How to Hide PHP Version in Site HTTP Headers


You must hide the PHP version of your server in your site's HTTP headers for better site security. It is essential that you keep the PHP version on your server updated, as newer versions fix security bugs besides adding new features. I found that even after you turn off the server signature to hide server details and your Apache version, the PHP version still appears in the site headers as X-Powered-By.

For example, if you simply check the headers of some site, you will get X-Powered-By: PHP/5.3.10


You may have thought that only you could find the PHP version of your server, or that you needed a PHP version plugin; now you see how easy it is for anyone to see your server details. Hackers can easily look up known security holes in that version and attack your server.

Hide PHP version

So how do you hide the PHP version? Servers display the PHP version by default because of expose_php, a core php.ini configuration directive. So you need to turn it off.

  • Log in to your server via FTP. I use the FileZilla FTP client.
  • Find the php.ini file on your server. Usually the global php.ini is located in /usr/local/lib/php.ini (but this can vary depending on your server configuration and PHP installation; check your hosting level for access and permissions).
  • Save a backup copy of your php.ini file (in case something goes wrong, restore it).
  • php.ini is a simple text file and can be edited in any text editor like Notepad. Add the line
    expose_php = off
  • Save the php.ini file and upload it to the same location (do not save it as .txt).

Now check your site headers again and you will find that the X-Powered-By: PHP/[version] entry has disappeared. This is helpful as it no longer exposes your PHP version to anyone looking for known security holes, and it prevents hackers from getting sensitive server information from the headers.
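One way to verify the change from a shell, as an added example that is not part of the original article. It checks two things: that no active `expose_php` line in php.ini is still on (an existing `expose_php = On` line left in the file alongside the added one is reported as a failure), and that the response headers no longer carry `X-Powered-By: PHP`. The function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that expose_php is off and the header is gone.

# Print every active (uncommented) expose_php line of a php.ini read on stdin.
active_expose_php() {
    tr -d '\r' | grep -iE '^[[:space:]]*expose_php[[:space:]]*='
}

# Return 0 only if an active expose_php line exists and every one of them is off.
# A missing directive fails too, because PHP's built-in default is On.
ini_hides_php() {
    lines=$(active_expose_php) || return 1
    ! printf '%s\n' "$lines" |
        grep -ivE '=[[:space:]]*"?(off|0|false|no)"?[[:space:]]*(;.*)?$' >/dev/null
}

# Return 0 if the response headers on stdin contain no X-Powered-By: PHP line.
# Header names are case-insensitive and lines end in CRLF on the wire.
headers_hide_php() {
    ! tr -d '\r' | grep -iE '^x-powered-by:[[:space:]]*php' >/dev/null
}

# Constructed samples (not output from a real server).
INI_STALE='expose_php = off
; expose_php = On   (commented out, ignored)
expose_php = On'
INI_FIXED='[PHP]
expose_php = Off ; hide version'
HDR_LEAK='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.3.10'
HDR_CLEAN='HTTP/1.1 200 OK
Server: Apache'

# Usage against your own server (paths and URL are placeholders):
#   ini_hides_php < /usr/local/lib/php.ini && echo "php.ini OK"
#   curl -sI https://your-site.example/ | headers_hide_php && echo "header hidden"
```

If the php.ini check passes but the header is still present, the web server may not have reloaded its configuration yet, or a different php.ini is being loaded.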

NOTE: It’s a bad idea to mess with your php.ini file. If you don’t have sufficient technical expertise and can’t fix it yourself, ask your web hosting service’s support to make the change for you.

4 comments on “How to Hide PHP Version in Site HTTP Headers”

  1. JohnR says:

    This is a great tip but we should also consider if there are other methods that hackers can use to check the PHP version on our site.

  2. Sam Jonson says:

    This is a great tip. But do you know how to hide the script name, like Facebook does?

  3. Esharat says:

    Wow! Awesome your sharing! Thanks for sharing.

  4. Rob Fish says:

    I heard that there are other ways to stay secure without necessarily upgrading your PHP to the higher versions. Is this a fact or just a myth?
