Hardening MAMP for easy, secure WordPress hosting on Mac

Posted by Johnathan at 2:56 pm, November 8, 2008

I just set up a new blog the other day using MAMP, the same Macintosh-Apache-MySQL-PHP distribution that this blog runs on.  And although the latest version is more than a year old, and they explicitly state that “MAMP was created primarily as a PHP development environment for Macintosh computer and should therefore not be used as Live Webserver for the Internet”, I’ve found it to be a capable solution for hosting a live WordPress blog provided you take a few simple steps to secure it.  Plus for backups and testing purposes, you can’t beat the convenience of having everything you need in the /Applications/MAMP folder.  So for the benefit of anyone who might be interested, here’s what I did to set up a blogging platform that’s both free and secure.

After downloading and dragging the MAMP folder to the Applications folder, launch the MAMP application (at /Applications/MAMP/MAMP) and click “Start Servers”.

The first thing to do is change the MySQL root password (the instructions pertaining to the root password are adapted from network0's excellent guide, with a few necessary changes for the current version, 1.7, of MAMP).  Open a terminal and run the following command:

/Applications/MAMP/Library/bin/mysqladmin -u root -p password your_choice_of_password

Next, edit the phpMyAdmin configuration file /Applications/MAMP/bin/phpMyAdmin/config.inc.php in your preferred text editor.  Change the line that says 

$cfg['Servers'][$i]['password']      = 'root';

to use your new password instead of root.  This will allow you to use phpMyAdmin to create and administer your WordPress database, as well as any others you care to use.  

There are a couple of MAMP scripts that need to use your new MySQL root password as well:  /Applications/MAMP/bin/mamp/index.php and /Applications/MAMP/bin/stopMysql.sh.  In the first, change the second “root” in the line that says

$link = @mysql_connect(':/Applications/MAMP/tmp/mysql/mysql.sock', 'root', 'root');

to be your password.  In the second, change the “root” that’s part of “-proot” to your password in the line

/Applications/MAMP/Library/bin/mysqladmin -u root -proot --socket=/Applications/MAMP/tmp/mysql/mysql.sock shutdown

With all of these changes complete, you should still be able to use the MAMP application to start and stop MySQL, and phpMyAdmin (launch it from the link in the toolbar at http://localhost:8888/MAMP/, unless you’ve changed the MAMP default ports) to administer MySQL databases.

In order to prevent other people from accessing the administrative virtual directories (/MAMP, /phpMyAdmin, and /SQLiteManager) in your website, we need to make a couple of changes to the /Applications/MAMP/conf/apache/httpd.conf file.  Make a backup copy of the existing file first, then open the httpd.conf file in a text editor.  Find each of the lines that say “Alias /SQLiteManager”, “Alias /phpMyAdmin”, and “Alias /MAMP”.  Under each of these lines will be a section that looks like

<Directory "/Applications/MAMP/somedirectory">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Change these sections to look like 

<Directory "/Applications/MAMP/somedirectory">
    Options Indexes MultiViews
    AllowOverride None
    Order deny,allow
    Allow from localhost
    Deny from all
</Directory>

and save the file.  Use the MAMP application to stop and restart the servers again to load these changes.  With this modification in place, you’ll be able to access these folders when browsing from the host server itself, but any attempt to view these from any other computer will return a 403 Forbidden error.
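As an added check that is not part of the original post or of MAMP itself, the shell script below audits a MAMP folder for the steps just described: it flags any of the four scripts that still carry the stock 'root' MySQL password (the three files edited above plus quickCheckMysqlUpgrade.sh, which a commenter found needs the same change in MAMP 1.9), and any of the three admin aliases in httpd.conf whose Directory block still allows every address. So that it runs offline it builds two constructed sample trees in a temporary directory; only the lines the post edits are reproduced, and the contents of quickCheckMysqlUpgrade.sh are assumed (a mysqlcheck line with -proot). Point mamp_audit at /Applications/MAMP to check a real install.

```shell
#!/bin/sh
# Added audit script (not from the original post or the MAMP project): checks a
# MAMP folder for the hardening steps described above and reports anything that
# is still at the insecure default. File paths are the ones the post names; the
# fixture contents further down are constructed stand-ins for the real files.

# Succeeds (exit 0) when FILE still carries the stock MySQL password 'root' in
# one of the three forms the post edits: ['password'] = 'root', 'root', 'root')
# or -proot.
still_default_password() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -Eq -e "'password'[]][[:space:]]*=[[:space:]]*'root'" \
             -e "'root',[[:space:]]*'root'" \
             -e "-proot([[:space:]]|$)" "$f"
}

# Print the alias (/MAMP, /phpMyAdmin or /SQLiteManager) of every admin
# <Directory> block in httpd.conf that still says "Allow from all" or has no
# "Deny from all". Assumes, as in the post, that each Alias line precedes its
# Directory block; unrelated blocks such as htdocs are ignored on purpose.
open_admin_aliases() {
    awk '
        /^[[:space:]]*Alias[[:space:]]+\/(MAMP|phpMyAdmin|SQLiteManager)[[:space:]]/ {
            p = $3; gsub(/"/, "", p); alias[p] = $2
        }
        /^[[:space:]]*<Directory[[:space:]]/ {
            cur = $2; gsub(/["<>]/, "", cur); allow_all = 0; deny_all = 0
        }
        cur != "" && /^[[:space:]]*Allow[[:space:]]+from[[:space:]]+all([[:space:]]|$)/ { allow_all = 1 }
        cur != "" && /^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all([[:space:]]|$)/  { deny_all = 1 }
        /^[[:space:]]*<\/Directory>/ {
            if ((cur in alias) && (allow_all || !deny_all)) print alias[cur]
            cur = ""
        }
    ' "$1"
}

# Audit the MAMP tree at ROOT: one line per finding, exit 0 only when clean.
mamp_audit() {
    root="$1"; found=0
    for f in bin/phpMyAdmin/config.inc.php bin/mamp/index.php \
             bin/stopMysql.sh bin/quickCheckMysqlUpgrade.sh; do
        if still_default_password "$root/$f"; then
            echo "FAIL: stock MySQL root password still in $f"; found=1
        fi
    done
    for a in $(open_admin_aliases "$root/conf/apache/httpd.conf"); do
        echo "FAIL: $a is reachable from any address, not just localhost"; found=1
    done
    return $found
}

# Build a constructed sample tree at DIR using password PW. ACCESS is "open"
# (stock httpd.conf) or "local" (the post's localhost-only rules). Only the
# lines the post edits are reproduced; quickCheckMysqlUpgrade.sh is assumed
# to hold a mysqlcheck line with -p<password>.
make_fixture() {
    d="$1"; pw="$2"; access="$3"
    mkdir -p "$d/bin/phpMyAdmin" "$d/bin/mamp" "$d/conf/apache"
    printf "%s\n" "\$cfg['Servers'][\$i]['password']      = '$pw';" \
        > "$d/bin/phpMyAdmin/config.inc.php"
    printf "%s\n" "\$link = @mysql_connect(':/Applications/MAMP/tmp/mysql/mysql.sock', 'root', '$pw');" \
        > "$d/bin/mamp/index.php"
    printf "%s\n" "/Applications/MAMP/Library/bin/mysqladmin -u root -p$pw --socket=/Applications/MAMP/tmp/mysql/mysql.sock shutdown" \
        > "$d/bin/stopMysql.sh"
    printf "%s\n" "/Applications/MAMP/Library/bin/mysqlcheck -u root -p$pw --all-databases" \
        > "$d/bin/quickCheckMysqlUpgrade.sh"
    if [ "$access" = "open" ]; then
        rules="    Order allow,deny
    Allow from all"
    else
        rules="    Order deny,allow
    Allow from localhost
    Deny from all"
    fi
    # htdocs stays world-readable in both variants; it must not be flagged.
    printf '<Directory "%s/htdocs">\n    Order allow,deny\n    Allow from all\n</Directory>\n' "$d" \
        > "$d/conf/apache/httpd.conf"
    for a in MAMP:bin/mamp phpMyAdmin:bin/phpMyAdmin SQLiteManager:bin/SQLiteManager; do
        path="$d/${a#*:}"
        printf 'Alias /%s "%s"\n<Directory "%s">\n    Options Indexes MultiViews\n    AllowOverride None\n%s\n</Directory>\n' \
            "${a%%:*}" "$path" "$path" "$rules" >> "$d/conf/apache/httpd.conf"
    done
}

# Demo on two constructed trees: one stock, one after the post's edits.
work=$(mktemp -d)
make_fixture "$work/stock" root open
make_fixture "$work/hardened" n3w-Passw0rd local
echo "== stock tree =="; mamp_audit "$work/stock" || true
echo "== hardened tree =="; mamp_audit "$work/hardened" && echo "clean"
rm -rf "$work"
```

The stock tree produces seven findings (four scripts plus three aliases) and the hardened tree none. The Apache check is deliberately coarse: it only looks for the Allow/Deny pair inside each admin block and does not verify the address on the Allow line, so a block that has been locked down some other way should be read by eye rather than trusted to this script.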

Now you’re ready to drop the latest WordPress distribution in /Applications/MAMP/htdocs, and follow the Famous 5-Minute Install instructions.  Janet Fouts at Macinstruct has a nice set of instructions highlighting MAMP-specific values for the wp-config.php file.  Customize WordPress to your heart’s content — there’s no end to the free documentation and suggestions out there.

If you want to serve your blog to the world, you’ll need a domain name and either a static IP address (my ISP only offers these for business accounts) or a dynamic IP address and an account with an IP tracking service (I’m a big fan of DynDNS; you can even use one of their domain names for free).  Additionally, you should use a .htaccess file to block unwanted bots.  But as far as getting a MAMP-WordPress site up and running securely and in minimum time, I feel the above instructions will do the trick.  Does anyone else have any pointers for things I might be missing?  Please leave suggestions in the comments.

  • johnathanreale
    Glad it was useful! I just resurrected this site on MAMP 1.9, and one of the first things I thought of was how I should repost this item updated for the new version. There are a few other scripts in bin/ that need the root password modified as well for those who like to work from the command line interface. I'll try to get the new version posted this weekend.
  • Francesco Dipascasio
    Hi, it works like a charm... I've installed MAMP 1.9 and I had to add just one step to avoid a MAMP error:

    /Applications/MAMP/Library/bin/mysqlcheck: Got error: 1045: Access denied for user 'root'@'localhost' (using password: YES) when trying to connect

    Make the same substitution in the file '/Applications/MAMP/bin/quickCheckMysqlUpgrade.sh' as you describe for '/Applications/MAMP/bin/stopMysql.sh'.
  • George C
    Hey, this was a really helpful post on securing MAMP. There were a bunch of others but they didn't go through the whole process. Thanks for the post!