How to Hide PHP Version Number in HTTP Header

The PHP configuration, by default allows the server HTTP response header ‘X-Powered-By‘ to display the PHP version installed on a server.

For server security reasons (though not a major threat to worry about), it is recommended that you disable or hide this information from attackers who might be targeting your server by wanting to know whether you are running PHP or not.

Assuming a particular version of PHP installed on your server has security holes, and on the other side, attackers get to know this, it will become much easier for them to exploit vulnerabilities and gain access in to the sever through scripts.

In my previous article, I’ve shown how to Hide apache version number, where you’ve seen how to turn-off apache installed version. But if you are running PHP in your apache web server you need to hide PHP installed version also, and this is what we going show in this article.

Therefore, in this post, we will explain how to hide or turn-off showing PHP version number in server HTTP response header.

This setting can be configured in the loaded PHP configuration file. In case you do not know the location of this config file on your server, run the command below to find it:

$ php -i | grep "Loaded Configuration File"
PHP Configuration File Location
---------------- On CentOS/RHEL/Fedora ---------------- 
Loaded Configuration File => /etc/php.ini

---------------- On Debian/Ubuntu/Linux Mint ---------------- 
Loaded Configuration File => /etc/php/7.0/cli/php.ini

Before making any changes to PHP configuration file, I suggest you to first make a backup of your PHP config file like so:

---------------- On CentOS/RHEL/Fedora ---------------- 
$ sudo cp /etc/php.ini /etc/php.ini.orig

---------------- On Debian/Ubuntu/Linux Mint ---------------- 
$ sudo cp /etc/php/7.0/cli/php.ini  /etc/php/7.0/cli/php.ini.orig  

Then open the file using your favorite editor with super user privileges like so:

---------------- On CentOS/RHEL/Fedora ---------------- 
$ sudo vi /etc/php.ini

---------------- On Debian/Ubuntu/Linux Mint ---------------- 
$ sudo vi /etc/php/7.0/cli/php.ini

Locate the keyword expose_php and set its value to Off:

expose_php = off

Save the file and exit. Afterwards, restart the web server as follows:

---------------- On SystemD ---------------- 
$ sudo systemctl restart httpd
$ sudo systemctl restart apache2 

---------------- On SysVInit ---------------- 
$ sudo service httpd restart
$ sudo service apache2 restart

Last but not least, check if the server HTTP response header is still showing your PHP version number using the command below.

$ lynx -head -mime_header http://localhost 
$ lynx -head -mime_header http://server-address

where the flags:

  1. -head – sends a HEAD request for the mime headers.
  2. -mime_header – prints the MIME header of a fetched document together with its source.

Note: Make sure you have lynx – command-line web browser installed on your system.

That’s it! In this article, we explained how to hide PHP version number in server HTTP response header in order to secure a web server from possible attacks. You can add an opinion to this post or perhaps ask any related question via the comment form below.

Best Affordable Linux and WordPress Services For Your Business
Outsource Your Linux and WordPress Project and Get it Promptly Completed Remotely and Delivered Online.

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.