Remove Default Users/Passwords from XAMPP Filezilla FTP Server

This article is part of a series of articles about making XAMPP more secure. See the overview page for all the security measures.

By default, the FTP server that comes with XAMPP allows anonymous user logins and also has a default user with

username: newuser
password: wampp

In order to make it more secure, you should disable anonymous logins, and get rid of the “newuser” user. You may also want to create a new FTP user for your legitimate FTP usage. In order to accomplish this, do the following:

1. Install FileZilla as a service (and start it) in order to access the FTP server config:
   1. Open up the XAMPP Control Panel
   2. Check box next to “Svc” for Filezilla
   3. Click “OK” on window which says “Click OK to install the Filezilla FTP Service”
   4. Click “Yes” on window which says “Install Service?”
   5. Click “No” for the window which states “Autostart Service?”, unless you want the FTP server to launch whenever you reboot your machine (in that case, click “Yes”).
   6. Click “Yes” on the window which asks “Start Server?”
2. Launch the Filezilla server administration
   1. In the XAMPP control panel, make sure Filezilla is running
   2. In the XAMPP control panel, click on the “Admin” button for Filezilla.
   3. A dialog box that pops up titled “Connect to Server?”. This dialog box will show defaults of: server address=127.0.0.1, Port=14147, Administration Password=(blank). Leave these defaults alone and click “OK”.
3. Delete the anonymous user
   1. In the Filezilla server window, from the pulldown menu choose Edit->Users to get the “Users” Dialog box.
   2. In “Users:” area on right side, highlight “anonymous”.
   3. In the middle area, under “Account settings”, uncheck “Enable account”
   4. Click “OK” to close the “Users” dialog box.
4. Delete the default user “newuser”
   1. In the Filezilla server window, from the pulldown menu choose Edit->Users to get the “Users” Dialog box.
   2. In “Users:” area on right side, highlight “newuser”.
   3. Click “Remove” in the “Users: ” area to remove this user.
   4. Click “OK” to close the “Users” dialog box.
5. Create legitimate users
   1. In the Filezilla server window, from the pulldown menu choose Edit->Users to get the “Users” Dialog box.
   2. In “Users:” area on right side, click “Add”.
   3. In the “Add User Account” dialog box:
      1. For “Please enter the name of the user account that should be added:”, enter new account user name.
      2. For “User should be member of the following group:”, you can leave it as <none>
   4. With your new user account name highlighted in the “Users:” area, check the box next to “Password”, and type in a password in the edit box. Note: The more characters in your password, the more secure it will be. It is also more secure to have a password that is not a word that can be found in a dictionary and has some special characters such as # or !.
   5. For extra security, click “Force SSL for user login” to force encryption of your password. Warning: This will not work if you use the regular Windows FTP client with this server. You’ll need to use another FTP client such as the corresponding Filezilla one in order to have this security.
   6. Setup the directories that this new user will have access to.
      1. Highlight “Shared Folders” under the “Page:” area on the left side of the dialog box.
      2. Now click on “Add” under the shared folders area to add a directory.
      3. In the “Browse for folders” window that comes up, navigate to the desired folder and press OK. This will give the FTP user access to this directory and all sub-directories.
      4. Choose the powers that this user will have (such as add, write, delete) for files and other folders under this directory.
      5. Repeat this for all directories you want to add.
   7. Click “OK” to close the “Users” dialog box.

Next Step

The next step in this tutorial is to go back and continue to remove default usernames and passwords.