XAMPP is a great development environment for PHP-based apps. But it's not well suited for a production server. Here's why.


This guide explains some of the security reasons why you should never use XAMPP on your production server to host or deploy PHP-based applications.

Why use XAMPP for development?

XAMPP is one of the most widely used LAMP stacks for developing PHP-based applications. It consists of an Apache server, a MariaDB database and various scripts associated with PHP and Perl.

Because it's cross-platform, open-source, and easy to set up, it's one of the best tools for beginners starting out in PHP-based web app development.

Why you shouldn't use XAMPP for production

However, XAMPP is not recommended for use on a production server for the following security reasons.

1. No password for the database administrator

A password is crucial when you run a dynamic website backed by a database. On XAMPP, no password is set for the database administrator account by default, which can lead to a number of security problems.

  • Hackers can access your entire database and change anything at will, because the root user has read, write and execute permissions on everything.

  • Anyone with access to your database can view and copy all of your sensitive user and company information, including copying the entire database.

  • Most systems these days rely on databases. In the event that the database is deleted or becomes inaccessible, your system will essentially shut down.

2. MySQL can be accessed over a network

XAMPP uses MySQL or MariaDB as its database service. Unfortunately, the MySQL daemon is easily accessible over the network by default, which is very convenient when you are developing websites on a local PC, but not ideal for production.

Even if you use a firewall to restrict access, your database may still not be completely protected.


3. ProFTPD uses a known password

ProFTPD is the standard File Transfer Protocol (FTP) client used by XAMPP. It is widely known that its default password is set to "lampp". This means that anyone who knows it can easily access any of your static HTML files or web pages.

Hackers can copy your static web pages to create a fake website similar to yours and try to extort valuable information from your users. Hackers can also inject malicious code into the spoofed or duplicated site, infecting network computers in the process.

4. The local mail server is not secure

On Windows, XAMPP uses Mercury as the standard mail server. Unfortunately, its password is also publicly known, which makes it easier for malicious users to access your e-mail.

By accessing your email, hackers can send malicious code in email, try to extort money from unsuspecting users, or ruin your company's reputation by sending inappropriate emails to customers.

Hardening your XAMPP installation

If you want to make your XAMPP installation more secure, you can run the following command when XAMPP is running on a Linux server:

    sudo /opt/lampp/lampp security

On Windows, you can open the URL https://localhost/security to fix some of the security issues. Note that the security holes associated with FileZilla and Mercury will not be fixed even after you apply the above configurations.
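As an added example (not from the original article), the following POSIX shell script audits two of the weaknesses described above on a Linux XAMPP install, so you can confirm that the `lampp security` run actually took effect: the network exposure of the database from section 2 and the empty root password from section 1. The paths /opt/lampp/etc/my.cnf and /opt/lampp/bin/mysql are assumed XAMPP defaults, the function names are invented for this example, and the configuration snippets it is exercised with are constructed, not copied from any real install.

```sh
#!/bin/sh
# Added example, not part of the original article: audit a Linux XAMPP install
# for two of the weaknesses described above. Paths are XAMPP defaults (assumed);
# override them with the XAMPP_MYCNF / XAMPP_MYSQL environment variables.
XAMPP_MYCNF="${XAMPP_MYCNF:-/opt/lampp/etc/my.cnf}"
XAMPP_MYSQL="${XAMPP_MYSQL:-/opt/lampp/bin/mysql}"

# Section 2: is the database reachable over the network?
# Reads a my.cnf (path argument, or stdin when no argument is given) and prints
# "local" if the [mysqld] section has skip-networking or binds only to a
# loopback address, otherwise "exposed". An absent bind-address means the
# server listens on every interface.
mysql_network_policy() {
    awk '
        /^[ \t]*\[/ { section = $0; next }          # remember the current [section]
        section ~ /^[ \t]*\[mysqld\]/ {
            line = $0
            sub(/[#;].*$/, "", line)                 # strip trailing comments
            gsub(/[ \t\r]/, "", line)                # drop whitespace and CR
            if (line == "skip-networking" || line == "skip_networking") skip = 1
            if (line ~ /^bind[-_]address=/) {
                sub(/^bind[-_]address=/, "", line)
                bind = line
            }
        }
        END {
            if (skip) { print "local"; exit }
            if (bind == "127.0.0.1" || bind == "::1" || bind == "localhost") {
                print "local"; exit
            }
            print "exposed"
        }
    ' "${1:-/dev/stdin}"
}

# Section 1: does root still log in with an empty password?
# Returns 0 when the local root account accepts an empty password (the XAMPP
# default), 1 when the login is rejected, 2 when the client binary is missing.
root_accepts_empty_password() {
    [ -x "$XAMPP_MYSQL" ] || return 2
    "$XAMPP_MYSQL" -u root --password= -e 'SELECT 1' </dev/null >/dev/null 2>&1
}

# Run both checks against the live install and print a short report.
# Exit status 1 means at least one default is still in place.
audit_xampp() {
    status=0
    if [ -r "$XAMPP_MYCNF" ]; then
        policy=$(mysql_network_policy "$XAMPP_MYCNF")
        echo "MySQL network policy ($XAMPP_MYCNF): $policy"
        [ "$policy" = "local" ] || status=1
    else
        echo "my.cnf not found at $XAMPP_MYCNF"
    fi
    root_accepts_empty_password && rc=0 || rc=$?
    case $rc in
        0) echo "WARNING: MySQL root still accepts an empty password"; status=1 ;;
        1) echo "MySQL root rejects the empty password" ;;
        *) echo "mysql client not found at $XAMPP_MYSQL; password check skipped" ;;
    esac
    return $status
}

# Only touch the live install when invoked as: sh xampp_audit.sh run
if [ "${1:-}" = "run" ]; then
    audit_xampp
fi
```

Binding MariaDB to 127.0.0.1 (or enabling skip-networking) removes the network listener altogether, which is a stronger position than filtering it with a firewall, and is the point the section above makes. The `lampp security` script sets passwords but, as noted above, leaves the FTP and mail defaults alone, so this audit complements it rather than replacing it.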


XAMPP alternatives to try

XAMPP is a great tool for setting up a PHP development environment whether you are using Windows, macOS, or Linux. However, it is not secure enough to be used on a production server.

Most administrators use a native LAMP stack on Linux or IIS on Windows production servers, which is a more secure way to deploy PHP applications. If you are developing on Windows, you should create a WAMP development environment with WampServer.


About the author

Mwiza Kumwenda

Mwiza is a professional developer of software and writes extensively on Linux and front-end programming. His interests include history, economics, politics, and corporate architecture.
