WAMP stands for "Windows, Apache, MySQL, and PHP". It is a variation of LAMP for Windows systems and is often installed as a software bundle (Apache, MySQL, and PHP). It is often used for web development and internal testing, but may also be used to serve live websites.
In this context, we shall look into how to secure a WAMP server.
Different methods to secure a WAMP server
To secure a WAMP server, apply the tips given below. Note that the WAMP server must be restarted after the configuration is changed.
1. Hide server signature
To prevent attackers from reading the server signature, hide it.
To do that, open the httpd-default.conf file and change the parameters as given below:
Here, we are setting ServerTokens to Prod so that Apache will set the response headers as simply:
2. Directories/files outside the document root must not be served
Ensure that directories and files outside the document root (website) are not served. To do that, open the httpd.conf file and verify that the content of the Directory tags is as below:
Deny from all
Require all denied
Allow from all
The above code assumes the correct document root for your WAMP server is C:/apache2/htdocs/. If your document root is different, change the path in the above code accordingly.
3. To prevent DoS attacks, reduce time out
To reduce exposure to denial-of-service (DoS) attacks, change the Timeout directive within the httpd-default.conf file from the default of 300 to 60. Open the httpd-default.conf file, search for the Timeout directive set to 300, and change its value to 60.
Now, restart the Apache services.
4. Set MySQL password
By default, the MySQL bundled with WAMP servers comes with no password.
Here are the steps to set the password:
i. First, left-click the WAMP icon in the system tray.
ii. Now select MySQL, then MySQL console.
iii. After the console window opens and asks for a password, hit enter.
iv. Now from the command line, enter SET PASSWORD FOR root@localhost=PASSWORD('password'); (password is the new password to be set).
v. Finally, hit enter.
vi. If the password change succeeded, you will see Query OK. Close the MySQL console window and open it again.
vii. Now when you are prompted for a password, enter the password and you must land at the MySQL prompt.
5. Change folder permissions in your website
Folders should have only Read and Execute permissions; only the few folders that need it should have Write permissions.
In order to check what user runs Apache, open Windows Task Manager, and click the Details tab. In the User name column, you can see the user. Usually, it will be the SYSTEM user.
6. Set phpMyAdmin password
In order to set the password, edit the phpMyAdmin config file.
Open the file C:\wamp\apps\phpmyadmin220.127.116.11\config.inc.php.
Replace these four lines:
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
with these lines given below:
$cfg['Servers'][$i]['auth_type'] = 'http';
$cfg['Servers'][$i]['user'] = '';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['LogoutURL'] = 'http://localhost/';
Here we've changed 'auth_type' from 'config' to 'http', which is more secure. Also, we changed 'AllowNoPassword' from true to false. The result will be a login dialog box when you go to phpMyAdmin.
Finally, we added a line to set a 'LogoutURL' so that you land on a new page, i.e. an exit page, after clicking on 'Exit'.
7. MySQL configuration in C:\wamp\bin\mysql\mysql5.1.36\my.ini
Add a bind-address to limit which network address MySQL listens on. You can also change the port it listens on.
port=3306 (can change to any other port)
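The script below is an added example, not part of the original article: it audits copies of httpd-default.conf, config.inc.php and my.ini for the settings from tips 1, 3, 6 and 7. The file contents, the helper names and the set of bind-address values treated as "all interfaces" are assumptions made for the example.

```python
import re

# Constructed sample files in the insecure state the article starts from.
HTTPD = "ServerTokens Full\n#Timeout 60\nTimeout 300\n"
PMA = ("$cfg['Servers'][$i]['auth_type'] = 'config';\n"
       "$cfg['Servers'][$i]['AllowNoPassword'] = true;\n")
MY_INI = "[mysqld]\nport=3306\n"

def last_value(text, pattern):
    """Last uncommented match of pattern (one capture group), else None."""
    hits = re.findall(r"^[ \t]*" + pattern, text, re.M | re.I)
    return hits[-1].strip("'\"") if hits else None

def apache(text, name):
    """Value of an Apache directive such as ServerTokens or Timeout."""
    return last_value(text, re.escape(name) + r"[ \t]+(\S+)")

def pma(text, key):
    """Value assigned to $cfg['Servers'][$i][key] in config.inc.php."""
    pat = r"\$cfg\['Servers'\]\[\$i\]\['" + re.escape(key) + r"'\]\s*=\s*([^;]+?)\s*;"
    return last_value(text, pat)

def ini(text, key):
    """Value of a key=value line in my.ini."""
    return last_value(text, re.escape(key) + r"[ \t]*=[ \t]*(\S+)")

def audit(httpd, pma_conf, my_ini):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if (apache(httpd, "ServerTokens") or "").lower() != "prod":
        findings.append("ServerTokens is not Prod")
    timeout = apache(httpd, "Timeout") or ""
    if not timeout.isdigit() or int(timeout) > 60:
        findings.append("Timeout is not set to 60 or lower")
    if (pma(pma_conf, "auth_type") or "").lower() == "config":
        findings.append("phpMyAdmin auth_type is 'config'")
    if (pma(pma_conf, "AllowNoPassword") or "").lower() == "true":
        findings.append("phpMyAdmin AllowNoPassword is true")
    if ini(my_ini, "bind-address") in (None, "0.0.0.0", "*", "::"):
        findings.append("MySQL bind-address missing or set to all interfaces")
    return findings

if __name__ == "__main__":
    for finding in audit(HTTPD, PMA, MY_INI):
        print("FAIL:", finding)
```

To check a real installation, read the three files from disk and pass their contents to audit(); commented-out lines are ignored, so a disabled directive does not count as set.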
This way, we have secured the WAMP server.