10. faginon 07 Nov 2008 at 12:43 pm

    Hi, I had set my user and password for my phpmyadmin…and have forgotten what they were…how do I retrieve them? Thanks. I’m locked out.

  11. donon 22 Nov 2008 at 3:44 am

    Thank you for this Great Tutorial!

  12. Samon 12 Dec 2008 at 4:44 pm

    Does anyone know how to remove this??? I installed XAMPP, made it secure this way, and now that I’ve completely remove XAMPP and installed MAMP, I still get a popup asking for xampp user Authentication when I browse to localhost. On a Mac with Leopard.

  13. Cheryl McCannon 03 Feb 2009 at 10:51 am

    Great tutorial. So good that I have locked myself out. I put in http://localhost/administrator/login.php and can’t get the following error:

    Database Error: Unable to connect to the database:Could not connect to MySQL

    Did I miss something here?

  14. Cheryl McCannon 03 Feb 2009 at 11:21 am

    I found that when I put my password for the mysql database in the configuration file in htdocs that allowed me to get into http://localhost/administrator/ the same as always.

    Cheryl

  15. Joseon 09 Feb 2009 at 5:12 pm

    Hello, its a great tutorial for nebies like me, but i have a major problem.
    Whenever i click the security link i xampp control panel, i get the following msg:
    Warning: include(lang/pt_br.php) [function.include]: failed to open stream: No such file or directory in F:\xampp\security\htdocs\index.php on line 13

    Warning: include() [function.include]: Failed opening ‘lang/pt_br.php’ for inclusion (include_path=’.;F:\xampp\php\pear\’) in F:\xampp\security\htdocs\index.php on line 13
    Is it possible to give some help? I´m using version 1.7 runing on windows.
    Thank you

  16. Joseon 10 Feb 2009 at 7:22 pm

    Hi all,
    problem solved, just renamed pt lang to pt_br. Now following
    your tutorials. Many thanks for them,
    regards.

  17. burston 27 Feb 2009 at 11:43 am

    Hi Rob,
    first of all, you have a really nice guide here, keep up the good work!

    I would like to add some more details on this first step. Folder protection through the built in security page still leaves a small security hole. Indeed, anyone that has access to the PHYSICAL host can access the security page without username/password. This is because the “” directive in httpd.conf contains “AllowOverride None” (which disables .htaccess files usage in any directory) while the “” directive in httpd-xampp.conf does not contain an “AllowOverride All” (or similar) directive (which enables .htaccess files usage in that specific directory). This is only a localhost access problem because network access to the security page is disabled thanks to the “Deny from all Allow from localhost” directives within “”.

    I also found that changing the “PhpMyAdmin authentification” (from http to cookie) after having set it once (to http) and without changing the password does not work (the config.inc.php remains unmodified). However, I did not investigate this problem further.

  18. burston 27 Feb 2009 at 11:48 am

    aaarghh, there was a problem with some missing characters, sorry, here is the full version

    Hi Rob,
    first of all, you have a really nice guide here, keep up the good work!

    I would like to add some more details on this first step. Folder protection through the built in security page still leaves a small security hole. Indeed, anyone that has access to the PHYSICAL host can access the security page without username/password. This is because the “Directory “C:/xampp/htdocs”” directive in httpd.conf contains “AllowOverride None” (which disables .htaccess files usage in any directory) while the “Directory “C:/xampp/security/htdocs”” directive in httpd-xampp.conf does not contain an “AllowOverride All” (or similar) directive (which enables .htaccess files usage in that specific directory). This is only a localhost access problem because network access to the security page is disabled thanks to the “Deny from all Allow from localhost” directives within “Directory “C:/xampp/security/htdocs””.

    I also found that changing the “PhpMyAdmin authentification” (from http to cookie) after having set it once (to http) and without changing the password does not work (the config.inc.php remains unmodified). However, I did not investigate this problem further.

  19. burston 27 Feb 2009 at 11:53 am

    Wrong cut and paste….. There should be “Directory /” where I wrote “Directory “C:/xampp/htdocs””

  20. Chrison 28 Feb 2009 at 7:48 am

    Hi Rob, thanks for the guide. I had to do somethings slightly different because I’m on mac osx but its seems to have worked. On the xampp security page all are showing the green Secure image. One problem though. PhpMyAdmin now gets this: #1045 – Access denied for user ‘root’@’localhost’ (using password: NO) . How do I go about setting the new password for this. Thanks for a good tutorial.

  21. Chrison 28 Feb 2009 at 8:03 am

    I was a bit quick off the mark with the above. I have now sorted it out. Simply edited the phpmyadmin config.inc.php file to have the new mysql password. ie. $cfg[‘Servers’][$i][‘password’] = ‘xxxxxx99999’; Hope this helps anyone else who got similar problems. Cheers.

  22. Muthuon 12 Mar 2009 at 9:51 am

    Hi,
    I tried to do what is said above.
    The phpmyadmin works fine .But my page is not working.When i try to open http://localhost/xampp/ it gives an error message “Database Error: Unable to connect to the database:Could not connect to MySQL”.
    Can any one of you please help.
    thanks

  23. Quimon 23 Mar 2009 at 11:47 am

    thank you for this tutorial..it work for me. before i thought changing the password is in privileges under phpmyadmin..and it gives me error in accessing my phpmyadmin..then I have to reinstall the xampp again..It did a great job…thank you very much

  24. kbataon 24 Apr 2009 at 11:26 pm

    I ran the security scripts in the terminal and added passwords. My problem now is that I get asked for a user name and password. I tried root as the user name but I can’t get back into PHPMyAdmin or xampp. Any idea what user name to use?

  25. heson 06 Jul 2009 at 1:02 pm

    try xampp for the user name

  26. SPeedYon 09 Jul 2009 at 3:02 pm

    nice this was great.

  27. SPeedYon 09 Jul 2009 at 3:57 pm

    Nice Post I just fixed my problem

  28. Glenon 12 Jul 2009 at 4:34 am

    Hi guys I have tried following the steps above…no luck, I am running Mac leopard, when I follow or type the link “http://localhost/security/xamppsecurity.php.” it get “Object not found”, where am I going wrong?

  29. pradeepon 27 Aug 2009 at 6:16 am

    Thanks for such a working idea…………
    but now i m having problem that i m not able access mysql database from cmd…….so plz help me for this also

  30. Usmanon 17 Dec 2009 at 4:22 pm

    Thanks a million for such a superb article.

  31. pauloon 03 Jan 2010 at 6:05 pm

    toda vez q eu vou acessar o site http://localhost/security/xamppsecurity.php/ não funciona dá assim:

    Not Found
    The requested URL /security/xamppsecurity.php/ was not found on this server.

    ——————————————————————————–

    Apache/2.2.8 (Win32) PHP/6.0.0-dev Server at localhost Port 80

    oq eu faço??

  32. Andrewon 25 Jan 2010 at 7:59 am

    Hi there. Being worried about my security I followed the steps up to this point, I am able to log into XAMPP with my newly created password and I am able to log into PHPMyAdmin with my new password but now I get the following error when I try and connect to my Joomla sites on my localhost, I am run a Windows 7 platform and XAMPP VS 1.7.1. “Database Error: Unable to connect to the database:Could not connect to MySQL” Do I need to change lines in my congiguration.php?? Help pls!

  33. Rodneyon 08 Feb 2010 at 2:17 am

    For everyone who is getting something like the following error: “Database Error: Unable to connect to the database:Could not connect to MySQL”, I found that a refresh of the web page fixed the problem (F5 on internet explorer).

  34. Milan Bojicon 12 Feb 2010 at 9:44 pm

    Thanks man, it was very helpfull! It was first time for me to install xampp and you are the only one who explained security issues so well that even beginer like me could understand it! Thank one more!

  35. IRRIDUCIBILIon 01 Mar 2010 at 8:16 am

    Hi, I just want to thank you for this tut. I was turning crazy with because I couldn’t access to phpMyAdmin and I needed to access it for my studies project, but I follow your tut and eventually I can enter now yeeeeaaaaaah 😀 So thank you so much!!

  36. Thommy M.on 11 Mar 2010 at 3:42 pm

    Thanks for a working tutorial. Took me a while to find it but now I’ve got XAMPP up and running with MySQL.

  37. Fisnikon 16 Mar 2010 at 9:22 pm

    Only problem i got is that i can not get in to the http://localhost/security/xamppsecurity.php. tried it all! Whats the problem?

  38. Mikeon 28 Mar 2010 at 3:35 pm

    I tried to open http://localhost/security/xamppsecurity.php. and it says Object not found! I am running Mac 10.5

  39. rooton 09 May 2010 at 7:00 am

    entraaaadd

  40. rooton 09 May 2010 at 7:00 am

    entraaaadd

  41. samon 07 Jun 2010 at 2:44 am

    Thanks a lot..more power

  42. Fionaon 16 Jun 2010 at 5:14 am

    Thank you thank you!! This has solved a problem I havebeen working on for three nights.

  43. samuelon 11 Sep 2010 at 9:35 am

    no entiendo donde entro solo salen letras y no se donde entrar

  44. Apuestoon 02 Nov 2010 at 5:20 am

    Hi all, this is surely a nice tutorial…but now, users cannot access the sites that am hosting from my machine. When they try to run http://myipaddress:8080/appname the page doesn’t load.
    Someone please help urgently.

  45. Cara Mengubah Password Xamppon 14 Mar 2011 at 10:25 pm

    […] https://robsnotebook.com/xampp-builtin-security Internet Subscribe to RSS feed […]

  46. kevinon 15 Apr 2011 at 9:04 pm

    venait,vous amuser vite vite!!!

  47. Webdesign bureau Amsterdamon 08 Aug 2011 at 4:47 pm

    My config.inc.php file is empty. What do I enter there to change password of phpmyadmin?

  48. Webdesign agency Amsterdamon 08 Aug 2011 at 4:59 pm

    I found the answer how to login somewhere else.
    The solution was to login with username: localhost
    and no password.

  49. Clemdu59270on 11 Aug 2011 at 3:07 pm

    Salut , j’ai un gros probléme et personne ne m’aide , quand je veux allé sur phpmyadmin cela me met une erreur comme ceci :phpMyAdmin – Erreur
    Erreur lors du démarrage de la session, veuillez vérifier les erreurs indiquées par PHP ou dans le fichier témoin du serveur web, et configurer PHP correctement.
    Aider moi svp !!

  50. Siriuson 16 Sep 2011 at 11:05 am

    how i can change the name user ”root” for mysqp , im like change for other name, any name secret, in xampp only is root i can change in any site of xampp folder for other name?

  51. wolf pawson 28 Oct 2011 at 9:11 pm

    Hi Rob, GREAT tutorial, I posted a portion of the instructions and additional material to help others in my predicament here for those of us who use mySQL for opensim: http://forums.osgrid.org/viewtopic.php?f=15&t=3657&start=0

    I have xampplite 1.7.3 and it kept showing the red must change root PW but every time I tried it I was locked totally out and no way to fix it I could find.
    Your instructions here however provided a 100% perfect solution and it worked like a charm, real easy, thanks Rob!

  52. paton 25 Apr 2012 at 10:32 pm

    i was following along fine until i followed that link to re-naming the root user. now i can’t get into mysql and will have to un-install xampp.

    you people should warn beginners that monkeying with root names and passwords & deleting roots is not for beginners.

  53. xinon 04 Oct 2012 at 1:25 am

    Same with me. Tried http://localhost/security/xamppsecurity.php. and it says Object not found! Mine is in Lion Mac 10.7.2

    There’s no security console in xampp folder either.Please help.

  54. Biren Pandaon 08 Apr 2013 at 11:18 am

    I applied the security measures as outlined by you.Every thing seemed to be OK till I tried to access local host. It did ask for user name and password. But when I entered the required data I got a message about internal server error etc. I had to uninstal/reinstal XAMPP and am quite happy with insecure XAMPP.
    P.S.: I am sure that I had entered correct username and password.

  55. xonaon 17 Jun 2013 at 9:28 am

    I have changed the language of php myadmin.But now how can i login?

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.