How to Disable Server Signature by Editing .htaccess/Apache


You probably know that revealing the information contained in the Server Signature can be a security threat to your system. Nowadays, it is very easy for anyone to get the Server Signature of your website. Plenty of websites on the internet, such as ‘whatsmyip’, reveal this information. You can disable the Server Signature by editing .htaccess or the Apache configuration to hide such sensitive information. You can also use a WP plugin to turn off the Server Signature in WordPress. In this post, I will discuss how to disable the Server Signature by editing .htaccess/Apache.

First of all, we need to know what the Server Signature is, why hiding the web server signature of your website is really important, and how you can turn off the Server Signature in WordPress.


What is Server Signature?

The Server Signature is an important piece of information about your server and operating system. For example, suppose you are using an Apache server with the Ubuntu operating system. The version number of the Apache server and the operating system information will be displayed in the Server Signature. As a result, it will look like…

Apache/2.2.20 (Ubuntu) Server or

Apache Phusion_Passenger/X.X.1X mod_bwlimited/1.X mod_fcgid/X.X.X

If your website is built on WordPress and you are using a caching plugin like W3 Total Cache, the Server Signature of your website will look like…

Web Server: Apache
Programming Language: W3 Total Cache/0.X.X.1

Furthermore, HTTP response header information also reveals the PHP version you are using on your website. This HTTP response header information is regulated by ServerTokens in Apache Server. The PHP version revealed through HTTP response headers looks like the example given below.

X-Powered-By - PHP/5.4.4-XxX-XXxxX

A website built on WordPress with a caching plugin could reveal the Server Signature information as in the line given below…

X-Powered-By - W3 Total Cache/0.X.X.1

You can check your website's server signature status on whatsmyip or Firewallmonitor.

Why Hiding Web Server Signature is really important?

Error pages of your website, like 404 Not Found and 403 Access Forbidden pages, contain the server signature, i.e. server version number, operating system etc. Such information could be misused by attackers. Most servers or operating systems have some loopholes that could be misused. Hence, someone with these details can paralyze your system with focused attacks.

Unknowingly or knowingly, revealing such information about your server/operating system/PHP versions is a potential threat. It is a big security risk for your websites hosted on such web servers, because it shows your system’s vulnerability to attackers.

Note:
Before you edit .htaccess/Apache config files, it is advisable to create a backup of the configuration file, so that you can go back to the previous state if something goes wrong.

How to Disable Server Signature by editing Htaccess/Apache?

There are various ways to disable the Server Signature, and it totally depends upon your server. Here I will share a few of the most commonly used server signature disabling methods for Apache.

Disable Server Signature on Apache by editing config file

To disable the Server Signature on Apache, you need to edit the Apache config file. You can find the config file in the following locations, depending upon the operating system being used by your web server.

On Linux Mint, Ubuntu or Debian you can find config file here

$ sudo vi /etc/apache2/apache2.conf

On Fedora, Arch Linux, CentOS or RHEL you can find config file here

$ sudo vi /etc/httpd/conf/httpd.conf

Now, to turn off the Server Signature, add the code given below at the end of the Apache config file

ServerSignature Off
ServerTokens Prod

The PHP version in the HTTP response header can also be hidden by setting ServerTokens to Prod.

Turn off Server Signature in WordPress by editing Htaccess file

In order to turn off the Server Signature in WordPress, you need to edit the .htaccess file. Here is a detailed guide on how you can edit the .htaccess file on WordPress.

Finally, add the code given below at the end of the .htaccess file

# START - Disable server signature #
ServerSignature Off
# END - Disable server signature #

Another method is to use a WP plugin. There is a WordPress plugin available for free in the WordPress repository called WP htaccess Control. You can use this plugin to turn off the Server Signature in WordPress.

Turn off Server Signature in WordPress with WP htaccess Control Plugin

The plugin is especially relevant for beginners. If you have used WordPress for at least 2-3 months, you must know how to use code in the .htaccess file. I would recommend using the .htaccess code instead of using a plugin for only this purpose.

Did you know that you can increase your WordPress website PageSpeed significantly by using only a few lines of code in .htaccess? Here is a detailed guide about How to Increase Page Speed using Htaccess (WordPress).

Disable PHP version in ASP.NET/Apache

Disable PHP version on ASP.NET

The server signature on ASP.NET can be disabled by adding the following code in the <system.web> element of your Web.config file

<httpRuntime enableVersionHeader="false" />

Disable PHP Version on Apache

On Linux Mint, Ubuntu or Debian you can find config file here

$ sudo vi /etc/php5/apache2/php.ini

On Fedora, Arch Linux, CentOS or RHEL you can find config file here

$ sudo vi /etc/php.ini

Now, look for expose_php = On and change it to

expose_php = Off
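
To confirm the changes took effect, the following added example (not part of the original post) checks captured response headers for the disclosures discussed above: a versioned Server header, X-Powered-By, and X-AspNet-Version. The function name audit_headers and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit response headers for version disclosure.
# Live use (placeholder hostname): curl -sI https://example.com/ | audit_headers

audit_headers() {
    # Reads raw response headers on stdin; prints one line per disclosure.
    # Exit status: 0 = nothing disclosed, 1 = at least one finding.
    tr -d '\r' | awk '
        /^[A-Za-z-]+:/ {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
            # ServerTokens Prod leaves only the product name ("Apache"), so a
            # version token ("/2.2.20") or an OS comment ("(Ubuntu)") is a leak.
            # ServerTokens is only valid in the main server config, so a
            # .htaccess-only change can leave this header unchanged.
            if (name == "server" && value ~ /\/[0-9]|\(/) {
                print "LEAK server: " value; found = 1
            }
            # X-Powered-By (PHP expose_php, caching plugins) and
            # X-AspNet-Version (enableVersionHeader) should be absent entirely.
            if (name == "x-powered-by" || name == "x-aspnet-version") {
                print "LEAK " name ": " value; found = 1
            }
        }
        END { exit found + 0 }
    '
}

# Constructed sample responses, before and after hardening.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.4.4
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

printf '%s\n' "$BEFORE" | audit_headers || echo "before: still disclosing"
printf '%s\n' "$AFTER"  | audit_headers && echo "after: clean"
```

Run it against an error page as well as a normal page, since the ServerSignature footer appears only on server-generated pages such as 404 and 403 responses.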

Bonus Tip

In addition to that, there is a bonus tip. You can also remove the WordPress version information from your website. For this you need to edit your functions.php file rather than the .htaccess file. Add the code given below to the functions.php file of your WordPress theme. It will remove the WordPress version you are using from the signature.

// TN Disable WordPress Version from your website
function tn_disable_wp_version() {
    // Returning an empty string removes the generator tag output.
    return '';
}
add_filter( 'the_generator', 'tn_disable_wp_version' );

Wrapping Up

I would recommend hiding all sensitive Server Signature information by disabling it. You can edit the Apache configuration file or the .htaccess files in order to minimize risk and strengthen your system. I hope you find this post useful. Which method are you using to turn off the server signature? Do share your feedback in the comment section below.

Saurabh K
Saurabh K is a technology enthusiast and part-time blogger. He loves to explore the efficient use of technology and gadgets. He is an outlier and lensman. Add him in your social circle to know more.

18 thoughts on “How to Disable Server Signature by Editing .htaccess/Apache”

  1. Avatar of Masoud Yarmohammadi

    It's not really worked for me!
    I passed all steps, I have “X-Powered-By – W3 Total Cache/0.X.X.1” on my server print.

    Reply
  2. Avatar of Sparsh Tekriwal

    How to disable server signature if I’m using GoDaddy shared hosting plan?

    Reply
    • As far as I know, GoDaddy shared hosting plan uses the Apache server. Edit your .htaccess file and paste the following code into the same.
      # START - Disable server signature #
      ServerSignature Off
      # END - Disable server signature #

      Reply
      • Avatar of Scott

        This did not work for me. Bluehost web hosting. Apache server.

        # START – Disable server signature #
        ServerSignature Off
        # END – Disable server signature #

        Did not work. Any further input would be appreciated.

        Reply
        • It should work, however, you can contact your hosting provider.

          Reply
  3. Avatar of Depali Jain

    Hello Saurabh K Yadav, I’m trying to disable server signature using this htaccess code “# START – Disable server signature #
    ServerSignature Off” but it's not working for me. How can I disable it?

    Reply
    • Add the following code into htaccess file.
      # START - Disable server signature #
      ServerSignature Off
      # END - Disable server signature #

      Reply
  4. Avatar of Kalkulator Grosir

    Thanks for the solution you give. This is really useful.

    Reply
  5. Avatar of Abhijeet

    Very detailed guide… but it did not work for me on WordPress.

    Reply
    • Try to put the following code in htaccess file… if you are on apache, it should work.
      # START - Disable server signature #
      ServerSignature Off
      # END - Disable server signature #

      Reply
  6. Avatar of Melroy

    How to turn off server signature of the website. I tried the following code in .htaccess file but it doesn’t work

    ServerSignature Off
    ServerTokens Prod

    I can’t find apache2.conf/httpd.conf files my hosting is GoDaddy
    please tell me how to turn it off

    Reply
    • GoDaddy shared hosting plan uses the Apache server. Edit your .htaccess file and paste the following code.
      # START - Disable server signature #
      ServerSignature Off
      # END - Disable server signature #

      Reply
  7. Avatar of Melroy

    thank you

    Reply
  8. Avatar of Nagy Dávid

    Thanks much for your help.

    Reply
  9. Avatar of kuldeep gupta

    Informative and Helpful article ..

    Reply
    • Avatar of Saurabh K

      Thanks. Glad, I could help.

      Reply
  10. Avatar of Thirunavukkarasu Sivasubramaniam

    It is a great piece of information for beginners like me. Thanks for the post.

    Reply
  11. Avatar of Innocent Cyril

    Thank you for this information, it has helped me a lot. I so much appreciate you.

    Reply
