WampDeveloper is secured and ready for production deployment out-of-the-box.
There are just a couple of things to be aware of…
While MySQL can only be access directly from the local system (it’s bound to 127.0.0.1), it can be accessed indirectly via any phpMyAdmin URL -
The indirect access is currently secured this way:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow'; $cfg['Servers'][$i]['AllowDeny']['rules'] = array( // deny everyone by default 'deny % from all', // allow all users from the local system 'allow % from localhost', 'allow % from 127.0.0.1', 'allow % from ::1', // allow all users from the server IP (commented out) // 'allow % from SERVER_ADDRESS', // allow user root from local system 'allow root from localhost', 'allow root from 127.0.0.1', 'allow root from ::1', // allow user root from local network 'allow root from 10.0.0.0/8', 'allow root from 172.16.0.0/12', 'allow root from 192.168.0.0/16', 'allow root from fe80::/10', // IPv6 Link-local Addresses 'allow root from fc00::/7', // IPv6 Unique Local Addresses // add more usernames and their IP (or IP ranges) here - );
A) The user “root” has *no password set*, but this account is restricted and can *only* be accessed from the local system and the local network (as listed above). *If you do set the password for this account, do so for all root accounts (host: localhost, ::1, 127.0.0.1) and update file WampDeveloper.xml with the new password.
B) All other users are also either restricted to local access only, or just denied access all-together (as above). *To open this up, you have to edit the above file and set the proper permissions in the above code (example: ‘allow user-name-here from 127.0.0.1′).
C) There is sometimes 1 MySQL account called “Any” which does allow anyone that can get to MySQL to see (but not modify) the databases. You can safely delete this account if it exists.
AWStats Website Analytics/Statistics
Website statistics can be accessed by anyone from the local network.
(*substitute your domain name for www.example.com)
AllowAccessFromWebToFollowingIPAddresses="127.0.0.1 10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 192.168.0.0-192.168.255.255"
Each publicy accessable directory that does not contain an index.html or index.php file, will default to displaying an “Index” (auto generated file + directory listing) of that location. To remove “Indexes”…
Add into each website’s top-level .htaccess file, line -
VirtualHost, htaccess, and Other Templates
The C:\WampDeveloper\Resources folder contains templates that are used for each new website’s VH (HTTP and SSL) and .htaccess files when a website is created/added. You can edit these templates to meet your specifications.
Securing PHP against 99% of the attacks
Disable most commonly exploited PHP functions
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
This will stop most of the exploits that would try to execute something on the system, without preventing normal scripts and webapps from working.
Restrict opening of files in scripts
Website VirtualHost(s) -
php_admin_value open_basedir "C:/WampDeveloper/Temp;C:/WampDeveloper/Websites/domain.name/webroot/"
This will restrict the locations that can be opened by PHP’s include(), require(), fopen() and other similar functions – to the website’s specific DocumentRoot folder and the general Temporary directory.
By using php_admin_value you are also preventing open_basedir from being reset via .htaccess files and at runtime via ini_set().
Note that using open_basedir comes at a cost. You will not be able to modify php.ini realpath_cache_size value for performance gains.
(*using php_value/php_admin_value does not work under PHP-FCGI)