WampServer is a popular development environment for web applications, allowing users to easily set up a PHP, MySQL, and Apache stack on their machines. While it excels at facilitating local development, some security measures need to be in place to ensure WampServer is ready for production deployment. This guide will walk you through the essential steps to harden your WampServer setup, making it more secure for serving live websites.
Disabling ETags and Server Signature
First, let's address two issues that can reveal sensitive information about your server setup: ETags and the Server Signature.
Etags, short for entity tags, are used to identify versions of web resources. Although they serve a purpose in development environments, they can be exploited by attackers to guess the existence of files or directories. Disable ETags by adding the following line to your Apache configuration file (found at wamp\apache\conf\httpd.conf):
FileETag None
Restart your Apache service to apply the change.
The Server Signature, displayed in the HTTP header, often includes the server software version, which can be a valuable piece of information for potential attackers. To conceal this data, insert the following directive in your httpd.conf file:
ServerSignature Off
Once more, restart Apache to put this tweak into effect.
PHP.ini Secure Flags and Secure Cookies
Now, let's focus on PHP configuration to ensure secure flags and cookies are employed. The wamp\bin\php\phpX.Y.Z\php.ini file (replace X.Y.Z with your PHP version) requires modifications to implement these security measures.
Secure Flags: Locate the directive [security] and add the following lines:
expose_auth_path = Off
log_xts_failed_sessions_in_error_log = On
This will prevent PHP from exposing authentication paths and log failed XTS (ecdh a128-cmAES256) session keys for troubleshooting purposes.
Secure Cookies: In the [cookie] section, set the following settings:
sess.use_only_cookies = 1
mime.output_encoding = System
mimeéŁentry_encoding = System
These configurations ensure that PHP only uses cookies for session transmission and encode all responses with the server's default character set.
After updating your php.ini file, restart the WAMP server to apply the changes.
Disabling Trace Method in Apache
The Trace method, when enabled, allows clients to inspect the server's internals. In a production setting, there's no valid reason to expose this functionality, so let's disable it:
In your wamp\apache\conf\extra\httpd-wmp.conf file, add the following lines:
<Directory "C:/path/to/your/webroot">
Options -Includes -Indexes -FollowSymLinks +MultiViews
AllowOverride None
Require all denied
</Directory>
Replace C:/path/to/your/webroot with the actual path of your web root directory.
Later in the same file, locate the <Directory /> block and add the TraceEnable off directive:
<Directory />
AllowOverride None
Require all denied
<IfModule mod_trace_module.c>
TraceEnable off
</IfModule>
</Directory>
Restart Apache to incorporate these modifications.
Disabling Server Tokens
Another piece of information that can aid attackers is the HTTP server tokens, which include the server software version and other details. To remove this unnecessary data, uncomment the following line in your wamp\apache\conf\httpd.conf file:
ServerTokens Prod
This will display the "Apache" string as the server token, without any version information. Restart Apache to make the change effective.
Securing the Root PHPMyAdmin Account
Finally, let's focus on securing the root account of PHPMyAdmin, the web-based database management tool. An unsecured root account is an open invitation for unauthorized access to your sensitive database data.
Access PHPMyAdmin via your web browser by navigating to http://localhost/phpmyadmin (or your custom URL if configured).
Click on the "Databases" tab and then select the "mysql" database.
In the SQL query field, execute the following command to set a strong password for the root user:
UPDATE mysql.user SET password=PASSWORD('your_strong_password') WHERE user='root';
FLUSH PRIVILEGES;
Replace your_strong_password with a secure, complex password.
For added security, consider creating a separate user account with limited privileges for managing your databases. This will reduce the risk if the root account is compromised.
In conclusion, by following these steps to secure Apache, PHP, and PHPMyAdmin, you'll significantly harden your WampServer setup for production use. Remember to regularly update your server software, monitor your logs, and stay informed about emerging security vulnerabilities to maintain a robust and secure web environment. With the right precautions in place, your WampServer can serve as a reliable foundation for your online applications.