This guide will explore some of the security reasons why you should never use XAMPP on your production server for hosting or deploying PHP-based applications.

Why Use XAMPP for Development?

XAMPP is one of the most widely used LAMP stacks for developing PHP-based applications. It consists of an Apache server, MariaDB database, and various scripts associated with PHP and Perl.

Since it is cross-platform, open-source, and easy to set up, it is one of the best tools for beginners who are starting with PHP-based web app development.

Why You Shouldn't Use XAMPP for Production

However, XAMPP is not recommended for use on a production server because of the following security reasons.

1. No Password for the Database Administrator

A password is crucial if you have a dynamic website backed by a database. On XAMPP, the password for the database administrator (the MySQL root user) is not set by default, which can lead to many security problems.

  • Hackers can gain access to your entire database and modify anything at will, because the root user has read, write, and execute permissions.
  • Anyone with access to your database can view and copy all your confidential user and company information, including the entire database.
  • Most systems nowadays rely on databases. If the database gets deleted or becomes inaccessible, your system will essentially be brought down.

2. MySQL Can Be Accessed Over a Network

XAMPP uses MySQL or MariaDB as the database service. Unfortunately, the MySQL daemon is easily accessible over the network, which is very handy if you are developing websites on a local PC but is not ideal for production.

Even if you use a firewall to limit access, it may not completely secure your database from being accessed.
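The two defaults described in points 1 and 2 can be checked without touching a live server. The following audit script is an added example, not part of XAMPP or of the original article; it assumes a my.cnf-style config text and the rows of a `SELECT User, Host, authentication_string FROM mysql.user` query, both constructed inline here.

```python
"""Audit a MariaDB/MySQL setup for two XAMPP defaults: a passwordless
root account and a daemon reachable over the network (added example)."""
import configparser

# Constructed sample of /opt/lampp/etc/my.cnf: no bind-address, no skip-networking.
SAMPLE_MY_CNF = """
[mysqld]
user=mysql
port=3306
socket=/opt/lampp/var/mysql/mysql.sock
"""

# Constructed rows, as returned by:
#   SELECT User, Host, authentication_string FROM mysql.user;
SAMPLE_USERS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("pma", "localhost", "*CONSTRUCTED_HASH_PLACEHOLDER"),
]

def mysql_network_exposed(my_cnf_text: str) -> bool:
    """True if mysqld would listen on a non-loopback interface."""
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False,
                                    interpolation=None)
    cfg.read_string(my_cnf_text)
    if not cfg.has_section("mysqld"):
        return True  # no [mysqld] section: server falls back to listening on all interfaces
    mysqld = cfg["mysqld"]
    if "skip-networking" in mysqld or "skip_networking" in mysqld:
        return False  # TCP listener disabled entirely
    bind = mysqld.get("bind-address") or mysqld.get("bind_address")
    return bind not in ("127.0.0.1", "::1", "localhost")

def passwordless_accounts(rows) -> list:
    """Return 'user@host' for every account with no password hash set."""
    return [f"{user}@{host}" for user, host, auth in rows if auth == ""]

def audit(my_cnf_text: str, user_rows) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = [f"account {acct} has no password" for acct in passwordless_accounts(user_rows)]
    if mysql_network_exposed(my_cnf_text):
        findings.append("mysqld listens on all interfaces; set bind-address=127.0.0.1 or skip-networking")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MY_CNF, SAMPLE_USERS):
        print("FINDING:", finding)
```

Running it against the constructed inputs reports both root accounts and the network exposure; a hardened my.cnf with `bind-address=127.0.0.1` or `skip-networking` clears the second finding.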


3. ProFTPD Uses a Known Password

ProFTPD is the default FTP (File Transfer Protocol) client used by XAMPP. It is well known that its default password is set to "lampp". This means that users can easily gain access to all your static HTML files or web pages.

Hackers can copy your static web pages to build a fake site that looks like yours and try to extract valuable information from your users. Hackers can also inject malicious code into the fake or duplicate site, infecting network computers in the process.

4. The Local Mail Server Is Not Secure

On Windows, XAMPP uses Mercury as the default mail server. Unfortunately, the password is also well known, which can make it easier for malicious users to gain access to your emails.

With access to your emails, hackers can send malicious code in emails, try to extort funds from unsuspecting users, or ruin the reputation of your company by sending improper emails to the customers.

Hardening Your XAMPP Installation

If you want to make your XAMPP installation more secure, you can run the following command if XAMPP is running on a Linux server:

        sudo /opt/lampp/lampp security

On Windows, you can open the URL https://localhost/security to fix some security issues. Note that even if you make the aforementioned configurations, the security loopholes associated with FileZilla and Mercury will still not be fixed.


XAMPP Alternatives That You Can Try

XAMPP is a great tool for setting up a PHP development environment whether you are using Windows, macOS, or Linux. However, it is not secure enough to be used on a production server.

Most administrators use a native LAMP stack on Linux or IIS on Windows production servers, which offer a more secure way of deploying PHP applications. If you're using Windows, consider creating a WAMP development environment using WampServer.