You probably know that revealing the information contains in Server Signature could be a security thread to your system. Nowadays, it is very easy for anyone to get Server Signature of your website. There are plenty of websites on internet to reveal such information like ‘whatsmyip‘. You can Disable Server Signature by Editing Htaccess/Apache to hide such sensitive information. You can also use a WP plugin to Turn off Server Signature in WordPress. In this post, I will discuss about how to Disable Server Signature by editing Htaccess/Apache.
First of all, we need know What Server Signature is? and Why hiding Web Server Signature of your website is really important? How you can Turn off Server Signature in WordPress?
What is Server Signature?
Server Signature is an important piece of information about your server and operating system. i.e. suppose, you are using an Apache server with Ubuntu operating system. The version number of Apache Server and Operating System information will be displayed in Server Signature. And as a result it should be look like…
Apache/2.2.20 (Ubuntu) Server or
Apache Phusion_Passenger/X.X.1X mod_bwlimited/1.X mod_fcgid/X.X.X
And if your website build on WordPress and you are using a caching plugin like W3 Total Cache. Server Signature of your website will look like…
Web Server: Apache
Programming Language: W3 Total Cache/0.X.X.1
Furthermore, HTTP response header information also reveals PHP version you are using on your website. This HTTP response header information is regulated by ServerTokens in Apache Server. Therefore, revealed information about the PHP version through HTTP response headers looks like the example given below.
X-Powered-By - PHP/5.4.4-XxX-XXxxX
And website build on WordPress with caching plugin could reveal the Server Signature information as per the below given line…
X-Powered-By - W3 Total Cache/0.X.X.1
You can check your websites server signature status on whatsmyip or Firewallmonitor.
Why Hiding Web Server Signature is really important?
Error pages of your website like 404 not found, 403 access forbidden pages contains server signature i.e. server version number, operating system etc. Such information could be misused by attackers. Mostly servers or operating systems has some loopholes that could be misused. Hence, one with these details can paralyzed your system with focused attacks.
Unknowingly or knowingly, revealing such information about your server/operating system/PHP versions is a potential threats. And it is a big security risk for you website which are hosted on such web servers, it shows your system’s vulnerability to attackers.
Note:
Before you edit Htaccess/Apache config files, it is advisable to create a backup of configuration file. So that you can go back to previous state if something went wrong.
How to Disable Server Signature by editing Htaccess/Apache?
There are various ways to Disable Server Signature, and it totally depends upon your server. Here I will share few most commonly used server signature disabling methods for Apache.
Disable Server Signature on Apache by editing config file
To Disable Server Signature on Apache, you need to edit Apache config file. You can found config file on following locations depending upon the operating system being used by your web server.
On Linux Mint, Ubuntu or Debian you can find config file here
$ sudo vi /etc/apache2/apache2.conf
On Fedora, Arch Linux, CentOS or RHEL you can find config file here
$ sudo vi /etc/httpd/conf/httpd.conf
Now, to turn off Server Signature, add the given below code at end of Apache config file
ServerSignature Off ServerTokens Prod
PHP version in HTTP response header can also be hide by setting ServerTokens to Prod.
Turn off Server Signature in WordPress by editing Htaccess file
In order to Turn off Server Signature in WordPress, you need to edit Htaccess file. Here is detailed guide How you can edit Htaccess file on WordPress.
Finally, add given below code at end of Htaccess file
# START - Disable server signature # ServerSignature Off # END - Disable server signature #
Another method is to use a WP Plugin. There is a WordPress Plugin available for free on WordPress repository call WP htaccess Control. You can use this plugin to Turn off Server Signature in WordPress.
The plugin is especially relevant for beginners. If you have used WordPress for at least 2-3 months, you must know how to use code in Htaccess file. I would recommend you to use the Htaccess code instead of using a plugin for only this purpose.
Did you know that, you can increase your WordPress Website PageSpeed in a significant manner by only using few line of code in Htaccess. Here is a detailed guide about How to Increase Page Speed using Htaccess (WordPress).
Disable PHP version in ASP.NET/Apache
Disable PHP version on ASP.NET
Server signature on ASP.NET can be disabled by adding following code in <system.web> element, in your Web.config file
<httpRuntime enableVersionHeader="false" />
Disable PHP Version on Apache
On Linux Mint, Ubuntu or Debian you can find config file here
$ sudo vi /etc/php5/apache2/php.ini
On Fedora, Arch Linux, CentOS or RHEL you can find config file here
$ sudo vi /etc/php.ini
Now, look for expose_php = On and change it to
expose_php = Off
Bonus Tip
In addition to that, there is a bonus tip. You can also Disable WordPress Version information from your website. You need to edit your functions.php file rather than Htaccess file for this. Add given below code in the functions.php file of your WordPress theme. It will remove the WordPress version you are using from signature.
//TN Disable WordPress Version from your website
function tn_disable_wp_version() {
return '';
}
add_filter ( 'the_generator' , 'tn_disable_wp_version' );
Wrapping Up
I would recommend you to hide all sensitive Server Signature Information by disabling it. You can edit Apache configuration file or edit the Htaccess files, in order to minimize risk and to strengthen your system. Hope you find this post useful, which method you are using to turn off server signature. Do share your feedback in the comment section below.
In addition to that you maybe interested to read following tutorials –
Enable Gzip Compression in WordPress via .htaccess file
How to Enable Keep-Alive to Speed up Your Site
Add Lazy Load Comments in WordPress to increase PageSpeed
How to Optimize WordPress Robots.txt file for SEO
![20+ Best Website Speed Test Tools — How Fast is Your Site? Run a Free Site Speed Audit [2021]](https://technumero.com/wp-content/uploads/2021/03/Best-Website-Speed-Test-Tools-370x170.png "Best Website Speed Test Tools")
Its not really worked foe me!
I passed all step, i have “X-Powered-By – W3 Total Cache/0.X.X.1” on my server print.
How to disable server signatur if i’m using godaddy shared hosting plan?
As far as i know, Godaddy shared hosting plan uses the Apache server. Edit your .htaccess file and paste the following code into the same.
# START - Disable server signature #ServerSignature Off
# END - Disable server signature #
This did not work for me. Bluehost web hosting. Apache server.
# START – Disable server signature #
ServerSignature Off
# END – Disable server signature #
Did not work. Any further input would be appreciated.
It should work, however, you can contact to your hosting provider.
Hello Saurabh K Yadav , i’m trying to disable server signature using this httacess code “# START – Disable server signature #
ServerSignature Off” but its not working for me.. how can i disable ?
Add the following code into htaccess file.
# START - Disable server signature #ServerSignature Off
# END - Disable server signature #
thanks for the solution you give. this really useful
very detailed guide…but it did not work for me on wordpress
Try to put the following code in htaccess file… if you are on apache, it should work.
# START - Disable server signature #ServerSignature Off
# END - Disable server signature #
How to turn off server signature of the website. I tried the following code in .htaccess file but it doesn’t work
ServerSignature Off
ServerTokens Prod
I can’t find apache2.conf/httpd.conf files my hosting is GoDaddy
please tell me how to turn it off
Godaddy shared hosting plan uses the Apache server. Edit your .htaccess file and paste the following code.
# START - Disable server signature #ServerSignature Off
# END - Disable server signature #
thank you
Thanks much for your help.
Informative and Helpful article ..
Thanks. Glad, I could help.
It is a great piece of information for beginners like me. Thanks for the post.
Thank you for this information it has help me alot I so much appreciate you.