How to Hide PHP Version Number in HTTP Header

The PHP configuration, by default allows the server HTTP response header ‘X-Powered-By‘ to display the PHP version installed on a server.

For server security reasons (though not a major threat to worry about), it is recommended that you disable or hide this information from attackers who might be targeting your server by wanting to know whether you are running PHP or not.

Assuming a particular version of PHP installed on your server has security holes, and on the other side, attackers get to know this, it will become much easier for them to exploit vulnerabilities and gain access in to the sever through scripts.

In my previous article, I’ve shown how to Hide apache version number, where you’ve seen how to turn-off apache installed version. But if you are running PHP in your apache web server you need to hide PHP installed version also, and this is what we going show in this article.

Therefore, in this post, we will explain how to hide or turn-off showing PHP version number in server HTTP response header.

This setting can be configured in the loaded PHP configuration file. In case you do not know the location of this config file on your server, run the command below to find it:

$ php -i | grep "Loaded Configuration File"
PHP Configuration File Location
---------------- On CentOS/RHEL/Fedora ---------------- 
Loaded Configuration File => /etc/php.ini

---------------- On Debian/Ubuntu/Linux Mint ---------------- 
Loaded Configuration File => /etc/php/7.0/cli/php.ini

Before making any changes to PHP configuration file, I suggest you to first make a backup of your PHP config file like so:

---------------- On CentOS/RHEL/Fedora ---------------- 
$ sudo cp /etc/php.ini /etc/php.ini.orig

---------------- On Debian/Ubuntu/Linux Mint ---------------- 
$ sudo cp /etc/php/7.0/cli/php.ini  /etc/php/7.0/cli/php.ini.orig  

Then open the file using your favorite editor with super user privileges like so:

---------------- On CentOS/RHEL/Fedora ---------------- 
$ sudo vi /etc/php.ini

---------------- On Debian/Ubuntu/Linux Mint ---------------- 
$ sudo vi /etc/php/7.0/cli/php.ini

Locate the keyword expose_php and set its value to Off:

expose_php = off

Save the file and exit. Afterwards, restart the web server as follows:

---------------- On SystemD ---------------- 
$ sudo systemctl restart httpd
$ sudo systemctl restart apache2 

---------------- On SysVInit ---------------- 
$ sudo service httpd restart
$ sudo service apache2 restart

Last but not least, check if the server HTTP response header is still showing your PHP version number using the command below.

$ lynx -head -mime_header http://localhost 
$ lynx -head -mime_header http://server-address

where the flags:

  1. -head – sends a HEAD request for the mime headers.
  2. -mime_header – prints the MIME header of a fetched document together with its source.

Note: Make sure you have lynx – command-line web browser installed on your system.

That’s it! In this article, we explained how to hide PHP version number in server HTTP response header in order to secure a web server from possible attacks. You can add an opinion to this post or perhaps ask any related question via the comment form below.

Tutorial Feedback...
Was this article helpful? If you don't find this article helpful or found some outdated info, issue or a typo, do post your valuable feedback or suggestions in the comments to help improve this article...

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

1 thought on “How to Hide PHP Version Number in HTTP Header”

Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.