How to Hide PHP Version in Site HTTP Headers
You should hide the PHP version of your server in your site's HTTP headers for better site security. It is essential to keep the PHP version on your server updated, as newer versions fix security bugs besides adding new features. I found that even after you turn off the server signature to hide server details and your Apache version, the X-Powered-By PHP version still appears in the site headers.
For example, if you simply check the headers of some site, you will get X-Powered-By: PHP/5.3.10
You may have thought that only you could find the PHP version of your server, or that doing so needed a PHP version plugin; now you see how easy it is for anyone to see your server details. Hackers can then easily look up the known security holes of that version and attack your server.
Hide PHP version
So how do you hide the PHP version? Servers display the PHP version by default because of expose_php, a core php.ini configuration directive. So you need to turn it off.
- Log in to your server via FTP. I use FileZilla FTP Client.
- Find the php.ini file on your server. Usually the global php.ini is located in /usr/local/lib/php.ini, but this can vary depending on your server configuration and PHP installation. Check your hosting level for access and permissions.
- Save a backup copy of your php.ini file (in case something goes wrong, you can restore it).
- php.ini is a simple text file and can be edited in any text editor like Notepad. Add the line
  expose_php = off
- Save the php.ini file and upload it to the same location (do not save it as .txt).
Now check your site headers again and you will find that the X-Powered-By: PHP/[version] entry has disappeared. This is helpful because the headers no longer advertise an old PHP version with known security holes, and hackers are kept from getting server details.
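
One way to run that header check repeatably, as an added example that is not part of the original article: the Python below parses a raw HTTP response head and lists every product/version token disclosed in X-Powered-By or Server. The two sample responses are constructed for illustration (the PHP version is the one quoted above), and the function names are this example's own.

```python
import re

# Headers that commonly disclose software versions. X-Powered-By is the one
# expose_php controls; Server is governed by the web server's own settings.
DISCLOSING = ("x-powered-by", "server")
VERSION = re.compile(r"[A-Za-z_.-]+/\d+(?:\.\d+)*")  # e.g. PHP/5.3.10

# Constructed sample: server signature already hidden, expose_php still on.
SIGNATURE_OFF_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed sample: the same site after expose_php = off.
EXPOSE_PHP_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def parse_headers(raw):
    """Parse a raw HTTP response head into (lowercased name, value) pairs."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    pairs = []
    for line in lines[1:]:              # skip the status line
        if not line.strip():
            break                       # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def version_leaks(raw):
    """Return (header, product/version) for every version token disclosed."""
    leaks = []
    for name, value in parse_headers(raw):
        if name in DISCLOSING:
            leaks.extend((name, token) for token in VERSION.findall(value))
    return leaks

if __name__ == "__main__":
    for label, raw in (("before", SIGNATURE_OFF_ONLY), ("after", EXPOSE_PHP_OFF)):
        print(label, version_leaks(raw) or "no version disclosed")
```

To audit your own site, save the output of a HEAD request to a file and pass its contents to version_leaks.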