Securing WampServer.

Ten easy steps to make a WampServer installation more secure.

Step 1 - Create two ordinary domain accounts (one for apache, one for mysql).
This is so we can run two new services under accounts with limited privileges.

Step 2 - Run the installer, such as "WampServer...apache...mysql...php...exe".
It will have different version numbers instead of all those "..."
The installer will create the two new services - "wampapache" and "wampmysqld".

Step 3 - Change the account under which each of these two wamp services runs
to one or the other of the two domain accounts we just created.
(This can be done in services.msc.)

MySQL - must set root password.

Step 4 - start WampServer
(may trigger firewall alerts for the two services: httpd, mysqld)

Step 5 - Start a command line session, log in to MySQL, delete users and set passwords.

Note that you can actually bring up a MySQL console (DOS shell) from the wampserver menu.
Just click on the half-circle icon in the system tray.
c:\wamp\bin\mysql\mysql5.1.36> bin\mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.1.36-community-log MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>

mysql> use mysql
mysql> select user, host, password from user;
+------+-----------+----------+
| user | host      | password |
+------+-----------+----------+
| root | localhost |          |
| root | 127.0.0.1 |          |
+------+-----------+----------+
2 rows in set (0.00 sec)

mysql>


Delete any remote root account:  
DELETE FROM user WHERE user = 'root' AND host = '%';
FLUSH PRIVILEGES;

Delete any anonymous (nameless) account:
DELETE FROM user WHERE user = '';
FLUSH PRIVILEGES;

Set the password for our two local root accounts (PASSWORD() stores it as a hash):
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('youdecide');
FLUSH PRIVILEGES;
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('youdecide');
FLUSH PRIVILEGES;

Check your work:
mysql> use mysql
Database changed
mysql> select user, host, password from user;
+------+-----------+--------------------------------------------+
| user | host      | password                                   |
+------+-----------+--------------------------------------------+
| root | localhost | [incomprehensible alphanumeric expression] |
| root | 127.0.0.1 | [incomprehensible alphanumeric expression] |
+------+-----------+--------------------------------------------+
2 rows in set (0.00 sec)

mysql> quit
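
The "check your work" step can also be done mechanically. The script below is an added example, not part of the original guide: it parses the table printed by the select statement above and flags the three conditions Step 5 removes. The sample table and its hash placeholder are constructed, and flagging root on any non-local host generalizes the page's '%' case.

```python
# Added example: audit "select user, host, password from user;" output.
# SAMPLE is constructed for illustration; the hash value is a placeholder.
SAMPLE = """\
+------+-----------+-------------------------------+
| user | host      | password                      |
+------+-----------+-------------------------------+
| root | localhost | *CONSTRUCTED-PLACEHOLDER-HASH |
| root | 127.0.0.1 |                               |
| root | %         | *CONSTRUCTED-PLACEHOLDER-HASH |
|      | localhost |                               |
+------+-----------+-------------------------------+
"""

# The two local hosts the guide keeps for root.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

def parse_table(text):
    """Turn mysql's ASCII table into a list of dicts keyed by column name."""
    rows = [
        [cell.strip() for cell in line.strip().strip("|").split("|")]
        for line in text.splitlines()
        if line.strip().startswith("|")  # skip the +----+ border lines
    ]
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in data]

def audit_accounts(text):
    """Return (account, problem) pairs for accounts Step 5 should have fixed."""
    findings = []
    for acct in parse_table(text):
        who = "'%s'@'%s'" % (acct["user"], acct["host"])
        if acct["user"] == "":
            findings.append((who, "anonymous account"))
        if acct["user"] == "root" and acct["host"] not in LOCAL_HOSTS:
            findings.append((who, "remote root account"))
        if acct["password"] == "":
            findings.append((who, "empty password"))
    return findings

if __name__ == "__main__":
    for who, problem in audit_accounts(SAMPLE):
        print("%-22s %s" % (who, problem))
```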

Step 6 - stop the wamp server, so we can edit configuration files.

PhpMyAdmin configuration.

Step 7 - edit the PhpMyAdmin config file to require password, etc.

Open this file, so we can edit it:
  c:\wamp\apps\phpmyadmin3.2.0.1\config.inc.php
Replace these four lines:
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;

with these five (we are adding one extra):
$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['user'] = '';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['LogoutURL'] = 'http://localhost/';

What we did:
Changed 'auth_type' from 'config' to 'http' (more secure).
Changed 'AllowNoPassword' from true to false.
The result will be a login dialog box when you go to phpmyadmin.

Finally, we added a line to set a LogoutURL.
Without it, when you "exit" phpmyadmin, you are not really exiting.
You are only deleting the cookie that was created when you logged in.
This will result in being prompted again for your credentials.
Providing them again only recreates the cookie, leaving you
exactly where you were when you clicked 'EXIT' (or 'LOGOUT').

By providing a LogoutURL, you land on a new page, which was
probably what you expected to happen when you clicked 'Exit'.

You can watch the directory "c:\wamp\tmp", when you log in and out
of phpmyadmin, to see how the cookie gets created and then deleted.

The official documentation for this feature is here.

php.ini configuration

Step 8 - php.ini change (only do this if a different port is needed for MySQL)

There are two "php.ini" files in the wamp directory.
Do NOT pick the one in the PHP directory.
The one we need is in the Apache directory: c:\wamp\bin\apache\Apache2.2.11\bin\php.ini
You can change the port to 3307 or 3308, if you want/need to:

mysqli.default_port = 3306

httpd.conf configuration

Step 9 - httpd.conf changes (in c:\wamp\bin\apache\Apache2.2.11\conf\httpd.conf)
Change #1 (of 2) to disregard remote requests
#Listen 80
Listen 127.0.0.1:80

Change #2 (at end, add the two php_flag/php_value lines, for error reporting)
Include "c:/wamp/alias/*"
php_flag  display_errors        on
php_value error_reporting       2047

MySQL configuration

Step 10 - my.ini (in c:\wamp\bin\mysql\mysql5.1.36\my.ini)

We can add a bind-address to limit who MySQL listens to, and
we can change the port it listens at, in 3 places, if needed.
- useful if you have another instance of MySQL using 3306.
[mysqld]
# can change to 3307 or 3308 here, and in two more places
port=3306
bind-address=127.0.0.1
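
The settings from Steps 7, 9 and 10 can be checked in one pass before the services are restarted. The script below is an added example, not part of the original guide: it takes the text of config.inc.php, httpd.conf and my.ini and reports any value that differs from the hardened one described above. Both sample sets are constructed; in practice the three strings would be read from the paths given in the steps.

```python
import re

# Constructed sample contents: HARDENED follows Steps 7, 9 and 10; DEFAULT does not.
HARDENED = {
    "config.inc.php": "$cfg['Servers'][$i]['auth_type'] = 'http';\n"
                      "$cfg['Servers'][$i]['AllowNoPassword'] = false;\n",
    "httpd.conf": "#Listen 80\nListen 127.0.0.1:80\n",
    "my.ini": "[mysqld]\nport=3306\nbind-address=127.0.0.1\n",
}
DEFAULT = {
    "config.inc.php": "$cfg['Servers'][$i]['auth_type'] = 'config';\n"
                      "$cfg['Servers'][$i]['AllowNoPassword'] = true;\n",
    "httpd.conf": "Listen 80\n",
    "my.ini": "[mysqld]\nport=3306\n",
}

def php_setting(text, key):
    """Last uncommented value of $cfg['Servers'][$i][key], lower-cased, or None."""
    pat = r"^\s*\$cfg\['Servers'\]\[\$i\]\['%s'\]\s*=\s*'?([^';]*)'?\s*;" % re.escape(key)
    hits = re.findall(pat, text, re.M)
    return hits[-1].strip().lower() if hits else None

def audit(files):
    """Return a list of settings that differ from the hardened values above."""
    problems = []
    pma = files["config.inc.php"]
    if php_setting(pma, "auth_type") == "config":
        problems.append("phpMyAdmin: auth_type is 'config' (stored credentials, no login)")
    if php_setting(pma, "AllowNoPassword") != "false":
        problems.append("phpMyAdmin: AllowNoPassword is not false")
    # Every active Listen directive must be bound to the loopback address.
    for addr in re.findall(r"^\s*Listen\s+(\S+)", files["httpd.conf"], re.M | re.I):
        if not addr.startswith("127.0.0.1:"):
            problems.append("Apache: 'Listen %s' accepts remote requests" % addr)
    # Option files accept bind-address and bind_address; the last occurrence is used.
    binds = re.findall(r"^\s*bind[-_]address\s*=\s*(\S+)", files["my.ini"], re.M)
    if binds[-1:] != ["127.0.0.1"]:
        problems.append("MySQL: bind-address is not 127.0.0.1")
    return problems

if __name__ == "__main__":
    for name, files in (("hardened", HARDENED), ("default", DEFAULT)):
        print(name, audit(files) or "OK")
```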

That's it, we are done!
You can now start Wampserver and point your browser to localhost.

The home page that comes up under http://localhost is the index.php page in the c:\wamp\www folder.
Any subfolders you create under here for your pages will be listed as "Your Projects" on index.php.

Adding php5 to your php7 WampServer

You can add php5 to this installation by selecting an appropriate php5 "Addon" module to download.
If you do, you will also need a separate Apache "Addon" that is compatible with php5.

You will now have a second set of "php.ini" and "httpd.conf" files you need to edit as described above.

You can then easily switch between the two different apache and php modules
from the wampserver menu in the system tray.

There is very little complexity involved in this arrangement.

You can put your php5 pages in a separate sub-folder under www, so you know which pages are
php5 and which are php7, since all your php pages will differ only by what php version the actual
php code inside those pages is using.

The wampserver sees them all as either php5 or php7, depending on which module you start.


