How-To Secure XAMPP from localhost - Administration
In this XAMPP tutorial, you will learn how to install XAMPP for Windows on XP or Windows 7. By the end of this tutorial, you will have a fully working and configured XAMPP PHP installation on your Windows system, which will serve as your local Apache web server bundled with PHP (or Perl) and MySQL.
Now that the installation is complete, let's secure it. Security is the most important part of the configuration: a localhost install of XAMPP does not need to be publicly accessible, either within your network or from the Internet.
Here, we will learn how to secure your XAMPP for Windows directories and assign passwords. Below are the basic security setup steps:
1. Launch your favorite browser.
2. Enter the following URL in your address bar: http://localhost
3. You should then see the XAMPP splash page. Click "English." You will then see the XAMPP administrator panel, where you can find the XAMPP status and security configuration settings.
4. Click "Security."
5. XAMPP will then perform a security audit of your Windows system and setup. You will likely see errors; do not panic. Since you have not secured your XAMPP installation yet, you will likely see the following warnings:
These XAMPP pages are accessible by network for everyone - UNSECURE
The MySQL admin user root has NO password - UNSECURE
PhpMyAdmin is free accessible by network - UNSECURE
The FileZilla FTP password is still 'wampp' - UNSECURE
PHP is NOT running in "safe mode" - UNSECURE
A POP3 server like Mercury Mail is not running or is blocked by a firewall! - Unknown
7. The priority items to be fixed are: Directory Permissions, MySQL Password and phpMyAdmin. Click the link http://localhost/security/xamppsecurity.php that appears below the warning messages.
8. Under the MySQL section: “Root” Password, assign a new password and make sure to take note of it by writing it down in a safe location. Select “cookie” for phpMyAdmin authentication.
Warning: Do NOT check “Save plain password in text file?”
Click “Password Changing.” You should then see: “The root password was successfully changed. Please restart MYSQL for loading these changes!”
9. To restart MySQL, go to the XAMPP Control panel (screenshot shown previously). Click “Stop” for MySQL. This will stop the MySQL service. It should look like the image below:
Click the “Start” button again to restart MySQL and implement your new password settings. If you see “running” under MySQL service, it has successfully restarted.
10. Now go back to the XAMPP security page (http://localhost/security/index.php). Let’s secure the XAMPP directory by implementing “Directory protection (.htaccess).”
First, enter the desired username and password under “XAMPP DIRECTORY PROTECTION (.htaccess).” Take note of these credentials and write them down in a safe location.
Warning: Do NOT check the “Safe plain password in text file?”
Now, click “Make Safe the XAMPP directory.” If the changes are successful, you should see the message:
SUCCESS: The XAMPP directory is protected now! All personal data was saved in the following file: C:\xampp\security\xampp.users C:\xampp\htdocs\xampp\.htaccess
The password gets encrypted once it is stored in that location.
11. You can stop the “FileZilla” service in the XAMPP Control panel, as it is not required to test applications. The two most important services for developing web applications are Apache and MySQL. These should not be disabled if you want to properly test your applications locally.
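As a follow-up check for step 10, the Python sketch below (an added example, not part of the original tutorial or of XAMPP) audits the two files named in the SUCCESS message: it confirms that the .htaccess really requires a login and flags any xampp.users entry that is not stored as a hash. The directive layout and the sample file contents are constructed assumptions; on a real install, read the text from C:\xampp\htdocs\xampp\.htaccess and C:\xampp\security\xampp.users.

```python
import re

# Hash formats htpasswd writes on Windows; any other value is treated as plaintext
# (Apache on Windows accepts plaintext entries, so that case is worth flagging).
HASHES = {
    "apr1-md5": re.compile(r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"),
    "sha1": re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
}

def classify_users(users_text):
    """Map each user in an htpasswd-style file to a hash format or 'plaintext'."""
    found = {}
    for line in users_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, secret = line.split(":", 1)
        found[user] = next((n for n, rx in HASHES.items() if rx.match(secret)), "plaintext")
    return found

def audit_htaccess(htaccess_text):
    """Return the problems found in the directory-protection directives."""
    d = {}
    for line in htaccess_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            d[parts[0].lower()] = parts[1].strip().strip('"')
    problems = []
    if d.get("authtype", "").lower() not in ("basic", "digest"):
        problems.append("AuthType missing")
    if "authuserfile" not in d:
        problems.append("AuthUserFile missing")
    if not d.get("require", "").lower().startswith(("valid-user", "user ")):
        problems.append("no Require valid-user or Require user")
    return problems

# Constructed samples (not real credentials or real file contents).
SAMPLE_HTACCESS = 'AuthName "xampp user"\nAuthType Basic\n' \
    'AuthUserFile "C:\\xampp\\security\\xampp.users"\nRequire valid-user\n'
SAMPLE_USERS = "admin:$apr1$Xy12AbCd$" + "A" * 22 + "\nold:hunter2\n"

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE_HTACCESS))
    print(classify_users(SAMPLE_USERS))
```

An empty problem list together with no 'plaintext' entries means the directory protection from step 10 is in place and the stored credential is not readable as-is.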