Rob July 10th, 2007
This article is part of a series of articles about making XAMPP more secure. See the overview page for all the security measures.
The XAMPP built-in security only gives password protection to phpMyAdmin root user and to the /xampp folder. There are more folders and users that should be protected.
Change the password of the “pma” user in phpMyAdmin
By default, the MySQL database provided by XAMPP contains 2 users, “root” and “pma”. The “pma” user is used by the phpMyAdmin application. You should have already given a password to the “root” user, but the “pma” user still has a blank password. This should be changed to increase your security.
There are 2 steps involved in changing the password for “pma”. First, you change the password using phpMyAdmin, and then you need to edit the config.inc.php file to let phpMyAdmin know what the password is.
To change the password for “pma”:
Make sure Apache and MySQL are running.
On the same machine that Apache is running on, navigate to http://localhost/phpmyadmin
If you are presented with a login screen, enter username “root” and the password you assigned to it.
In the phpMyAdmin page, click on “Privileges”
The next page will show 2 users, “pma” and “root”. On the right side of the row for “pma” is this symbol: , click on it to edit the properties for “pma”.
Scroll down a little on the next page to see where you can change the password. I suggest using a password that is different than the phpMyAdmin password. Type in the old and new passwords and click on “Go” just underneath where you entered these passwords.
Now we need to let the phpMyAdmin config file know what the password is so that phpMyAdmin will continue to work.
Open the file c:\xampp\phpmyadmin\config.inc.php in your favorite text editor. Find this line:
$cfg['Servers'][$i]['controlpass'] = ''; // access to the "mysql/user"and place the password between the two ‘ on the right side of the “=”:
$cfg['Servers'][$i]['controlpass'] = 'password‘; // access to the “mysql/user”There is one other place where you need to enter in your pma password. This is in the file c:\xampp\mysql_stop.bat. By default, this file has this on the 3rd line:
mysql\bin\mysqladmin --user=pma --password= shutdownYou need to add your pma password to this file (shown in red below)
mysql\bin\mysqladmin --user=pma --password=password shutdownNow you are finished setting the password for “pma”. It is a good idea to check if you have done this properly. Exit phpmyadmin (click this button: , which is at the top of the left sidebar), and try to sign in again first as “root” and then as “pma”. If you get an error when you try to sign on, which says this: “#1045 - Access denied for user ‘pma’@'localhost’ (using password: NO)”, it means that you didn’t put the correct password into the config.inc.php file.
Consequence to using XAMPP control panel if pma password is changed
After you change your pma password, it seems that you are no longer able to use the XAMPP control panel to stop MySQL. You can still use it to start MySQL, but stopping it via the control panel will fail. To stop MySQL, you’ll need to open a command window (Start->Run “cmd”), and execute c:\xampp\mysql_stop.bat. When you stop MySQL this way, the XAMPP control panel will reflect that it is stopped.
Password protect /webalizer, /security, and any other XAMPP folders that you decided to keep
If you want to keep the webalizer and security pages of XAMPP, I suggest that you password protect them. You may also want to password protect other XAMPP pages that you have chosen to keep. You can use the same username/password that you chose for the XAMPP pages, which is stored in the c:\xampp\security\xampp.users file.
To protect these folders with the same password that you have for the /xampp folder, you need to add some text just before the directives in your Apache config files for each folder, as shown in red below:
Alias /web_folder_name “C:/xampp/foldername”
…
…
AuthType Basic
AuthUserFile C:\xampp\security\xampp.users
require valid-user
The file to edit to add this text for /security and /webalizer is c:\xampp\apache\conf\extra\httpd-xampp.conf. If you kept some of the other XAMPP folders and want to password protect them, I indicate which config files are used on this page.
In order for these changes in the config files to take effect, you need to stop Apache and restart it.
There are some folders that already have some password protection, and you should leave them alone (if you didn’t already delete them), unless you want them to have the same password as your /xampp folder. If you are running a webdav server, it may be a good idea to keep the separate password file for the webdav server.
There are also some default passwords that XAMPP has created for the /webdav, /restricted, and a /fonts directory (that is protected by /forbidden). Additionally, XAMPP has some default passwords for the FTP and mail servers. I’ll discuss how to change those passwords in a future article.
Next Step
The next step for the tutorial is to remove default usernames and passwords.
Previous <- Clean cgi-bin
Next -> Remove default usernames and passwords.
12 Comments »
Juanon 22 Jul 2007 at 1:10 pm
The password protection of the security folder doesn’t seem to work. I’m using xampp 1.6.2. Keep up the good work! This is some good stuff!
Robon 23 Jul 2007 at 12:53 pm
It works for me. It could be working for you, but you don’t know it. Once you sign in to your regular http://localhost/xampp page, the browser is remembering your password and won’t ask for it on the security page because you already gave it. To really test it, close and reopen your browser so that the browser will forget the password, go to http://localhost/security, and see if you are asked for a password.
Also remember that you need to stop/start Apache after making these changes to your config file in order for them to be effective.
joshon 28 Jul 2007 at 11:39 am
Nice guide. I have done what you indicated for the mySQL users - namely, to add a password to user “pma” and to add a password for “root” through the phpmyadmin interface. Then I went into the config.inc.php file and put the password into the ‘controlpass’ field and also the ‘password’ field for the MySQL user “root”. I can get in and out of phpmyadmin fine, and the mysql service can start, but if I look on the xampp status page, it shows the mysql database as deactivated. What gives?
jlson 28 Jul 2007 at 3:04 pm
your tutorial is very interesting.
I’ve applied your recommandation. I’m using xampp 1.6.2. In the file ‘c:\xampp\apache\conf\extra\httpd-xampp.conf’ your directive lead to syntax error when launching apache. After a while I’ve found that the line indicating the xampp.users should not contain “.
AuthType Basic
AuthUserFile C:\xampp\security\xampp.users
require valid-user
Robon 31 Jul 2007 at 8:49 pm
jls: Thanks for your comment. On my setup, I had no problem with having the “” around the line with xampp.users. I tried removing the “”, and also had no problem. Therefore, I changed this page to remove those “”, thinking that if you had a problem, others may also have one.
Robon 31 Jul 2007 at 8:56 pm
Josh: I’m a little confused when you say that you added a password for “root” through the phpmyadmin interface. My guide only has you adding a password for pma through phpMyAdmin, and uses the builtin XAMPP security script for adding the password for root. In fact, if you are using “cookie” based authentification, you don’t need to add the password for ‘root’ to config.inc.php. Only the password for ‘pma’ needs to go in there, in the place that I indicated. What I have written on this page works for me (mysql is shown as activated). If the control panel is not showing mysql as activated, how can you be sure it is? One good way to get clues as to what is going on is to start mysql in a command window using c:\xampp\mysql_start.bat. If it doesn’t start correctly, you’ll get some error messages containing the clues.
Robon 31 Jul 2007 at 9:14 pm
I discovered that after adding the pma password that MySQL can’t be shut down using the XAMPP control panel anymore. The c:\xampp\mysql_stop.bat command must be used to stop MySQL instead. Your pma password also needs to be added to mysql_stop.bat. I added this information to the article.
Jeffon 23 Aug 2007 at 8:02 am
This is great! Keep it coming. I am migrating from Apache 1.3 to Apache 2.2.
My concern with XAMPP is security. Still debating on using it or installing Apache, PHP, etc. individually.
With that said, I have installed XAMPP and have followed all of your instructions. Just waiting for the remaining articles.
Is there a good, safe on-line service that can check your system for holes and recommend fixes? I have used ‘Shields Up!’ and the like, but is there something more specific to detecting WAMP security flaws?
Robon 24 Aug 2007 at 8:35 pm
Jeff: Glad you are finding it useful. I’ve been having some trouble getting some free time lately to finish the articles, but it will happen. As for your question about an online service for checking for security holes - I have never looked into one, but it sounds like a good idea. Sorry that I can’t give you any direction on that one. If you do find something out about that, please let me know.
jaredon 17 Sep 2007 at 1:47 pm
I had stumbled upon the lack of a pw for pma user by myself and did some searching on making things secure and found this site. I was also concerned about the security of folders and about who can access certain features. So, I did the changes to the .conf file as shown but I do not get asked for a user or pw when trying to access the phpadmin or security or webalizer folders from a browser. I do however get an “access denied” page. Is there something I am missing?
I kept a back-up of the httpd-xampp.conf file in case something went wrong.
Kyleon 16 Nov 2007 at 2:38 pm
Seems like you missed a step on the folder security. In order to use the same user and password for the XAMPP folder, you also need to copy the .htaccess file from that folder to the new folder that you want to secure (such as webalizer.)
Thanks for the great guide on securing xampp. This is just what I was looking for!
Kyleon 16 Nov 2007 at 2:58 pm
One other thing… if you kept the xampp pages under htdocs like I did, your status page will show that mysql is deactivated after you change the pma password. You can edit xampp/htdocs/xampp/mysql.php to correct this.
Don’t know why that’s important, but I get all warm and fuzzy looking at status pages.