This guide explains some of the security reasons why you should never use XAMPP on your production server to host or deploy PHP-based applications.
Why use XAMPP for development?
XAMPP is one of the most widely used LAMP stacks for developing PHP-based applications. It bundles the Apache web server, the MariaDB database server, and the PHP and Perl interpreters in a single installer.
Because it’s cross-platform, open-source, and easy to set up, it’s one of the best tools for beginners starting out in PHP-based web app development.
Why you shouldn’t use XAMPP for production
However, XAMPP is not recommended for use on a production server for the following security reasons.
1. No password for the database administrator
A password is crucial when you have a dynamic website with a database. XAMPP ships with the MariaDB root account set up with no password at all, which opens the door to a whole chain of problems.
Because the root account holds every privilege on the server, anyone who can connect as root can read, alter or drop any database at will.
Anyone with that access can view and copy all of your sensitive user and company data, including taking a complete dump of the database.
Most systems depend on their database. If it is deleted or becomes inaccessible, the application effectively stops working.
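As an added example (this is not XAMPP's own tooling), the following POSIX shell script checks whether the bundled MariaDB still accepts root with an empty password and builds the SQL that closes the hole: it drops anonymous accounts and every root entry other than root@localhost, sets a root password, removes the test database and flushes privileges. It assumes the Linux XAMPP layout, where the client is /opt/lampp/bin/mysql, and a MariaDB release that understands DROP USER IF EXISTS (10.1.3 or later); the list of stray accounts is read from the server rather than hard-coded, and the escaping helper doubles single quotes so that any password can be placed in the SQL literal safely.

```shell
#!/bin/sh
# Added example: lock down the MariaDB root account that XAMPP ships without a password.
# Assumption: Linux XAMPP layout, client at /opt/lampp/bin/mysql (override with MYSQL=...).
MYSQL="${MYSQL:-/opt/lampp/bin/mysql}"

# Exit 0 if the server accepts root with an empty password (the XAMPP default).
root_is_passwordless() {
    "$MYSQL" --user=root --password='' --batch --skip-column-names \
        --execute='SELECT 1' >/dev/null 2>&1
}

# Double every single quote so the value is safe inside a SQL string literal.
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Accounts that must not survive on a production box: anonymous logins and any
# root entry other than root@localhost. Prints "user<TAB>host" per line.
list_stray_accounts() {
    "$MYSQL" --user=root --password='' --batch --skip-column-names --execute \
        "SELECT User, Host FROM mysql.user WHERE User = '' OR (User = 'root' AND Host <> 'localhost')"
}

# Turn "user<TAB>host" lines (the client's --batch format) into DROP USER statements.
# An anonymous account arrives as an empty first field, which awk keeps intact.
drop_statements() {
    awk -F '\t' -v q="'" '{
        u = $1; h = $2
        gsub(q, q q, u); gsub(q, q q, h)
        printf "DROP USER IF EXISTS %s%s%s@%s%s%s;\n", q, u, q, q, h, q
    }'
}

# Read the stray-account list on stdin and emit the complete lockdown script.
lockdown_sql() {
    pw=$(sql_escape "$1")
    drop_statements
    cat <<EOF
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$pw');
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;
EOF
}

main() {
    case "$1" in
        check)
            if root_is_passwordless; then
                echo "VULNERABLE: root logs in with an empty password"; return 2
            fi
            echo "ok: root requires a password" ;;
        print)
            # Show the SQL that would be run, using a placeholder list of accounts.
            printf '\tlocalhost\nroot\t127.0.0.1\nroot\t::1\n' | lockdown_sql "${2:-change-me}" ;;
        apply)
            [ -n "$2" ] || { echo "usage: $0 apply NEW_PASSWORD" >&2; return 1; }
            root_is_passwordless || { echo "root already has a password; nothing to do" >&2; return 1; }
            list_stray_accounts | lockdown_sql "$2" | "$MYSQL" --user=root --password='' ;;
        *)
            echo "usage: $0 check | print [PASSWORD] | apply NEW_PASSWORD" >&2; return 1 ;;
    esac
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `sh lockdown.sh check` first, then `sh lockdown.sh apply 'the new password'` (the password shows up in the process list and shell history, so generate it on the box rather than typing a reusable one). Note that XAMPP configures phpMyAdmin to log in as root with an empty password, so after this change phpMyAdmin stops working until its config.inc.php is updated; the lampp security script described later adjusts that file for you.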
2. MySQL can be accessed over a network
XAMPP uses MariaDB, a MySQL fork, as its database service (its tooling still says "MySQL"). By default the server also listens on TCP port 3306 on the network. That is convenient when you develop on a local PC, but on a production host it means every machine that can reach the port may try to log in against accounts that, as described above, may have no password at all.
A firewall that restricts access helps, but it is a single control: a misconfigured rule, a second network interface, or a pivot from another compromised machine on the same network still reaches the port. Remove the exposure at the source by binding the server to localhost or by disabling networking entirely so only the Unix socket remains.
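As an added example (not part of XAMPP), the POSIX shell functions below audit the [mysqld] group of a my.cnf: they report whether MariaDB will listen on the network, and they write a hardened copy that either adds skip-networking (the same change the lampp security script makes) or pins bind-address to 127.0.0.1 for applications that insist on TCP. The default path /opt/lampp/etc/my.cnf is an assumption taken from the Linux XAMPP layout, and only the [mysqld] group is examined.

```shell
#!/bin/sh
# Added example: find and fix network exposure of XAMPP's MariaDB in my.cnf.
# Assumption: Linux XAMPP layout, config at /opt/lampp/etc/my.cnf (override with MYCNF=...).
MYCNF="${MYCNF:-/opt/lampp/etc/my.cnf}"

# Print the uncommented, non-blank lines of the [mysqld] group only.
mysqld_section() {
    awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        in_mysqld && !/^[[:space:]]*(#|;|$)/ { print }
    ' "$1"
}

# Classify exposure of the config file given as $1. Prints one of:
#   socket-only  skip-networking is set, nothing listens on TCP
#   loopback     bound to 127.0.0.1 / ::1 / localhost
#   network      no bind-address (MariaDB then binds every interface) or a routable one
listen_exposure() {
    section=$(mysqld_section "$1")
    case "$section" in
        *skip-networking*|*skip_networking*) echo socket-only; return 0 ;;
    esac
    # Last bind-address wins, as in the server itself; empty means "all interfaces".
    bind=$(printf '%s\n' "$section" | awk -F= '
        /^[[:space:]]*bind[-_]address[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
        END { print v }')
    case "$bind" in
        127.0.0.1|::1|localhost) echo loopback ;;
        *) echo network ;;
    esac
}

# Write a hardened copy of $1 to stdout. Mode $2 is "socket" (default, adds
# skip-networking) or "loopback" (bind-address=127.0.0.1). Existing bind-address
# and skip-networking lines are dropped so the new setting cannot be overridden.
harden_config() {
    mode="${2:-socket}"
    case "$mode" in
        socket)   line="skip-networking" ;;
        loopback) line="bind-address=127.0.0.1" ;;
        *) echo "mode must be socket or loopback" >&2; return 1 ;;
    esac
    awk -v add="$line" '
        /^[[:space:]]*\[mysqld\][[:space:]]*$/ && !done { print; print add; done = 1; next }
        /^[[:space:]]*(bind[-_]address|skip[-_]networking)[[:space:]]*(=|$)/ { next }
        { print }
        END { if (!done) { print "[mysqld]"; print add } }
    ' "$1"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    case "$1" in
        audit)  listen_exposure "${2:-$MYCNF}" ;;
        harden) harden_config "${2:-$MYCNF}" "${3:-socket}" ;;
        *) echo "usage: $0 audit [FILE] | harden [FILE] [socket|loopback]" >&2; exit 1 ;;
    esac
fi
```

Typical use is `sh mycnf-audit.sh audit`, then `sh mycnf-audit.sh harden > my.cnf.new`, diff, move it into place and restart with /opt/lampp/lampp restart. With skip-networking, PHP code that connects to 127.0.0.1 instead of localhost will fail because only the Unix socket is left; use the loopback mode for those applications rather than re-opening the port.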
3. ProFTPD uses a known password
ProFTPD is the File Transfer Protocol (FTP) server bundled with XAMPP for Linux (the Windows package ships FileZilla Server instead). Its default login is no secret: the user daemon with the password lampp, and that account lands in the htdocs web root. Anyone who can reach port 21 can therefore read and overwrite every file the site serves, not just static HTML, and because FTP is unencrypted, even a changed password travels over the wire in clear text.
An attacker can pull down the whole site to build a convincing clone and use it to extract credentials or payment details from your users. Worse, with write access they can inject malicious code into the pages you actually serve, so every visitor's browser runs it, which is a far more reliable way to infect machines than a spoofed copy.
4. The local mail server is not secure
On Windows, XAMPP bundles Mercury as its mail server, and its default administrative password is likewise public knowledge, which makes it easy for a malicious user to take over your mail.
With control of your mail server, an attacker can send malware or extortion messages to unsuspecting users, or damage your company's reputation by sending inappropriate mail to customers from your own domain.
Hardening your XAMPP installation
On Linux, XAMPP ships an interactive script that walks you through the most important fixes. Run it while XAMPP is running:
sudo /opt/lampp/lampp security
It prompts you to password-protect the XAMPP demo pages, set a MariaDB root password (and updates phpMyAdmin to match), disable MariaDB network access, and change the ProFTPD password. Older XAMPP releases for Windows offered an equivalent page at http://localhost/security; newer releases no longer ship it. Neither the script nor the page touches the FileZilla and Mercury defaults, which you must change by hand. And even after these steps you still have a development stack: the demo pages and phpMyAdmin remain in the web root, and there is no update mechanism to keep the bundled Apache, MariaDB and PHP patched short of reinstalling the whole package, so do not mistake a clean run of the security script for production readiness.
XAMPP alternatives to try
XAMPP is a great tool for setting up a PHP development environment whether you are using Windows, macOS, or Linux. However, it is not secure enough to be used on a production server.
Most administrators deploy PHP applications on a native LAMP stack on Linux or on IIS on Windows, where each component is installed, configured and patched through the platform's own tooling. If you develop on Windows, consider building a WAMP development environment with WampServer instead.
WampServer is a straightforward way to set up Apache, MySQL and PHP on Windows for local development.