How to make xampp secure

I'm planning on using xampp standalone (prototyping development in PHP). However, I've heard a great deal about the security issues with xampp.

By default, everything is supposedly opened and ready for exploit; http port is 80 by default, and the following statements are true:

  • xampp pages are accessible by network for everyone
  • mysql admin user root has no password
  • phpmyadmin is freely accessible by network

I've also read a lot about bots randomly trying to access such servers and deploying their scripts that execute .bat commands, install services, etc., but this is probably not related to xampp ONLY.

So, my question is, are there any tutorials, good practices, what to disable (and especially, HOW)?

I've come across some literature, but it's a bit outdated (2007). Here's the source: http://robsnotebook.com/xampp-security-hardening .

Besides, I've also found this PHP file, which validates the basic security in php.ini: https://github.com/sektioneins/pcc

I am trying to make xampp as secure as possible.

Best Answer

Indeed, the default settings on XAMPP provide no security at all. However, to fix the insecurities you listed, go to http://localhost/security/xamppsecurity.php immediately after installation on your localhost network where XAMPP has been installed. Remember that if Apache uses a port other than '80', type in this address instead: 'http://localhost:93/security/xamppsecurity.php', where ':93' is the port number.

Now, secure your MySQL SuperUser account (root) with a password by typing a strong password twice. Change the phpMyAdmin authentication type to 'http' instead of the default 'cookie'; do this so that no information for accessing phpMyAdmin is stored on your computer. Uncheck the '(File: C:\xampp\security\security\mysqlrootpasswd.txt)' option to avoid saving the plain password in a text file, as this is an extreme violation of security protocol across all networks and systems.

Finally, you can click on the "Password Changing" button, and your MySQL and phpMyAdmin applications are secure.

XAMPP Security Page
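
A way to check for the conditions raised in the question (network-reachable pages, a passwordless root account, phpMyAdmin open without a login), as an added example that is not part of the original question or answer. The function names and both sample configurations are constructed for illustration; the setting names are phpMyAdmin's `config.inc.php` keys and Apache's `Listen` directive.

```python
import re

# Constructed sample inputs (not taken from a real installation).
SAMPLE_PMA_CONFIG = r"""
<?php
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""
SAMPLE_HTTPD_CONF = """
# Listen 127.0.0.1:8080
Listen 80
Listen [::]:443
"""

def pma_settings(text):
    """Return {key: value} for each $cfg['Servers'][$i][key] = value; line."""
    pat = re.compile(r"^\s*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(.*?);", re.M)
    return {k: v.strip().strip("'\"") for k, v in pat.findall(text)}

def audit_pma(text):
    """List weak phpMyAdmin server settings found in config.inc.php text."""
    s, findings = pma_settings(text), []
    auth = s.get("auth_type", "cookie")  # phpMyAdmin's default is cookie
    if auth == "config":
        findings.append("auth_type=config: credentials stored in file, no login prompt")
        if s.get("password", "") == "":
            findings.append("empty MySQL password for user '%s'" % s.get("user", "?"))
    if s.get("AllowNoPassword", "false").lower() == "true":
        findings.append("AllowNoPassword=true: passwordless logins accepted")
    return findings

def audit_listen(text):
    """Flag Apache Listen directives that are not bound to a loopback address."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*Listen\s+(\S+)", line, re.I)
        if not m:
            continue  # comments and other directives
        addr = m.group(1)
        host = addr.rsplit(":", 1)[0] if ":" in addr else ""  # bare port = all interfaces
        if host.strip("[]") not in ("127.0.0.1", "::1"):
            findings.append("Listen %s is reachable from the network" % addr)
    return findings

if __name__ == "__main__":
    for finding in audit_pma(SAMPLE_PMA_CONFIG) + audit_listen(SAMPLE_HTTPD_CONF):
        print("[!]", finding)
```

To audit a real installation, pass the contents of its own `config.inc.php` and `httpd.conf` to the two functions instead of the samples.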
