Many people are recommend not using XAMPP for a server production. In fact, using XAMPP as an environment in the production phase makes website development very easy. But XAMPP is not the right choice for this phase. But, XAMPP is not the right choice for this phase.
In the web development life cycle, if you are developing a website, you may already be familiar with the production phase which is the stage where the website that has been created is then published to the public so that everyone can access it.
To manage all the data and assets of a website, XAMPP is one of several web server/environment options that can be used. XAMPP is indeed great as an environment during the development phase.
However, once you enter the production phase, it is advisable not to use XAMPP as the web server. Why is that? Here are some reasons why you should not use the XAMPP web server application.
Table of Contents
Some Reasons Not to Use XAMPP for a Server Production
Based on recommendations from the best website development services, it is advisable not to use XAMPP as a server production for security reasons.
Especially with the increasing cases where certain documents on a website can be accessed publicly using Google Dork techniques with specific queries.
Here are some reasons why you should not use XAMPP as a server production for your website.
1. No Password for MySQL Administrator
The first reason not to use XAMPP for a server production is the absence of a default password for the MySQL Administrator.
XAMPP uses MySQL as its database. During the initial MySQL configuration, the default MySQL username and password are ‘root’ and no password. An example of this can be seen below when configuring MySQL for WordPress.
You can also check through the User accounts tab in MySQL. There, you will see that the ‘root’ username does not have a password by default.
As a result, hackers can easily access your entire website database. They do this by searching for websites using Google Dorking methods, then access phpMyAdmin and enter the root username without a password.
After logging in, they can modify the contents of the MySQL database, as the root user has permissions to read, write, and execute.
Anyone who can access your website database can view and copy all user and company information, even confidential ones.
Additionally, most systems today store their data in databases. If that database is deleted or cannot be accessed, your web system is down.
2. Local Mail Server is Not Secure
Another reason why not to use XAMPP for a server production is still related to the issue of hacking vulnerabilities in the default Mail Server.
If you use Windows, the local mail server used by XAMPP is Mercury which is very useful for testing sending and receiving emails over the internet.
You can access it through the XAMPP Control Panel in the Mercury Module section. If you wanna view user credentials, open Manage User > there you will find the Admin Mail System Administrator user. If you open it, then by default you will not find Mail password there.
Testing can be done using Thunderbird, which is a free open-source mail client software developed by Mozilla. There, you can create an account with the username Admin without a password as follows.
If this user account is left as default settings, it would be easy to access your site’s email server. So, hackers can access any information in the emails.
3. Exposed XAMPP Directory Listing
By default, XAMPP’s directory listing can be accessed by anyone on the network. This is one of the reasons why you should not use XAMPP for a server production.
Directory Listing refers to the situation where your server displays folders and files of the website on the browser page. These folders and files should not be known to the public.
By opening access to the directory list, people can see the structure of your site or application. This allows them to find important and confidential directories or files.
For example, they could find files containing credentials, such as file config.php
, database.php
, atau credentials.txt
where information such as usernames and passwords are stored.
Therefore, using XAMPP as a environment production requires you to perform manual configuration to ensure that directory listing does not appear in the browser.
4. Error Pages Displaying Confidential Information
In developing an application or website, errors are common. When XAMPP is used in a development environment, displaying error information on the front-end helps developers identify or find the point of error.
Therefore, XAMPP’s default configuration which allows error pages like the ones shown below, speeds up the developer’s work in fixing errors.
However, when you use XAMPP for an environment production, error path information like the one above can become a vulnerability in your website.
By knowing these error paths, hackers can easily map out the website’s architecture. As a result, they can more easily locate files containing sensitive information.
The configuration for displaying error pages in XAMPP is controlled by the display_errors
and expose_php
which are On by default. You can check it in the php.ini file as follows:
Therefore, if you are not careful in closing these vulnerabilities, using XAMPP as a server production will be highly susceptible to security risks for your website.
5. XAMPP Dashboard Page is Easy to Access
Another issue you may encounter when using XAMPP as an environment production is that the XAMPP dashboard is easily accessible to the public by deafult.
The XAMPP dashboard makes it easy to access sensitive information and important pages so that the information can be used to find vulnerabilities in your website.
For example, if someone can access the XAMPP dashboard, then they will also be able to access the PHP page where where your server information details are there as shown in the following image:
Through the XAMPP dashboard, MySQL pages can also be accessed. Moreover, if the MySQL login page is not protected, it is certainly easy to access.
6. Server Specifications Accessible to the Public
Another vulnerability of using XAMPP as a server production is the exposure of server specifications that can be accessed publicly. An example is shown below:
To view server specifications, someone can simply perform Inspect Element > open Network > select one of the files > check the Server section. There, information on the server specifications used can be easily found.
Apart from that, on the error page, server specification information also appears as shown in the image below. This information can be misused for hacking.
For example, by knowing the version of Apache being used, someone could search for vulnerabilities specific to that server version.
Then it would be easier for them to hack by combining this with other vulnerabilities of XAMPP.
7. Some Functions Are Not Secure
XAMPP has the exec
, epassthru
, and shell_exec
functions enabled by default. These functions allow for the execution of programs or scripts embedded in a system.
You can check this in the php.ini
file where in the disable_functions
these three functions are not disabled, which means this is a security vulnerability.
You can also check this by creating .php
file containing the script below and saving it in the htdocs
.
<?php echo "<pre>"; var_dump(function_exists('exec')); var_dump(function_exists('passthru')); var_dump(function_exists('shell_exec')); echo "</pre>";
Next, you can open php
file through a browser. If it shows bool(true)
it means the exec
, epassthru
, and shell_exec
functions are enabled.
If a hacker manages to inject code into your PHP script while those three functions are enabled, they can execute commands on the server.
Alternative Web Servers for Production Other Than XAMPP
If you’re not using XAMPP for a server production, what types of web servers can you use? There are several other web servers, such as Nginx, Docker, WP Engine, and cPanel.
If you have already used XAMPP as a web server, you can migrate to a more secure web server technology. You can do this yourself or collaborate with a web developer like Tonjoo.
Ensuring website security is very important. Therefore, selecting technology for a environment production should not be taken lightly.
Updated on August 29, 2024 by Anisa K. Juniardi