Skip to content

Securing a XAMPP installation (for local, single-PC use) in 2 steps…

…and without setting passwords everywhere.

The XAMPP security page (if you already have XAMPP running, you can access it there: isn’t very helpful when it comes to actually fixing the problems it reports. At best it will point you to a place where to set tons of passwords for everything. But who needs annoying passwords when you can just use network restrictions to achieve the same (but more comfortable) security?

Note that I’ll just deal with the stuff in XAMPP Lite, so Apache and MySQL, not other things that I’ve never used. Also note that I’m dealing with the case where you want to restrict access to yourself only, ie to no other computer than yours, so to localhost ( For the cases where you also want to allow access from some other computers, you’ll probably have to use .htaccess files for Apache (one for every folder: htdocs and phpmyadmin) and a password for MySQL. Note that it’s just a guess, I didn’t actually try that.

Securing Apache

We’ll simply configure Apache to listen only on Open apache/conf/httpd.conf in a plain text editor, find the line Listen 80 and replace it with Listen That’s it 🙂 (don’t forget to restart Apache, though)

Securing MySQL

Same as for Apache, we’ll configure MySQL to listen only on Open mysql/bin/my.ini, find the line #bind-address="" and uncomment it. If the line can’t be found, add it manually into the [mysqld] section.
Note that if you need a more complex set up, like allowing access from specific IPs, you can edit the privileges table using phpMyAdmin (instead of using bind-address).

This post on Apache Friends has been helpful and actually provides some alternative solutions, although skip-networking might be a little hard-core, particularly if you’re on Windows: Apache Friends support forums – XAMPP accessible from local LAN

NB: this is an old draft that for some reason I never published. 7 years and a half later, after a quick read, it seems somewhat finished anyway so I’m publishing it as is (setting its date as the last actual edit’s date), in an effort to finally purge my draft folder ^^

Posted in MySQL, security, web development.

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA