In this tutorial, we will show you how to hide the PHP version on a Linux server. In default Apache/PHP configuration, the server sends HTTP Header with the information of which PHP version is running on the server. The HTTP response header “X-Powered-By” displays the version of PHP that is running on the server. This information can be used by an attacker to try to exploit any vulnerabilities in the PHP version you are running, especially if you are running an older version with known vulnerabilities.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation to hide PHP version information in the header on a Linux server.
Prerequisites
- A server running one of the following operating systems: Ubuntu 22.04, 20.04, and any other Debian-based distribution like Linux Mint.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A
non-root sudo useror access to theroot user. We recommend acting as anon-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Hide PHP Version in Linux
Step 1: First take the backup copy of the file php.ini.
cp -p /etc/php.ini /etc/php.ini.orig
Step 2. Hide PHP Version in Linux.
Now edit the php.ini and search for the keyword expose_php and make it off I use vi or nano editor. You can select your favorite editor:
nano /etc/php.ini
Next, find the expose_php and change its default value from On to Off:
expose_php = Off
After making this change, you will need to restart your web server for it to take effect.
sudo systemctl restart httpd
In addition, use a server-level configuration file, such as an Apache .htaccess file or an Nginx server block, to remove the PHP version from the Server HTTP response header. This can be done using the Header or add_header the directive, depending on your web server. For example, in Apache, you can use the following Header directive:
Header unset Server
Or in Nginx, you can use the following add_header directive:
add_header Server "";
Use a server-level configuration file to add a custom Server HTTP response header that does not include the PHP version. For example, in Apache, you can use the following Header directive:
Header add Server "MyCustomServer"
Or in Nginx, you can use the following add_header directive:
add_header Server "MyCustomServer";
To check whether it is working or not request a response using the below command:
curl -I http://www.your-domain.com/
Result:
HTTP/1.1 200 OK Server: nginx Date: Mon, 01 Feb 2016 01:47:57 GMT Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding X-Pingback: http://www.your-domain.com/xmlrpc.php Date: Wed, 11 Feb 2015 14:10:43 GMT X-Page-Speed: 1.9.32.2-4321 Cache-Control: max-age=0, no-cache
Congratulations! You have successfully hidden the PHP version. Thanks for using this tutorial to hide the PHP version in the HTTP Headers on the Linux system. For additional help or useful information, we recommend you check the official PHP website.
