Security checklist for Xampp

Posted by

Introduction to XAMPP

A free and open-source cross-platform web server is called XAMPP. Cross-Platform, Apache, MySQL, PHP, and Perl can be shortened to XAMPP. A well-liked cross-platform web server called XAMPP enables programmers to create and test code locally on a web server. The native source code was generated by Apache Friends and is available for public revision or modification. Among other computer languages, it has interpreters for PHP and Perl in addition to MariaDB and the Apache HTTP Server. A developer may quickly and easily install a WAMP or LAMP stack on an operating system thanks to XAMPP’s deployment simplicity. An further bonus is that popular add-in software like WordPress and Joomla can also be installed.

Need for a XAMPP

  • In essence, XAMPP is a local host or server.
  • Regardless of whether it’s a desktop or a laptop, your personal computer powers this local server.
  • Prior to being published to a remote web server, it is used to test clients or websites.
  • The XAMPP server software offers an appropriate environment for testing Perl, PHP, Apache, and MySQL projects on a local computer. Moving from a local test server to a live server is simple because most real-world web server deployments employ the same components as XAMPP.

Components of XAMPP

Cross-Platform: Distinct operating systems are installed on several local systems with unique configurations. The purpose of adding the cross-platform component to this Apache distribution package is to increase its capability and reach. It is compatible with many other systems, such as MAC OS, Linux, and Windows packages.

Apache: A cross-platform HTTP web server is called Apache. Web content is transported around the globe via it. HTTP servers will provide clients with files, images, or documents when they make a browser request for them.

MariaDB Database: MySQL DBMS was formerly included with XAMPP, but MariaDB has since replaced it. One of the most popular relational database management systems is MySQL. Through the internet, it offers services for managing, deleting, retrieving, manipulating, and storing data.

PHP: Hypertext Preprocessor is the full name for PHP. The most popular backend programming language for web development is PHP. PHP can be used by users to create dynamic programmes and webpages. It is compatible with many database management systems and can be set up on any kind of platform. C was the programming language used to write it.

Perl: The term “generic” programming language is frequently used to describe Perl. This Perl language can be interpreted and is dynamic. Among its many uses is web development, system administration, and GUI creation. Perl supports markup languages such as HTML and XML.

phpMyAdmin: It is a database administration tool for MariaDB.

OpenSSL: An open-source implementation of the TLP with SSL is called OpenSSL.

XAMPP Control Panel: Other XAMPP components are operated and regulated with the help of this panel.

Webalizer: It is a web analytics software solution that keeps track of user logs and reports on usage.

Mercury: It is a mail server that helps with email administration over the internet.

Tomcat: It is a servlet with Java capability that runs on the Java platform.

Filezilla: It is an FTP server, or File Transfer Protocol Server, which helps and supports file transfer operations.

Top security checklist for Xampp

You may also want to peruse the Apache module repository for further tweaking of user access rights.To safeguard your local development environment and the projects you’re working on, it’s critical to secure your XAMPP server. A security check list for your XAMPP server is provided here:

1. Keep XAMPP up to date

Download the latest version of XAMPP from the XAMPP website.

2.Changing the MySQL Password:

XAMPP uses MySQL as its database management system. The root user doesn’t have a password by default. You can use the MySQL command-line utility to set a password.

Example Code:

Locate the directory where XAMPP is installed by opening a command prompt or terminal.

Use this command to open the MySQL shell:

A password prompt might appear. Simply hit Enter if no password is required.

Use this command (replace new_password with your prefered password) to modify the root password:

After changing the password, you can exit the MySQL shell:

Restart MySQL to apply the changes:

Changing the phpMyAdmin Password:

The “root” user in phpMyAdmin does not have a password by default. You must make changes to the phpMyAdmin configuration file in order to specify a password.

Example Code:

Edit the phpMyAdmin file with an open text editor. Usually, you can find this file in the phpmyadmin directory of your XAMPP installation.

Look for the line that says “”:

Replace the empty string with your desired password:

Save the changes to the file.

After saving, restart the Apache server in XAMPP for the configuration to take effect.

Once you’ve done this, you’ll need to enter the new password when accessing phpMyAdmin.

3. Limit Access:

By limiting access to your XAMPP server, you can enhance security and prevent unauthorized access. You can restrict access to only trusted IP addresses, effectively locking down your local development environment.

Example Code:

  • Open the Apache configuration file, which is often found in the XAMPP installation’s apache directory under the httpd-xampp.conf file. It can be opened with a code editor or a text editor like Notepad.
  • In the configuration file, look for the <Directory “C:/xampp/phpMyAdmin”> section. This component manages phpMyAdmin access. If necessary, you can make similar adjustments to other directories.
  • Add the following lines within the <Directory> block to restrict access to a specific IP address (replace your_ip_address with the actual IP address you want to allow access):

Only IP addresses listed here will be able to access phpMyAdmin thanks to this code. Moreover, CIDR notation (e.g., can be used to define an IP address range.

  • Save the configuration file.
  • To restrict access to other directories, look for <Directory> blocks in the httpd-xampp.conf file that correspond to the directories you want to secure. Add the same <RequireAll> block as shown in step 3.
  • Restart Apache to apply the changes:

Your local development environment will now be more secure because your XAMPP server can only be accessed from the IP address or range that you have defined. Be remember to modify the setup as necessary to suit your unique use case.

4. Enable Firewall:

One essential security precaution for your XAMPP server is to enable a firewall. It assists with managing both inbound and outbound network traffic, restricting access to your server, and making sure that only designated ports are left accessible. This is an example of how to set up a firewall using code.

Example Code (for Linux systems with UFW – Uncomplicated Firewall):

This example makes use of UFW, a user-friendly Linux interface for iptables management. You have the ability to manage which IP addresses and ports are open on your server.

Install UFW (if not already installed):

Enable UFW:

Allow Necessary Ports: You should allow the ports you need for your local development, such as HTTP (port 80) and HTTPS (port 443).

Limit Access: To restrict access to only your local machine (assuming your local IP is, you can allow incoming connections from that IP address:

Deny Other Traffic: By default, UFW denies incoming traffic that doesn’t match any of the allow rules. To explicitly deny specific ports or IP ranges, you can use the deny rule:

Check UFW Status:

This command shows the current rules and their statuses.

Restart UFW (if needed):

Your XAMPP server’s security is now improved because your firewall is activated and you’ve restricted access to particular ports and IP addresses. Make sure the firewall rules are tailored to your unique development requirements.

6. Secure XAMPP Control Panel:

It is essential to secure the XAMPP Control Panel in order to stop unwanted users from accessing your local development environment. You can improve the general security of your XAMPP server by creating a strong password and turning off the control panel when not in use.

Example Code:

To secure the XAMPP Control Panel, you can set a strong password. Alternatively, if the control panel is superfluous for your work, you can disable it.

Setting a Password:

  • Open the XAMPP Control Panel.
  • Click on the “Config” button for Apache (httpd.conf).
  • This will open the Apache configuration file in a text editor.
  • Find the following lines in the configuration file:
  • Comment out the Allow from all lines by adding a # at the beginning of each line.
  • Add the following lines to set a password (replace "your_password" with your desired password):
  • Save the file and exit the text editor.
  • Open a terminal and run the following command to create a user and password:
  • You will be prompted to set a password for the specified user.
  • Restart Apache to apply the changes:

Disabling the Control Panel (if not needed):

  • If you don’t need the XAMPP Control Panel, you can disable it by renaming the control panel executable file:

This prevents the control panel from starting when you launch XAMPP.

7. Secure MySQL:

Because MySQL is known to have possible vulnerabilities and holds your database, it is imperative that you secure MySQL in XAMPP. You may strengthen MySQL’s security in your XAMPP setup by doing the following steps.

Example Code:

Change the Root Password:

  • Open a command prompt or terminal.
  • Navigate to the XAMPP installation directory.
  • Access the MySQL shell using the following command:
  • You may be prompted for a password. If there’s no password, just press Enter.
  • To change the root password, use this command (replace new_password with your desired password):

After changing the password, exit the MySQL shell:

Restart MySQL to apply the changes:

Create Separate User Accounts:

  • Instead of using the root account for all your databases, create separate MySQL user accounts with limited privileges for your databases.
  • To create a new MySQL user, use the following SQL command (replace new_user and user_password with your desired username and password):

Grant specific privileges to the user for your databases. For example, to grant all privileges on a database named your_database:

After creating the user and granting privileges, don’t forget to execute the FLUSH PRIVILEGES; command to apply the changes.

8. Restrict Remote Access to MySQL:

Remote access may be enabled by default by MySQL in XAMPP, which presents a security concern in a local development environment. MySQL can only be accessible from localhost when remote access is restricted, which improves the security of your XAMPP server.

Example Code:

  1. Description: To restrict remote access to MySQL, you need to modify the MySQL configuration file to bind MySQL to the localhost IP address (
  2. Open the MySQL Configuration File:
    • Locate the my.ini file in the xampp/mysql/bin directory.
    • Open the my.ini file in a text editor.
  3. Locate the bind-address Setting:
    • Search for the bind-address setting within the my.ini file.
    • By default, it may be set to, allowing remote connections.
  4. Change the bind-address Setting:
    • Change the bind-address setting to bind MySQL to localhost by setting it to
    • Modify the line to look like this:
  1. Save the my.ini File:
    • Save your changes to the my.ini file and close the text editor.
  2. Restart MySQL:
    • Restart the MySQL server to apply the changes:

As a result, your local development environment is now more secure overall because remote access to your MySQL server in XAMPP is now restricted to localhost only. This guarantees that your MySQL server cannot be accessed by outside parties.

8. Change Default phpMyAdmin URL

As a security precaution, the default phpMyAdmin URL should be changed to avoid automated assaults that aim to compromise it. You can increase the difficulty of potential attackers accessing your phpMyAdmin login page by customising the URL.

Example Code:

  1. To change the default phpMyAdmin URL, you’ll need to modify the Apache configuration file.
  2. Open the Apache Configuration File:
    • Navigate to your XAMPP installation directory.
    • Open the Apache configuration file, which is usually named httpd.conf or httpd-xampp.conf.
    • You can use a text editor to open the file.
  3. Find the Alias for phpMyAdmin:
    • Within the configuration file, look for the section that includes an Alias for phpMyAdmin.
    • It should look similar to this:

Change the Alias Path and URL:

  • Change the /phpmyadmin part to your desired URL, such as /mysecretadmin.
  • Also, make sure to change the path to the correct location of your phpMyAdmin directory.
  • For example:
  1. Save and Close the Configuration File.
  2. Restart Apache:
    • Restart the Apache server to apply the changes:

You can now visit your phpMyAdmin login page at the custom URL you provided, such as http://localhost/mysecretadmin. By making it more difficult for potential attackers to find your phpMyAdmin login page, changing the default URL enhances the security of your XAMPP setup.

9. Enable SSL for phpMyAdmin:

A security best practise for phpMyAdmin is to enable SSL (Secure Sockets Layer), particularly if you’re working with sensitive data. SSL secures data transmission by encrypting information as it moves between your browser and the server. This is how to set up SSL on XAMPP for phpMyAdmin.

Example Code:

You must set up the Apache web server to utilise a self-signed SSL certificate in order to enable SSL for phpMyAdmin. The procedures for a local development environment utilising a self-signed certificate are shown in this example.

10. Enable SSL for phpMyAdmin:

By turning on Secure Sockets Layer (SSL) for phpMyAdmin, you can further encrypt the data that is sent between your browser and the server. When handling sensitive data in your XAMPP environment, this is extremely crucial. phpMyAdmin can be enabled using the steps below.


This example shows how to use a self-signed certificate for a local development environment to enable SSL for phpMyAdmin. It is recommended to utilise a trusted SSL certificate from a Certificate Authority (CA) in production environments.

Generate a Self-Signed SSL Certificate:

  • Open a command prompt or terminal.
  • Navigate to your XAMPP installation directory.
  • Generate a self-signed SSL certificate using the following command:
  • You can adjust the paths to match your XAMPP installation location.
  • Follow the prompts to enter the required certificate information.

Edit the Apache Configuration File:

  • Navigate to the C:\xampp\apache\conf\extra directory (adjust the path based on your XAMPP installation).
  • Open the httpd-xampp.conf file in a text editor.

Ensure the paths in SSLCertificateFile and SSLCertificateKeyFile match the locations where you generated the SSL certificate.

  • Save and Close the httpd-xampp.conf File.
  • Restart Apache:
    • Restart the Apache server to apply the changes:

Access phpMyAdmin with SSL:

  • Open a web browser and access phpMyAdmin using https://localhost/phpmyadmin.
  • You may encounter a browser warning about the self-signed certificate; you can proceed to the page. The connection is now secure using SSL.

11. File Permissions:

Properly configuring file permissions is crucial for security in your XAMPP environment. Incorrect file permissions can lead to vulnerabilities and unauthorized access. Below, I’ll explain the basic concepts and provide example code to set file permissions.

  1. In a typical XAMPP setup, you have directories for your web applications (e.g., htdocs) and the XAMPP installation itself. Here’s how to set secure file permissions for these directories:
  2. For Web Application Directories:
    • Web application files and directories should typically have the following permissions:
      • Folders: 755 (rwxr-xr-x)
      • Files: 644 (rw-r–r–)
    • To apply these permissions, you can use the chmod command in your terminal or command prompt. For example:
  • The -R flag makes the command recursive, changing permissions for all files and subdirectories.
  1. For XAMPP Installation Directory:
    • The XAMPP installation directory, which contains system files, should have more restrictive permissions.
    • You can set the following permissions for system files:
      • Folders: 755 (rwxr-xr-x)
      • Files: 644 (rw-r–r–)
    • Use the chmod command as demonstrated earlier to set these permissions for XAMPP system files and directories.
  2. Secure Configuration Files:
    • Some files, like configuration files, should have even more restrictive permissions. For example, MySQL configuration files may contain sensitive information, and you should limit access:
      • Folders: 700 (rwx——)
      • Files: 600 (rw——-)
    • Apply these permissions to your sensitive configuration files.

12. Secure Your Web Applications:

Securing your web applications is critical to ensure that they are protected from potential security threats. This involves implementing various security measures and best practices. Below, I’ll provide you with a description and example code for securing your web applications in XAMPP.

  1. Description: Web application security is a multifaceted topic, but here are some key steps and best practices to enhance security in XAMPP:
  2. Sanitize User Input:
    • Always validate and sanitize user input to prevent common security vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
    • Use built-in PHP functions like filter_var and prepared statements in database queries to prevent SQL injection.
    • Example of input validation:

Secure File Uploads:

  • If your application allows file uploads, ensure that uploaded files are stored in a secure directory and that they cannot be executed.
  • Use PHP’s move_uploaded_file function to store uploaded files in a non-public directory.
  • Example code for handling file uploads:

Implement Access Control:

  • Use access control mechanisms to ensure that users can only access resources they are authorized to.
  • You can use PHP session management and role-based access control (RBAC) to define and enforce user roles and permissions.
  • Example code for checking user roles:

Protect Against Cross-Site Scripting (XSS):

  • Use output encoding to prevent XSS attacks. Tools like the htmlspecialchars function can help you escape user-generated content.
  • Example code to protect against XSS:

Regularly Update and Patch:

  • Keep your XAMPP components, web application frameworks, and libraries up to date to patch known vulnerabilities.
  • Periodically review and update your application’s code to address security issues.
  1. Secure Session Management:
    • Ensure that session data is secure by using secure cookies and properly configuring session management settings in PHP.
    • For example, set session.cookie_secure to true in your PHP configuration to ensure sessions are only transmitted over HTTPS.
  2. Protect Against SQL Injection:
    • Always use prepared statements or parameterized queries when interacting with your database to prevent SQL injection attacks.
    • Example of a prepared statement in PHP:

Secure Error Handling:

  • Avoid exposing detailed error messages to users in production. Customize error messages and log errors internally to prevent revealing sensitive information.
  • Example code for custom error handling:

13. Use HTTPS:

In your XAMPP system, you must enable HTTPS (Hypertext Transfer Protocol Secure) in order to secure data transferred between the web server and the client. This sample will show you how to set up HTTPS in a local development environment with a self-signed certificate.

  1. In a local development environment, you can configure HTTPS using a self-signed certificate. However, for production environments, obtaining a trusted SSL certificate from a Certificate Authority (CA) is recommended.
  2. Generate a Self-Signed SSL Certificate:
    • Open a command prompt or terminal.
    • Navigate to the xampp/apache directory in your XAMPP installation.
    • Use the following command to generate a self-signed SSL certificate:
  • Follow the prompts to enter the required certificate information.
  1. Edit the Apache Configuration File:
    • Navigate to the xampp/apache/conf directory.
    • Open the httpd.conf file in a text editor.
  2. Enable SSL Module:
    • Find and ensure that the SSL module is enabled in the httpd.conf file. Remove the # at the beginning of the line if it exists:

Configure SSL for the Default Virtual Host:

  • Scroll down in the httpd.conf file to the section where the default SSL virtual host is defined.
  • Add or modify the following lines to specify the location of your SSL certificate and key files:
  • Ensure the paths in SSLCertificateFile and SSLCertificateKeyFile match the locations where you generated the SSL certificate.
  1. Save the httpd.conf File.
  2. Restart Apache:
    • Restart the Apache server to apply the changes:

Use HTTPS to Access Your Applications:

  • Launch a web browser and go to https://localhost to access your apps.
  • You can continue visiting the page even if your browser issues a warning regarding the self-signed certificate. With HTTPS, the connection is now safe.

14. Session Management:

In XAMPP, session management done right is essential to web application security. Sessions are necessary for authentication and user-specific interactions, and they aid in the preservation of user data over several requests. Here’s an example of using code to improve security in your XAMPP installation using session management:

Example Code:

  1. In PHP, session management involves creating, initializing, and securing sessions for user interaction on your web applications.
  2. Session Start:
    • At the beginning of each PHP script, start the session using the session_start() function:

Session Initialization:

  • Store user data in the session after authentication. For example, after a user logs in, store their user ID:

Session Timeout:

  • Set a session timeout to automatically log out users after a period of inactivity. Configure it in your php.ini file:
session.gc_maxlifetime = 1440 // 24 minutes

Secure Your Sessions:

  • Secure your sessions by using the session_regenerate_id() function to prevent session fixation attacks. Call this function after the user logs in:

Destroy Session on Logout:

  • When a user logs out, destroy their session to prevent unauthorized access:

Session Fixation Prevention:

  • Generate a new session ID after successful login to prevent session fixation:

Use Secure Cookies:

  • Set cookies as secure by setting the session.cookie_secure parameter to true in your php.ini:

Enforce Same-Site Cookies:

  • Configure cookies to be “SameSite” to mitigate cross-site request forgery (CSRF) attacks. Set it in your php.ini:

Encrypt Session Data:

  • If you need to store sensitive data in sessions, encrypt the data before saving it:

15. Content Security Policy (CSP):

A security feature called Content Security Policy (CSP) limits the sources from which resources can be loaded into your web application, thereby assisting in the prevention of cross-site scripting (XSS) assaults. Using CSP in XAMPP is a useful security precaution. Here’s an example of configuring CSP using code to boost security in your setting.


  1. CSP headers define the sources from which content can be loaded, such as scripts, styles, and images, and restrict inline code execution. These headers help protect against various types of attacks, especially XSS.
  2. Configure CSP Header:
    • Open your web application’s .htaccess file or your site’s configuration file (e.g., httpd.conf).
    • Add the following code to configure a CSP header:
  • In the above code:
    • default-src 'self' specifies that content should be loaded from the same origin.
    • script-src 'self' allows scripts from the same origin and a trusted CDN.
    • style-src 'self' allows styles from the same origin and a trusted CDN.
    • img-src 'self' data: allows images from the same origin, inline data, and a trusted CDN.

Report-Only Mode:

  • You can start with a report-only mode to observe potential issues without enforcing the policy. Use the Content-Security-Policy-Report-Only header:
  1. Testing and Debugging:
    • During development, use browser developer tools to check the browser console for CSP violation reports. Adjust the policy as needed based on the reports.
  2. Enforce CSP:
    • Once you’re confident that your CSP policy is correctly configured and is not causing issues, switch from report-only mode to full enforcement:

16. Error Handling:

In your XAMPP setup, error handling must be done correctly for security. It assists in safeguarding your online apps by preventing the disclosure of private data and offering suitable solutions for various fault kinds. Here’s an example of using code to add error handling to your XAMPP setup to increase security.


  1. Error handling in PHP can be done using various methods, including custom error handling, logging, and displaying user-friendly error messages.
  2. Custom Error Handling:
    • Create a custom error handler in your PHP code by defining a function that will handle errors and exceptions. For example:

Logging Errors:

  • You can log errors to a file for later analysis. For example:
  • This code logs errors to a file named “error.log” in the same directory.

Displaying User-Friendly Error Messages:

  • Display user-friendly error messages to visitors by catching exceptions and displaying a relevant message. For example:

Configure PHP Error Reporting:

  • Adjust PHP’s error reporting level in your PHP configuration (php.ini) to control which types of errors are displayed or logged. For example, you can set:
  • This configuration will show all errors except notices and warnings.

Avoid Displaying Detailed Errors in Production:

  • In production environments, disable detailed error messages. Set display_errors to Off in your PHP configuration:

Use HTTP Status Codes:

  • Return appropriate HTTP status codes (e.g., 404 for not found, 500 for internal server errors) to indicate the nature of the error to clients.

17. Secure Configuration Files:

API keys and other sensitive data, such as database credentials, are frequently included in configuration files. Preserving the security of your XAMPP setup requires that you secure these files. Here’s an illustration of how to strengthen security by using code and a description to safeguard configuration files.

Example Code:

  1. In this example, we’ll discuss securing configuration files by moving them outside the web root and using appropriate file permissions. We’ll consider a configuration file named config.php.
  2. Move Configuration Files:
    • Create a directory outside your web root (e.g., /config/) to store configuration files.
    • Move your config.php file to this directory. This ensures that the configuration file is not directly accessible via a web request.
  3. Example Directory Structure:
    • Your directory structure may look like this:

Set Appropriate File Permissions:

  • Configure file permissions to restrict access to the configuration file. For instance, you can set the permissions to allow read and write access only to the owner (you), making it inaccessible to others.
  • You can set these permissions using the chmod command in your terminal or command prompt. For example:

The 600 permission means that the owner can read and write, but others have no permissions.

Access Configuration Data:

  • In your application, include the configuration file using its absolute path:

Protect Database Credentials:

  • In your config.php file, store sensitive data like database credentials securely. For instance:

Accessing Configuration Data:

  • Access configuration data as needed in your application, such as when connecting to the database:
Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
5 months ago

Spot on with this write-up, I honestly feel this web site needs far more attention. I’ll probably be back again to read more, thanks for the info!

Would love your thoughts, please comment.x