Use XAMPP Security Script to Password Protect /xampp and phpMyAdmin root User
This article is part of a series of articles that I’m writing on how to make XAMPP more secure. See the overview page for all of the security steps.
The first step in securing XAMPP is to use its built-in security page. This is only the first step; there are many more things to do to secure XAMPP, which are detailed on the overview page.
Start Apache and MySQL and go to http://localhost in your browser (on the same machine as your server). If this is your first time browsing the local site, you should now see a webpage with the XAMPP logo and a choice of languages. Click on your preferred language.
This brings you to an XAMPP control page with navigation links in the left sidebar. Click on “Security”. The page may take a moment to load while it checks your security status. After it loads, you will see the status of each security check and the ways in which your server is currently insecure.
To fix the first 3 problems listed on this page (XAMPP pages publicly accessible, MySQL has no password, and phpMyAdmin is freely accessible), scroll down until you see this link: http://localhost/security/xamppsecurity.php. Click on that link. If you don’t have that link, click here to bring you to that page on your local server.
You’ll now see a page titled “Security console MySQL & XAMPP directory protection”. Do the following:
- Enter a password (2 times) for the MySQL SuperUser (root)
- Select “cookie” for “PhpMyAdmin authentification” (this is the default, and I prefer it over http authentication).
- Do not check “Safe plain password in text file?”
- Record this password in a safe place so you don’t forget it.
- Click the button “Password changing”.
If done correctly, you should get this message “The root password was successfully changed. Please restart MYSQL for loading these changes!”. Go ahead and restart MySQL via the XAMPP control panel (stop it and then start it again).
Now, back on the XAMPP security page, scroll down to “XAMPP DIRECTORY PROTECTION (.htaccess)”. Do the following:
- Enter a username.
- Enter a password.
- Leave unchecked “Safe plain password in text file?”
- Record the username/password in a safe place so you don’t forget it.
- Click the button “Make safe the XAMPP directory”
Check that it was successful by looking above the “XAMPP DIRECTORY PROTECTION (.htaccess)” heading for this message: “SUCCESS: The XAMPP directory is protected now! All personal data was safed in the following file: C:\xampp\security\xampp.users C:\xampp\htdocs\xampp\.htaccess”.
In the future, you can use this page again to change your MySQL password, but I don’t recommend using it for your XAMPP password since it will erase any users that you may have added for XAMPP access. If you are the only user for the XAMPP pages, then it is OK to use this form to enter a new password.
You can relaunch the security page to see what XAMPP thinks of your security now. To do this, click on “Security” in the left sidebar. The top 3 items should indicate “Secure” now. If not, you have an issue.
Impacts of your new security and testing it
The security step that you just performed means you will need to supply a username and password when accessing /xampp and /phpmyadmin. Let’s test that this is the case.
To test that /xampp needs a password:
- Close and reopen your browser (to erase memory of passwords)
- Go to http://localhost/xampp. A window should pop up asking you for a password.
- Log in with the username/password that you created for /xampp access.
- If this brings you to your XAMPP control page, then this test is successful.
To test that /phpmyadmin needs a password:
- Since this password protection is cookie based (unless you chose http authentication), you don’t need to close and reopen your browser.
- Go to http://localhost/phpmyadmin. A web page should appear asking you for a password.
- Enter “root” as your username and give the password that you supplied to the XAMPP security page.
- If this brings you to the phpMyAdmin page, then this test is successful.
- You may also want to try signing out of phpMyAdmin and signing back in. To sign out, click the sign-out button, which is at the top of the left sidebar.
There is a post on the Apache friends forum that advises changing the root user’s username to something other than “root”, to increase your security. See that post for instructions on how to do that if you want to.
How this security was added
For /xampp, the security webpage script created the file c:\xampp\htdocs\xampp\.htaccess, and gave it the following content:
AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\xampp\security\xampp.users"
require valid-user
This adds Basic Authentication to the /xampp folder, and states that the usernames and passwords are stored in the c:\xampp\security\xampp.users file.
The security script also created a new c:\xampp\security\xampp.users file containing the username and password that you entered. If you examine this file in a text editor, you will see that the password is encrypted. For security purposes, it is important to never make the c:\xampp\security folder accessible via the webserver, or a malicious person could have access to this password file.
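A way to check the conditions this protection depends on, as an added example that is not part of the original article or of XAMPP: it parses the .htaccess text, confirms the password file sits outside the document root, and confirms that Apache is allowed to honour the file at all. The function names, the document root `C:\xampp\htdocs` and the `allow_override` argument (the effective AllowOverride value for the directory, supplied by the caller) are assumptions.

```python
from pathlib import PureWindowsPath

def parse_htaccess(text):
    """Return {directive_lowercase: value} for simple one-line directives."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip('"')
    return directives

def audit(htaccess_text, docroot, allow_override):
    """List the reasons this .htaccess would not protect its directory."""
    findings = []
    d = parse_htaccess(htaccess_text)
    # Quotes pasted from a web page are often typographic, not ASCII.
    if any(ch in htaccess_text for ch in "\u201c\u201d"):
        findings.append("typographic quotes: Apache reads them as part of the value")
    if d.get("authtype", "").lower() != "basic" or "require" not in d:
        findings.append("AuthType Basic plus a Require line are both needed")
    users = d.get("authuserfile")
    if users is None:
        findings.append("no AuthUserFile directive")
    elif PureWindowsPath(docroot) in PureWindowsPath(users).parents:
        findings.append("AuthUserFile is under the document root and can be served")
    # .htaccess authentication only works if AllowOverride grants AuthConfig.
    allowed = {tok.lower() for tok in allow_override.split()}
    if not allowed & {"all", "authconfig"}:
        findings.append("AllowOverride lacks AuthConfig: Apache ignores this .htaccess")
    return findings

# Constructed inputs modelled on the file shown in the article.
GOOD = '''AuthName "xampp user"
AuthType Basic
AuthUserFile "C:\\xampp\\security\\xampp.users"
require valid-user
'''
# Constructed bad case: password file moved inside the web-served folder.
BAD = GOOD.replace("C:\\xampp\\security", "C:\\xampp\\htdocs\\xampp")

if __name__ == "__main__":
    for label, text, override in (("good", GOOD, "All"), ("bad", BAD, "None")):
        print(label, audit(text, r"C:\xampp\htdocs", override))
```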
For securing phpMyAdmin, the security script did the following:
- Called the php function mysqlrootupdate() in c:\xampp\security\htdocs\securefunctions.php. This function communicates with the MySQL database to change the root password.
- Modified your config.inc.php file to change this line:
$cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method (config, http or cookie based)
to this:
$cfg['Servers'][$i]['auth_type'] = 'cookie'; // Authentication method (config, http or cookie based)
in order to enable cookie-based web page authentication for your /phpmyadmin page.
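The difference between the two settings can be checked from the file itself. The following is an added example, not code from the article or from phpMyAdmin: it reads the `$cfg['Servers'][$i][...]` assignments of a config.inc.php and reports login-related weaknesses. The function names and the sample fragments are constructed; `user`, `password` and `AllowNoPassword` are phpMyAdmin settings that the article's change does not touch.

```python
import re

# Matches assignments such as  $cfg['Servers'][$i]['auth_type'] = 'cookie';
# Lines commented out with // or # do not match. Values containing ';' are
# outside what this simple pattern handles.
SETTING = re.compile(
    r"^[ \t]*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\][ \t]*=[ \t]*(.+?)[ \t]*;", re.M)

def server_settings(php_source):
    """Collect the per-server settings; a later assignment wins, as in PHP."""
    return {key: value.strip("'\"") for key, value in SETTING.findall(php_source)}

def review(php_source):
    """Return findings for the login-related settings of config.inc.php."""
    s = server_settings(php_source)
    auth = s.get("auth_type")
    findings = []
    if auth is None:
        findings.append("auth_type not set: the phpMyAdmin default applies")
    elif auth == "config":
        findings.append("auth_type 'config': no login prompt, every visitor "
                        "gets the stored account (%s)" % s.get("user", "?"))
        if s.get("password", "") == "":
            findings.append("stored account has an empty password")
    if auth in ("cookie", "http") and s.get("password"):
        findings.append("password left in the file although %s auth "
                        "prompts for it" % auth)
    if s.get("AllowNoPassword", "false").lower() == "true":
        findings.append("AllowNoPassword is true: empty passwords accepted")
    return findings

# Constructed config fragments: the state before and after the change above.
BEFORE = """
$cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
"""
AFTER = """
$cfg['Servers'][$i]['auth_type'] = 'cookie'; // Authentication method
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
"""

if __name__ == "__main__":
    print("before:", review(BEFORE))
    print("after: ", review(AFTER))
```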
More Security
Now, we have the first level of security for XAMPP. There are still some holes. Additional folders and users need password protection. Also, the passwords you just created will be sent in cleartext and anyone with a network sniffer can see them. You will need to enable encryption for the transmission of these passwords. See the overview page for instructions on how to do these things.
Next Step
The next step in this tutorial is to remove unused folders.
Say, for which version of XAMPP does this work? I cannot find sth. like /security/xamppsecurity.php in version XAMPP 1.6.6 for linux. 🙁
Regards
This article was written using XAMPP version 1.6.2 on Windows. I never tried it on Linux.
Worked like a charm in my WAMP server! (intranet.. hosting in a Windows XP hehe) Right what I needed, and the top search in Google 🙂 Thanks Rob!!
Hi,
This was the absolute BEST help guide on the php password on the ENTIRE web! Thanks a zillion!
YE is Here!
Hi
I have to say, this is the best tutorial ever, both for novice or proper developers.
It’s straightforward and step by step.
Thanks Very much Rob.
When I click localhost it won’t load. What am I doing wrong?
Yeh: Perhaps you have not started Apache? Try launching the XAMPP control panel and starting Apache.
I can’t log into my localhost after I run the tutorial. I receive this message: Database Error: Unable to connect to the database:Could not connect to MySQL. What went wrong?
Hi, I had set my user and password for my phpmyadmin…and have forgotten what they were…how do I retrieve them? Thanks. I’m locked out.
Thank you for this Great Tutorial!
Does anyone know how to remove this??? I installed XAMPP, made it secure this way, and now that I’ve completely removed XAMPP and installed MAMP, I still get a popup asking for xampp user Authentication when I browse to localhost. On a Mac with Leopard.
Great tutorial. So good that I have locked myself out. I put in http://localhost/administrator/login.php and can’t get the following error:
Database Error: Unable to connect to the database:Could not connect to MySQL
Did I miss something here?
I found that when I put my password for the mysql database in the configuration file in htdocs that allowed me to get into http://localhost/administrator/ the same as always.
Cheryl
Hello, it’s a great tutorial for newbies like me, but I have a major problem.
Whenever I click the security link in the XAMPP control panel, I get the following message:
Warning: include(lang/pt_br.php) [function.include]: failed to open stream: No such file or directory in F:\xampp\security\htdocs\index.php on line 13
Warning: include() [function.include]: Failed opening ‘lang/pt_br.php’ for inclusion (include_path=’.;F:\xampp\php\pear\’) in F:\xampp\security\htdocs\index.php on line 13
Is it possible to give some help? I’m using version 1.7 running on Windows.
Thank you
Hi all,
problem solved, just renamed pt lang to pt_br. Now following
your tutorials. Many thanks for them,
regards.
Hi Rob,
first of all, you have a really nice guide here, keep up the good work!
I would like to add some more details on this first step. Folder protection through the built in security page still leaves a small security hole. Indeed, anyone that has access to the PHYSICAL host can access the security page without username/password. This is because the “” directive in httpd.conf contains “AllowOverride None” (which disables .htaccess files usage in any directory) while the “” directive in httpd-xampp.conf does not contain an “AllowOverride All” (or similar) directive (which enables .htaccess files usage in that specific directory). This is only a localhost access problem because network access to the security page is disabled thanks to the “Deny from all Allow from localhost” directives within “”.
I also found that changing the “PhpMyAdmin authentification” (from http to cookie) after having set it once (to http) and without changing the password does not work (the config.inc.php remains unmodified). However, I did not investigate this problem further.
aaarghh, there was a problem with some missing characters, sorry, here is the full version
Hi Rob,
first of all, you have a really nice guide here, keep up the good work!
I would like to add some more details on this first step. Folder protection through the built in security page still leaves a small security hole. Indeed, anyone that has access to the PHYSICAL host can access the security page without username/password. This is because the “Directory “C:/xampp/htdocs”” directive in httpd.conf contains “AllowOverride None” (which disables .htaccess files usage in any directory) while the “Directory “C:/xampp/security/htdocs”” directive in httpd-xampp.conf does not contain an “AllowOverride All” (or similar) directive (which enables .htaccess files usage in that specific directory). This is only a localhost access problem because network access to the security page is disabled thanks to the “Deny from all Allow from localhost” directives within “Directory “C:/xampp/security/htdocs””.
I also found that changing the “PhpMyAdmin authentification” (from http to cookie) after having set it once (to http) and without changing the password does not work (the config.inc.php remains unmodified). However, I did not investigate this problem further.
Wrong cut and paste….. There should be “Directory /” where I wrote “Directory “C:/xampp/htdocs””
Hi Rob, thanks for the guide. I had to do some things slightly differently because I’m on Mac OS X but it seems to have worked. On the XAMPP security page all are showing the green Secure image. One problem though. phpMyAdmin now gets this: #1045 – Access denied for user ‘root’@’localhost’ (using password: NO). How do I go about setting the new password for this? Thanks for a good tutorial.
I was a bit quick off the mark with the above. I have now sorted it out. Simply edited the phpmyadmin config.inc.php file to have the new mysql password. ie. $cfg[‘Servers’][$i][‘password’] = ‘xxxxxx99999’; Hope this helps anyone else who got similar problems. Cheers.
Hi,
I tried to do what is said above.
The phpMyAdmin works fine. But my page is not working. When I try to open http://localhost/xampp/ it gives an error message “Database Error: Unable to connect to the database:Could not connect to MySQL”.
Can any one of you please help.
thanks
thank you for this tutorial..it work for me. before i thought changing the password is in privileges under phpmyadmin..and it gives me error in accessing my phpmyadmin..then I have to reinstall the xampp again..It did a great job…thank you very much
I ran the security scripts in the terminal and added passwords. My problem now is that I get asked for a user name and password. I tried root as the user name but I can’t get back into PHPMyAdmin or xampp. Any idea what user name to use?
try xampp for the user name
nice this was great.
Nice Post I just fixed my problem
Hi guys, I have tried following the steps above… no luck. I am running Mac Leopard. When I follow or type the link “http://localhost/security/xamppsecurity.php.” I get “Object not found”. Where am I going wrong?
Thanks for such a working idea…………
but now I’m having a problem: I’m not able to access the MySQL database from cmd, so please help me with this also
Thanks a million for such a superb article.
Every time I try to access the site http://localhost/security/xamppsecurity.php/ it doesn’t work; it shows this:
Not Found
The requested URL /security/xamppsecurity.php/ was not found on this server.
——————————————————————————–
Apache/2.2.8 (Win32) PHP/6.0.0-dev Server at localhost Port 80
What do I do??
Hi there. Being worried about my security I followed the steps up to this point. I am able to log into XAMPP with my newly created password and I am able to log into phpMyAdmin with my new password, but now I get the following error when I try to connect to my Joomla sites on my localhost. I am running a Windows 7 platform and XAMPP version 1.7.1. “Database Error: Unable to connect to the database:Could not connect to MySQL” Do I need to change lines in my configuration.php?? Help please!
For everyone who is getting something like the following error: “Database Error: Unable to connect to the database:Could not connect to MySQL”, I found that a refresh of the web page fixed the problem (F5 on internet explorer).
Thanks man, it was very helpful! It was the first time for me to install XAMPP and you are the only one who explained security issues so well that even a beginner like me could understand it! Thanks once more!
Hi, I just want to thank you for this tut. I was turning crazy with because I couldn’t access to phpMyAdmin and I needed to access it for my studies project, but I follow your tut and eventually I can enter now yeeeeaaaaaah 😀 So thank you so much!!
Thanks for a working tutorial. Took me a while to find it but now I’ve got XAMPP up and running with MySQL.
The only problem I have is that I cannot get in to http://localhost/security/xamppsecurity.php. Tried it all! What’s the problem?
I tried to open http://localhost/security/xamppsecurity.php. and it says Object not found! I am running Mac 10.5
entraaaadd
Thanks a lot..more power
Thank you thank you!! This has solved a problem I have been working on for three nights.
I don’t understand where I go in; only letters come up and I don’t know where to enter.
Hi all, this is surely a nice tutorial…but now, users cannot access the sites that am hosting from my machine. When they try to run http://myipaddress:8080/appname the page doesn’t load.
Someone please help urgently.
Come and have fun, quick quick!!!
My config.inc.php file is empty. What do I enter there to change password of phpmyadmin?
I found the answer how to login somewhere else.
The solution was to login with username: localhost
and no password.
Hi, I have a big problem and nobody is helping me. When I try to go to phpMyAdmin it gives me an error like this: phpMyAdmin – Erreur
Erreur lors du démarrage de la session, veuillez vérifier les erreurs indiquées par PHP ou dans le fichier témoin du serveur web, et configurer PHP correctement.
Please help me!!
How can I change the user name “root” for MySQL? I’d like to change it to another name, any secret name. In XAMPP it is only root. Can I change it to another name somewhere in the XAMPP folder?
Hi Rob, GREAT tutorial, I posted a portion of the instructions and additional material to help others in my predicament here for those of us who use mySQL for opensim: http://forums.osgrid.org/viewtopic.php?f=15&t=3657&start=0
I have xampplite 1.7.3 and it kept showing the red must change root PW but every time I tried it I was locked totally out and no way to fix it I could find.
Your instructions here however provided a 100% perfect solution and it worked like a charm, real easy, thanks Rob!
I was following along fine until I followed that link to renaming the root user. Now I can’t get into MySQL and will have to uninstall XAMPP.
you people should warn beginners that monkeying with root names and passwords & deleting roots is not for beginners.
Same with me. Tried http://localhost/security/xamppsecurity.php. and it says Object not found! Mine is in Lion Mac 10.7.2
There’s no security console in xampp folder either.Please help.
I applied the security measures as outlined by you. Everything seemed to be OK till I tried to access localhost. It did ask for user name and password. But when I entered the required data I got a message about internal server error etc. I had to uninstall/reinstall XAMPP and am quite happy with insecure XAMPP.
P.S.: I am sure that I had entered correct username and password.
I have changed the language of phpMyAdmin. But now how can I log in?