Channel: DeveloperSide.NET » WAMP Developer Server

Security


WampDeveloper is secured and ready for production deployment out-of-the-box.

There are just a couple of things to be aware of…

MySQL Accounts

While MySQL can only be accessed directly from the local system (it’s bound to 127.0.0.1), it can be accessed indirectly via any phpMyAdmin URL -

http://domain.name/phpmyadmin

The indirect access is currently secured this way:

File: C:\WampDeveloper\Tools\phpMyAdmin\config.inc.php

$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'deny % from all',
    'allow % from 127.0.0.1',
    'allow root from localhost',
    'allow root from 127.0.0.1',
    'allow root from 10.0.0.0/8',
    'allow root from 172.16.0.0/12',
    'allow root from 192.168.0.0/16',
    );

A) The user “root” has *no password set*, but this account is restricted and can *only* be accessed from the local system and the local network (as listed above). Note: if you do set the password for this account, do so for all root accounts (host: localhost, ::1, 127.0.0.1) and update the WampDeveloper.xml file with the new password.

B) All other users are either restricted to local access only or denied access altogether (as above). Note: to open this up, you have to edit the above file and set the proper permissions in the above code (example: 'allow user-name-here from 127.0.0.1').

C) There is usually 1 MySQL account called “Any” which does allow anyone that can get into MySQL to see (but not modify) the databases. You can safely delete this account if it exists.
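
The effect of the AllowDeny rules shown above can be checked offline before editing them. The following Python sketch is an added example, not part of the original article or of phpMyAdmin's code; it is a simplified, IPv4-only model of the `deny,allow` and `allow,deny` orders, and the function names and sample client addresses are constructed for illustration.

```python
import ipaddress

ORDER = "deny,allow"  # order and rules copied from the config.inc.php above
RULES = [
    "deny % from all",
    "allow % from 127.0.0.1",
    "allow root from localhost",
    "allow root from 127.0.0.1",
    "allow root from 10.0.0.0/8",
    "allow root from 172.16.0.0/12",
    "allow root from 192.168.0.0/16",
]
# Assumption: phpMyAdmin's documented ipmask shortcuts (IPv4 only here).
SHORTCUTS = {"all": "0.0.0.0/0", "localhost": "127.0.0.1/8"}


def parse(rule):
    """Split '<action> <user> from <ipmask>' into (action, user, network)."""
    action, user, _from, mask = rule.split()
    net = ipaddress.ip_network(SHORTCUTS.get(mask, mask), strict=False)
    return action, user, net


def is_allowed(user, ip, rules=RULES, order=ORDER):
    """Simplified model of phpMyAdmin's AllowDeny order evaluation."""
    addr = ipaddress.ip_address(ip)
    hits = {a for a, u, n in map(parse, rules) if u in ("%", user) and addr in n}
    if order == "deny,allow":
        # Allowed by default: blocked only by a deny match with no allow match.
        return "allow" in hits or "deny" not in hits
    if order == "allow,deny":
        # Denied by default: needs an allow match and no deny match.
        return "allow" in hits and "deny" not in hits
    raise ValueError(f"order not modelled: {order}")


def audit(rules=RULES):
    """Return (user, network) for allow rules reaching beyond loopback."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [(u, str(n)) for a, u, n in map(parse, rules)
            if a == "allow" and not n.subnet_of(loopback)]


if __name__ == "__main__":
    # Constructed sample clients; 203.0.113.7 is a documentation address.
    for user, ip in [("root", "192.168.1.50"), ("root", "203.0.113.7")]:
        print(user, ip, "allowed" if is_allowed(user, ip) else "denied")
    print("allow rules beyond loopback:", audit())
```

The `audit()` output lists the three private ranges from which the password-less root account is reachable through phpMyAdmin, which is the exposure to weigh when deciding whether to set a root password.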

AWStats Website Analytics/Statistics

Website statistics can be accessed by anyone from the local network.

Current Settings…

File(s):
C:\WampDeveloper\Tools\awstats\wwwroot\cgi-bin\awstats.www.example.com.conf
(*substitute your domain name for www.example.com)

AllowAccessFromWebToFollowingIPAddresses="127.0.0.1 10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 192.168.0.0-192.168.255.255"

Directory Index

Each publicly accessible directory that does not contain an index.html or index.php file will default to displaying an “Index” (an auto-generated file and directory listing) of that location. To remove “Indexes”…

Add this line to each website’s top-level .htaccess file -

Options -Indexes

VirtualHost, htaccess, and Other Templates

The C:\WampDeveloper\Resources folder contains templates that are used for each new website’s VH (HTTP and SSL) and .htaccess files when a website is created/added. You can edit these templates to meet your specifications.

