31

This is a canonical question about the use of a *AMPP stack.

I recently had a talk with some experienced people and they suggested to me not to use a WAMP stack, and instead install apache, mysql and php separately.

I don't understand why they have suggested this, though, so can anyone tell me?

Is there a particular disadvantage of WAMP, or a particular advantage to installing all of them separately?

Since a WAMP stack itself is composed of apache, mysql and php, then what's the difference between using the WAMP stack and installing them all separately?

matang
  • 3
    What about a WIMP stack? (Windows, IIS, MSSQL Server, ASP.net) I rather like the acronym. – HopelessN00b Nov 29 '12 at 22:34
  • @HopelessN00b, WIMP is taken. It was an OS extension for Commodore 64 machines (about the time of Windows 2) and stood for "Windows, Icons, Mice and Pointers". – John Gardeniers Dec 11 '12 at 10:53
  • @John Gardeniers WIMP was already taken by that stage as an acronym for the "Windows Icons Mice and Pull-down Menus" style of UI that we now all use. – Euan M Nov 27 '15 at 01:01

5 Answers

42

Since a WAMP stack itself is composed of apache, mysql and php, then what's the difference between using the WAMP stack and installing them all separately?

There are many differences, though the three most troubling ones are:

  1. insecure configuration
  2. difficulty and lag in upgrades
  3. non-standard configs/binary locations

To expand on #1: WAMP, MAMP, LAMPP, XAMPP, etc. are designed to be one-click stack installers that make it easy for developers to get to work quickly and with the least resistance possible. As such, many of the configuration values are intentionally left in a very insecure state. This is OK for development work, but incredibly stupid to do in production.

Then, for #2, OS vendors make it very easy to keep your LAMP stack upgraded with the most recent feature updates and security patches. When their packages get released to their official repos, they've been through much testing and the chances of them breaking anything on your system are fairly low. The vast majority of the time, you're able to upgrade everything with a single command.

Finally, #3: one-click installers place their files in very non-standard locations. As such, when you (or anyone else) go to troubleshoot things, you're left searching all over your filesystem for, say, your php.ini file. When you install a LAMP stack from your distribution's package repo, everything will be in an expected, well-known location.

EEAA
  • 1
    I feel like we've been simultaneously answering the same questions all week. – MDMarra Nov 29 '12 at 22:10
  • 2
    Caveat: I wrote this assuming you were running on Linux, which apparently you're not. Many of the same points still hold true on Windows. I should submit, though, that you really ought to be running on Linux. You'll have a much more pleasant experience. – EEAA Nov 29 '12 at 22:11
  • @MDMarra Hah, I haven't noticed until now. I guess I need to go back and look at our history. :) – EEAA Nov 29 '12 at 22:11
22

First of all, apache, php, and MySQL are all *nix applications ported to Windows. It's usually preferred to run tools on their native platforms in production environments.

Secondly, pre-configured *AMP packages generally have extremely vulnerable configurations out of the box. Most packages ship with a readme stating that they're only for dev use and not for production because of this.

If you really want to develop in an environment that mimics production, you'll use a configuration similar to your production environment and you don't get that with WAMP or LAMP packages.

EEAA
MDMarra
6

If the question is - using Windows as my platform, why would some people tell me to install Apache, PHP, and MySQL separately rather than as part of a WAMP distribution...

The main reason is that some people have had a negative experience using an "everything including the kitchen sink" type of WAMP distribution that comes with an FTP Server, Mail Server, JSP Server, DNS Server, has issues with upgradability, security ... and that generally makes a mess of things.

And at the end of the day, those people would rather install and configure Apache, PHP, and MySQL their own way. And others probably think you'll gain more experience doing it all yourself.

But not all WAMPs are like this, and some are highly thought-out frameworks that deal with security, upgradability, and configurations in a proper manner.

There are about a dozen or so WAMPs that you can test, to see how they stack against each other. I always recommend to try out - WampServer, UniformServer, Wamp-Developer Pro, and Xampp to see if one of them fits your needs, and if not, to either set up your own custom WAMP installation/framework, or go with a LAMP environment.

rightstuff
  • 3
    You're not wrong in the point you're making, but I submit that the most secure, most efficient code is code you never have to run, and the most flexible framework is *no framework at all* so you don't have to worry about breaking someone else's rules and preventing their security, upgradability or configuration assumptions from being true and breaking the framework. It really does depend on the requirements and skills of the person doing the deployment - if it's an internet-facing system, a framework is no substitute for understanding how to properly configure all the components yourself. – Rob Moir Dec 01 '12 at 19:25
  • 4
    I'll go further and say that if a person needs to use *any* WAMP style system because they don't have the experience, skill and confidence to do it using the component parts then that person should not be putting it on the Internet. WAMP, in any of its forms, is fine for an intranet but not the Internet. – John Gardeniers Dec 11 '12 at 10:58
3

An answer directly from XAMPP. (I share, even if not a direct xampp question, as it's listed as a canonical question for AMPP's stack)

Is XAMPP production ready?

XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be as open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal.

Here is a list of missing security in XAMPP:

    The MySQL administrator (root) has no password.
    The MySQL daemon is accessible via network.
    ProFTPD uses the password "lampp" for user "daemon".
    PhpMyAdmin is accessible via network.
    The XAMPP demopage is accessible via network.
    The default users of Mercury and FileZilla are known.

All points can be a huge security risk. Especially if XAMPP is accessible via network and people outside your LAN. It can also help to use a firewall or a (NAT) router. In case of a router or firewall, your PC is normally not accessible via network. It is up to you to fix these problems. As a small help there is the "XAMPP Security console".

Please secure XAMPP before publishing anything online. A firewall or an external router are only sufficient for low levels of security. For slightly more security, you can run the "XAMPP Security console" and assign passwords.

If you want to have your XAMPP accessible from the internet, you should go to the following URI which can fix some problems:

 http://localhost/security/

With the security console you can set a password for the MySQL user "root" and phpMyAdmin. You can also enable an authentication for the XAMPP demopages.

This web based tool does not fix any additional security issues! Especially the FileZilla FTP server and the Mercury mail server you must secure yourself.

yagmoth555
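Three of the defaults listed in the answer above (no MySQL root password, MySQL reachable over the network, phpMyAdmin open) can be checked from the config files. The following is an added example, not code from the post or from XAMPP: the sample configs are constructed and the function names are hypothetical, while `bind-address`, `skip-networking`, `auth_type`, `password` and `AllowNoPassword` are the real MySQL and phpMyAdmin settings.

```python
import re
# Constructed sample configs (not copied from any real XAMPP/WAMP install).
WEAK_MY_CNF = "[mysqld]\nport = 3306\nbind-address = 0.0.0.0\n"
HARD_MY_CNF = "[mysqld]\nport = 3306\nbind-address = 127.0.0.1\n"
WEAK_PMA = ("$cfg['Servers'][$i]['auth_type'] = 'config';\n"
            "$cfg['Servers'][$i]['user'] = 'root';\n"
            "$cfg['Servers'][$i]['password'] = '';\n"
            "$cfg['Servers'][$i]['AllowNoPassword'] = true;\n")
HARD_PMA = ("$cfg['Servers'][$i]['auth_type'] = 'cookie';\n"
            "$cfg['Servers'][$i]['AllowNoPassword'] = false;\n")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def mysqld_options(text):
    """Parse the [mysqld] section of a my.cnf/my.ini into a dict."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "mysqld":
            key, _, val = line.partition("=")
            # MySQL treats '-' and '_' in option names as equivalent.
            opts[key.strip().replace("_", "-").lower()] = val.strip()
    return opts

def audit_mysql(text):
    opts = mysqld_options(text)
    # A bare "skip-networking" line disables TCP; absence means it is enabled.
    tcp_off = opts.get("skip-networking", "off").lower() not in ("0", "off", "false")
    # With no bind-address set, mysqld listens on all interfaces.
    if not tcp_off and opts.get("bind-address", "*") not in LOOPBACK:
        return ["mysqld is reachable from the network"]
    return []

def pma_setting(text, key):
    """Read one $cfg['Servers'][$i][key] value from phpMyAdmin's config.inc.php."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(("//", "#")))
    m = re.search(r"\$cfg\['Servers'\]\[\$i\]\['%s'\]\s*=\s*(.+?);" % re.escape(key), live)
    return m.group(1).strip().strip("'\"") if m else None

def audit_phpmyadmin(text):
    findings = []
    if pma_setting(text, "auth_type") == "config" and pma_setting(text, "password") == "":
        findings.append("phpMyAdmin logs in automatically with an empty password")
    if (pma_setting(text, "AllowNoPassword") or "").lower() == "true":
        findings.append("phpMyAdmin accepts accounts with no password")
    return findings
```

Feed each function the text of the real `my.ini`/`my.cnf` and `config.inc.php`; an empty list means none of these checks fired, not that the stack is hardened.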
-3

Some good answers, but don't forget that NONE of the default installs are very secure as they are meant to be used in the widest possible range of situations.

Seriously, if you think a default install of Apache on Linux is secure... guess again.