I'm writing a series of articles in my blog on how to secure XAMPP. It is turning out to be a big project, so I'm publishing pieces of it at a time as I write them.
My most recent article is about removing folders and pages that you don't need. See it here:
http://robsnotebook.com/xampp-remove-folders-deny-access
My first article is about how the "forbidden" folder works:
http://robsnotebook.com/xampp-forbidden
Rob