IanBo wrote: How do I make security good enough to remain personally unhacked [I don't think I'll need SSL because I can sell through clickbank, ebay, etc.]?
The best way to remain unhacked is to uninstall XAMPP. It's insecure by design (bad design IMHO).
If you insist on plugging it into the internet, at least read this first:
http://robsnotebook.com/xampp-security-hardening
And, whatever else you do:
PUT A @^*!@@! PASSWORD on MySQL root.
Hit your site from an external IP. If you can get to any of these, you are apt to be hacked:
http://<your site>/phpmyadmin <-- If you don't get prompted for a password, you will be hacked.
http://<your site>/webalizer <-- Google hackers best friend
http://<your site>/xampp <-- no need for this to be on the net.
http://<your site>/xampp/phpinfo.php <-- way too much information.
http://<your site>/cgi-bin/printenv.pl <-- More way too much information.
If someone manages to put a .PHP file somewhere on your site, and they can get to it from the internet, here's what happens:
They can run just about any command they want with the PHP eval() command
They can see your ENTIRE MACHINE if they can do an eval()
There are no limits from here.
There are REALLY no limits if you aren't behind a good firewall. No firewall + Phpmyadmin access ==> remote desktop access to your machine from anywhere in the world.
So yes, you should be afraid....very...very afraid.
Regards,
XamppHacker (Because it's so easy, that's why)
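The "hit your site from an external IP" checklist in the post above, turned into a self-check script. This is an added example, not the poster's code or anything shipped with XAMPP. It assumes only the Python standard library; the `fetch` parameter is there so the verdict logic can be exercised offline against constructed responses, and the password-field heuristic for /phpmyadmin is an assumption (a served login page carries an `<input type="password">`, the default XAMPP "config" auth does not).

```python
"""Self-check for the XAMPP exposure list in the post above.

Added example, not the poster's code. Standard library only; `fetch` is
injectable so the verdict logic can be tested without a network.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# The paths named in the post, with the reason each one should not answer
# from the internet (paraphrased from the post).
EXPOSED_PATHS: Dict[str, str] = {
    "/phpmyadmin": "database admin UI; no login prompt means MySQL root is wide open",
    "/webalizer": "web statistics that map out your site for search-engine reconnaissance",
    "/xampp": "XAMPP control page; no reason for it to be internet-facing",
    "/xampp/phpinfo.php": "phpinfo() lists versions, paths and loaded modules",
    "/cgi-bin/printenv.pl": "dumps the server's environment variables",
}

# (HTTP status, start of the body); status 0 means no connection at all.
Response = Tuple[int, str]


def http_get(url: str, timeout: float = 5.0) -> Response:
    """Plain GET of one URL. 4xx/5xx come back as their status, connection failures as 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def verdict(path: str, status: int, body: str) -> str:
    """Classify one response into a short verdict string."""
    if status == 0:
        return "UNREACHABLE"
    if status == 404:
        return "ABSENT"
    if status in (401, 403):
        return "PROTECTED"   # e.g. Apache 'Require local' on the XAMPP pages
    if 300 <= status < 400:
        return "REDIRECT"    # urlopen follows common redirects itself; check the rest by hand
    # Heuristic (assumption): phpMyAdmin's cookie/http auth serves a login form
    # with a password field; XAMPP's default 'config' auth goes straight in.
    if status == 200 and path == "/phpmyadmin" and 'type="password"' in body:
        return "LOGIN_FORM"  # still internet-facing; restrict it, but at least it prompts
    return "EXPOSED"


def audit(base_url: str, fetch: Callable[[str], Response] = http_get) -> List[Dict[str, object]]:
    """GET every path in EXPOSED_PATHS under base_url and return one finding per path."""
    base = base_url.rstrip("/")
    findings: List[Dict[str, object]] = []
    for path, why in EXPOSED_PATHS.items():
        status, body = fetch(base + path)
        findings.append({"path": path, "status": status,
                         "verdict": verdict(path, status, body), "why": why})
    return findings


def exposed(findings: List[Dict[str, object]]) -> List[str]:
    """Paths that answered 200 with no sign of a password prompt: the post's 'you will be hacked' cases."""
    return [str(f["path"]) for f in findings if f["verdict"] == "EXPOSED"]


if __name__ == "__main__":
    # Run this from a machine OUTSIDE your network, as the post says: from the
    # server itself a 'Require local' rule would hide the problem.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.invalid"
    results = audit(target)
    for f in results:
        print(f"{f['verdict']:<12} {f['status']:>3}  {f['path']:<22} {f['why']}")
    sys.exit(1 if exposed(results) else 0)
```

Anything reported as EXPOSED is what the post is warning about; LOGIN_FORM means phpMyAdmin prompts but is still reachable from anywhere, which the linked hardening notes tell you to lock down to local access.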