How to Hide PHP Version in Linux

FerdieQO

Well-known member
Joined
Jul 15, 2016
Messages
213
Points
28
With default settings, users can check information about the PHP version and the web server of a website using the response headers. Then, if you forget to update PHP, hackers can take advantage of this information to attack as well as find vulnerabilities in your PHP version.

So, let's try these tips to hide the PHP version on your Linux system.

1. How to check the PHP version

From a user perspective, check out the PHP version of any website:

Code:
# curl -IL http://domain.com
# curl -IL https://domain.com
The results are similar to the following:

Code:
HTTP/1.1 200 OK
Date: Sun, 24 Dec 2017 04:05:02 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=d2256f5d51e32dbd77184sdsa6831dd671514088301; expires=Mon, 24-Dec-18 04:05:01 GMT; path=/; domain=.domain.com; HttpOnly
X-Powered-By: PHP/7.1.3
Thus, it lets us know that the website is using PHP 7.1.6.

2. Hide the PHP version information

- To hide the PHP version, you need to configure this in PHP: expose_php = off

You should create a custom.ini configuration file so that you do not modify the general php.ini configuration, as that file may change when you update PHP. To find out the location of php.ini, use this command: php -i | more

Code:
RHEL/Fedora/CentOS Linux: /etc/php.d/
Debian/Ubuntu Linux and PHP v7.xx: /etc/php/7.0/fpm/conf.d/
Alpine Linux and PHP v5.6.xx: /etc/php5/conf.d/
Alpine Linux and PHP v7.xx: /etc/php7/conf.d/
Then use the Nano Editor to create and edit custom.ini in your own configuration directory. Add the following line to the file:

Code:
expose_php = Off
- Restart PHP

Finally, in order for the change to take effect, restart PHP. The command varies depending on the operating system.

Code:
RHEL/CentOS 5.x/6.x
# service php-fpm restart

RHEL/CentOS 7x
# systemctl restart php-fpm

Debian/Ubuntu Linux
# service php7.0-fpm restart

Alpine Linux
# /etc/init.d/php-fpm restart

FreeBSD
# service php-fpm restart
Check the header again; you will see that the PHP version information has been hidden.

Finally, hiding the PHP version is just a trick to help you avoid hackers. They can still guess or find out your PHP version using a variety of methods, such as PHP fingerprinting. So, the best way is to update regularly to the latest version of PHP/Nginx.

Hope this helps.
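
An added example, not part of the original post: a small POSIX shell check that reads `curl -sIL` output on stdin and reports any response that still discloses PHP. The function names and both sample responses are constructed for illustration, and the `Server` check goes slightly beyond the post (mod_php under Apache can append `PHP/x.y` to that header while expose_php is on).

```shell
#!/bin/sh
# Added example: audit `curl -sIL` output for PHP version disclosure.
# Handles CRLF line endings, mixed-case header names, and the several
# header blocks that -L produces when the site redirects.
# Real use:  curl -sIL https://domain.com | php_version_hidden

# Print one "LEAK response <n> <header>: <value>" line per disclosing header.
find_php_leaks() {
    tr -d '\r' | awk '
        /^HTTP\// { block++; next }          # status line starts a new response
        {
            pos = index($0, ":")
            if (pos == 0) next                # blank line or not a header
            name = tolower(substr($0, 1, pos - 1))
            value = substr($0, pos + 1)
            sub(/^[ \t]+/, "", value)
            if (name == "x-powered-by" && tolower(value) ~ /php/) {
                print "LEAK response " block " x-powered-by: " value
            } else if (name == "server" && tolower(value) ~ /php\/[0-9]/) {
                print "LEAK response " block " server: " value
            }
        }'
}

# Exit status 0 when no header discloses PHP, 1 otherwise (details on stderr).
php_version_hidden() {
    leaks=$(find_php_leaks)
    if [ -z "$leaks" ]; then
        return 0
    fi
    printf '%s\n' "$leaks" >&2
    return 1
}

# Constructed sample: a redirect followed by a response that exposes PHP.
sample_exposed() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-powered-by: PHP/7.1.3\r\n\r\n'
}

# Constructed sample: the same site after expose_php = Off and a PHP restart.
sample_hidden() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
}

sample_exposed | php_version_hidden || echo "exposed sample: PHP still disclosed"
sample_hidden | php_version_hidden && echo "hidden sample: no PHP disclosure"
```

The header check is the confirmation to trust: `php -i` run from a shell reports the CLI configuration, which can load different ini files than php-fpm.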
 

24x7serverman

Well-known member
Hosting Provider
Registered
Joined
Jul 25, 2017
Messages
651
Points
28
Thanks for sharing, it is helpful.
 

FerdieQO

Well-known member
Joined
Jul 15, 2016
Messages
213
Points
28
You are welcome. To be honest, I am searching for an easier way to do this, because I have cloud hosting from a provider and they hide the PHP version, but it seems they didn't use this way but another way.

If using this way, then it will take effect on all user accounts. Perhaps I only want to use it for any accounts.
 
