How to turn off expose_php?
This article describes how to enable and disable the expose_php directive in a custom php.ini file.

The information in this article only applies to certain types of hosting accounts. To determine whether or not the information below applies to your account, please see this article. This article assumes that you have already set up a custom php.ini file on your web site. If you have not already set up a custom php.ini file, please read this article first.

Using the expose_php directive

When the expose_php directive is enabled, PHP adds the following header to the HTTP response whenever a PHP page is requested (the exact version number depends on your installation):

X-Powered-By: PHP/5.3.27

By default, expose_php is enabled. However, you may not want to broadcast the specific PHP version your site is running: it tells anyone who requests a page exactly which release, and therefore which known bugs, to look for. Similarly, some third-party applications require the expose_php directive to be disabled. To disable it, use a text editor to modify your php.ini file as follows:

expose_php = off

With expose_php disabled, PHP no longer sends the X-Powered-By header. To re-enable it and send the header again, modify your php.ini file as follows:

expose_php = on

Note that expose_php is a system-level (PHP_INI_SYSTEM) directive: it can be set in php.ini, or with php_admin_flag in the Apache configuration when PHP runs as mod_php, but not from a script with ini_set(), from a .user.ini file, or with php_flag in .htaccess.

To verify the current value of expose_php and other directives, you can use the phpinfo() function. Remove or restrict access to that phpinfo() page once you have checked: it publishes far more about the server than the header ever did. For more information, please see this article.

More Information
That's correct. While one could say that potential hackers could look for out-of-date versions of PHP with security holes to exploit, they could potentially do the same even if the header was turned off. In my opinion, it is a good thing to do, but do not expect it to offer much protection. In terms of interacting with third-party services, they should not have to care about which version of PHP you are using. They should be able to serve content in platform-agnostic formats such as JSON, XML, etc., so that the services can be consumed by any platform and not just PHP. In any case, for them to rely on the "consumer's" PHP version is useless, as the header can be easily turned off and perhaps even manipulated by the server administrator. Therefore, it shouldn't be a problem turning it off.

A reader recently brought to my attention a reported vulnerability on servers running PHP. It’s been known about for eons, but it’s new to me and it involves easter eggs in PHP, so I thought it would be fun to share a quick post about what it is and how to prevent leakage of sensitive information about your server. It only takes a moment to disable the easter-egg information, should you decide to do so.

What it is..

Here’s the scoop according to the Open Source Vulnerability DataBase:
Couldn’t have said it better myself. Basically, if you’re running PHP it may be possible for someone to discover the PHP version and other sensitive information. This is also referred to as a type of “fingerprinting” attack. It’s not “threat level midnight” or anything like that, but certainly worth a few moments to lock down: another layer of protection for your website(s).

How it works..

On servers running PHP, visit any page, remove the trailing slash, and append any of the following query-strings:
If the vulnerability is present, requests made with these query-strings result in a variety of easter eggs and detailed PHP credits (see screenshots). When these easter eggs are visible, it means that expose_php is enabled, because PHP only answers the easter-egg queries while that directive is on.

Disable expose_php via php.ini

If you have access to (and can edit) your server’s php.ini, set expose_php = off there, as described above; that stops both the X-Powered-By header and the easter eggs. Note that in addition to PHP sending its info via the X-Powered-By header, Apache announces its own version in the Server header, so the Apache configuration needs attention too. This is done with the ServerTokens directive, which suppresses the version number (ServerTokens Prod reduces the Server header to just “Apache”). The ServerSignature directive (ServerSignature Off) removes the version info from server-generated pages such as error responses, which is an added bonus.

Prevent access via .htaccess

If you don’t have access to httpd.conf, you can still block the easter-egg requests from .htaccess.
Just place that rule in your site’s root .htaccess file and you’re good to go (no editing required). How does it work? In the first line we’re matching our regular expression against the query string of the request; the line terminates with a “no-case” flag ([NC]), so the match is case-insensitive.

All together then

Combining our two Apache techniques, we get an equivalent to disabling expose_php:

1) Add to Apache’s main configuration file (httpd.conf): the ServerTokens and ServerSignature directives.

2) Add to Apache httpd.conf or .htaccess: the rule that blocks the easter-egg query strings.

By combining our two methods we deny access to PHP credits/info and disable broadcasting of the Apache version. That’s effective, but it is not a full equivalent: there’s no way for these Apache rules to prevent PHP itself from sending the X-Powered-By header. Only expose_php = off does that (or, where mod_headers is loaded, a Header unset X-Powered-By directive strips the header after PHP has added it). Note also that Apache’s ServerTokens directive is only honoured in the main server configuration, not in .htaccess, whereas ServerSignature may be set in .htaccess.

PHP easter eggs

When something is intentionally hidden within a book, app, or whatever, it’s referred to as an “easter egg”. PHP has at least four of them. The GUID-triggered easter eggs were removed in PHP 5.5, so only older installations answer the query strings above; the X-Powered-By header is still sent by current releases whenever expose_php is on.
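To make the “fingerprinting” angle concrete, here is an added example (my code, not from the post) that scans Apache access-log lines for easter-egg probes and reports, per client, whether the server served the egg (HTTP 200) or blocked it (HTTP 403), as the .htaccess rule above would. The log lines are constructed, and the GUIDs in them are placeholders in the 8-4-4-4-12 shape rather than PHP’s actual easter-egg GUIDs.

```python
"""Spot PHP easter-egg probes ("fingerprinting") in an Apache access log.

Added example, not part of the original post.  The eggs are requested with a
query string of the form ?=PHP<GUID>.  The GUIDs below are placeholders, not
PHP's real ones, and the log lines are constructed.  A probe answered with
200 means the egg was served (expose_php On, nothing blocking it); a 403
means a blocking rule such as the .htaccess one was in effect.
"""
import re
from collections import defaultdict

# Apache "combined" log format (referer and user-agent optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# '=PHP' (or its %3D-encoded form, which also arrives raw in QUERY_STRING)
# followed by a GUID in 8-4-4-4-12 hex form, as its own query parameter.
EGG_RE = re.compile(
    r'(?:^|&)(?:=|%3d)PHP[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?:&|$)',
    re.IGNORECASE,
)


def is_egg_query(query: str) -> bool:
    """True if the query string looks like a PHP easter-egg request."""
    return EGG_RE.search(query) is not None


def parse_line(line: str):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["status"] = int(rec["status"])
    return rec


def find_egg_probes(lines):
    """Return (probes, per_ip): the matching records and, per client IP,
    how many probes were served (200), blocked (403) or answered otherwise."""
    probes = []
    per_ip = defaultdict(lambda: {"served": 0, "blocked": 0, "other": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_egg_query(rec["query"]):
            continue
        probes.append(rec)
        if rec["status"] == 200:
            bucket = "served"       # egg displayed: version info leaked
        elif rec["status"] == 403:
            bucket = "blocked"      # rewrite rule denied the request
        else:
            bucket = "other"
        per_ip[rec["ip"]][bucket] += 1
    return probes, dict(per_ip)


# Constructed sample log (placeholder GUIDs, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?=PHP00000000-0000-0000-0000-000000000000 HTTP/1.1" 200 4817 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?=PHP11111111-1111-1111-1111-111111111111 HTTP/1.1" 200 2235 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:01 +0000] "GET /about.php?%3DPHP00000000-0000-0000-0000-000000000000 HTTP/1.1" 403 199 "-" "curl/8.1.2"
192.0.2.44 - - [10/Oct/2023:14:10:12 +0000] "GET /index.php?page=PHPinfo HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:10:13 +0000] "GET /index.php?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    probes, per_ip = find_egg_probes(SAMPLE_LOG.splitlines())
    for ip, counts in per_ip.items():
        print(ip, counts)
```

The EGG_RE pattern is deliberately looser than PHP’s own check, which only looks at a query string that begins with “=”, so that %3D-encoded or appended variants are still counted as probes. The Apache rule the post describes matches the same shape against QUERY_STRING; my version of it (not the post’s) is RewriteCond %{QUERY_STRING} ^=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$ [NC] followed by RewriteRule ^ - [F]. A client that gets 200s back has learned your PHP version; a client that gets only 403s is still worth noting, since the same scanners move on to the X-Powered-By header and any phpinfo() page.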
So what’s the deal?

This is all fine and interesting, but is it worth it? It’s been reported that cPanel requires the PHP version info, so some hosts may leave expose_php enabled.

Shouts out

Thank you to Warner Nanninga for bringing this to my attention and helping with further information. Cheers!

About the Author: Jeff Starr, Fullstack Developer. Book Author. Teacher. Human Being.
Should I turn off expose_php?

There are no known risks in disabling expose_php on a web server. Most third-party services are agnostic to the PHP version and do not need this information exposed in order to function properly.
How do I hide the PHP version in WordPress?

The steps are the same for WordPress on Apache and for any other PHP-based site, because the header is sent by PHP itself, not by WordPress:

1) Locate the PHP configuration file. From a terminal, php --ini prints the path of the loaded php.ini; bear in mind that the command-line PHP and the web server’s PHP (mod_php or PHP-FPM) can load different files, and phpinfo() requested through the web server shows the one that matters.

2) Create a backup of that file.

3) Open php.ini in an editor.

4) Hide the PHP server version by setting expose_php = off.

5) Restart the web server (Apache for mod_php, or the PHP-FPM service if PHP runs under FPM) so the change takes effect.

Where is php.ini located?

php.ini is PHP’s main configuration file; it controls settings such as upload sizes, timeouts and resource limits, and its location depends on the installation (see step 1 above). A .user.ini file is something different: it is a per-directory configuration file that PHP reads when running as CGI or FastCGI, placed in the web root (for example the /public_html folder on cPanel hosts). It can only change directives of PHP_INI_PERDIR and PHP_INI_ALL scope; expose_php is PHP_INI_SYSTEM, so putting expose_php = off in a .user.ini file has no effect, and the setting has to go in php.ini (or the web server’s own PHP configuration).
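As an added example (my code, not the hosting provider’s, the FAQ’s, or anything from the article at the top of this page), here is a small Python audit that mechanises the two checks both how-tos leave to the reader: it works out the effective expose_php value from a php.ini body, and it reports whether an HTTP response still carries the X-Powered-By header or an Apache Server header with a version in it. Given a URL on the command line it fetches the live headers; with no argument it runs on the constructed php.ini and response samples embedded in the file. The boolean-parsing rule in _php_bool is my reading of how PHP interprets flag values and is marked as an assumption in the code.

```python
"""Audit the PHP-version leak that expose_php controls.

Added example, not part of the original article.  It checks two things the
article tells you to verify by hand: the effective expose_php value for a
php.ini body, and whether an HTTP response still carries version headers.
The php.ini text and HTTP responses below are constructed samples.
"""
import re
import sys
import urllib.error
import urllib.request


def _php_bool(value: str) -> bool:
    """Boolean ini value as PHP reads it (assumption: on/yes/true are true,
    anything else is true only when its leading integer is non-zero)."""
    v = value.strip().strip('"').lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group()) != 0


def expose_php_effective(ini_text: str) -> bool:
    """Effective expose_php for a php.ini body.  PHP's default is On,
    ';' starts a comment, and a later assignment overrides an earlier one."""
    effective = True
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"expose_php\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            effective = _php_bool(m.group(1))
    return effective


_VERSION = re.compile(r"\d+\.\d+")   # e.g. PHP/5.3.27 or Apache/2.4.57


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> list:
    """Findings for a raw response; an empty list means nothing leaks."""
    h = parse_headers(raw)
    findings = []
    if "x-powered-by" in h:
        findings.append("X-Powered-By: %s (expose_php is On, or another layer adds it)"
                        % h["x-powered-by"])
    if _VERSION.search(h.get("server", "")):
        findings.append("Server: %s carries a version (Apache: ServerTokens Prod)"
                        % h["server"])
    return findings


def fetch_raw(url: str) -> str:
    """Live use: rebuild the status line and headers of a URL as raw text."""
    try:
        resp = urllib.request.urlopen(url)
    except urllib.error.HTTPError as err:       # 4xx/5xx still carry headers
        resp = err
    lines = ["HTTP/1.1 %s %s" % (resp.getcode(), resp.reason)]
    lines += ["%s: %s" % (k, v) for k, v in resp.headers.items()]
    resp.close()
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed samples (not taken from any real host).
SAMPLE_INI = """\
; custom php.ini (constructed sample)
[PHP]
; expose_php = Off        <- commented out, so it does not count
expose_php = On
display_errors = Off
expose_php = Off          ; the later assignment wins
"""
LEAKY = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix)\r\n"
         "X-Powered-By: PHP/5.3.27\r\nContent-Type: text/html\r\n\r\n<html>")
HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    # python expose_php_audit.py https://example.com/  (live), or no argument (samples)
    raw = fetch_raw(sys.argv[1]) if len(sys.argv) > 1 else LEAKY
    state = "On" if expose_php_effective(SAMPLE_INI) else "Off"
    print("sample php.ini: expose_php is effectively", state)
    for finding in audit_headers(raw) or ["no version-bearing headers"]:
        print(finding)
```

The php.ini check only tells you what the text you handed it means; the file the web server’s PHP actually loads may not be the one php --ini shows for the command line, so the header check against a live URL (or phpinfo() requested through the web server, then removed) is the one that settles it.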