How to Hide or Remove Unwanted Apache Headers to Protect your WordPress Site?

It all starts here: whenever a client requests a page, the server sends back the response body (the actual content) together with a set of response headers. The headers carry information such as the HTTP status, Content-Type, Content-Length, the Location of the requested page, the response date and time, server details, and values added by third-party tools and plugins. For example, a web server with its default configuration will disclose sensitive details such as the web server version, the operating system name, the W3 Total Cache version, the PHP version, the Pagespeed version and so on.

Here’s an example header response:

How to view response headers of a website?

Method 1: Use Chrome's Inspect Element or the Firebug extension.


Method 2: Using Curl command:

$ curl -is http://domain.com/ | head -20
 HTTP/1.1 301 Moved Permanently
 Date: Tue, 07 Jul 2015 10:59:48 GMT
 Server: Apache/2.2.3 (CentOs)
 Location: http://domain.com
 X-Powered-By: W3 Total Cache/0.9.2.3
 X-Powered-By: PHP/5.4.20
 X-Pingback: http://domain.com/xmlrpc.php
 X-Mod-Pagespeed: 1.6.29.7-3343
 Content-Length: 308
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

Method 3: Using wget command

$ wget --server-response --spider http://domain.com
Spider mode enabled. Check if remote file exists.
--2015-07-07 17:09:52-- http://domain.com
::::::::::::::::::::::::::::::::::::
HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jul 2015 10:59:48 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://domain.com
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/5.4.20
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 1.6.29.7-3343
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1

From the above examples you can see the Apache version, operating system name, PHP version, pingback URL, mod_pagespeed version and more. It doesn't stop there: third-party tools and plugins sometimes push extra information into the headers, and all of it is publicly visible.

It's good practice to hide this information using the Apache Header directive. The Header directive is processed before the server responds to the client, so it lets you set or unset response headers.

To do that you need headers_module (mod_headers). Check whether your web server has the module loaded using the command below:

# /usr/sbin/httpd -M

The Apache documentation has more information about Apache modules and how to list the enabled ones.

Turn Off Apache Signature information

Open httpd.conf file as below:

# vim /etc/httpd/conf/httpd.conf

Make sure you set the values of 'ServerSignature' and 'ServerTokens' as below:

ServerSignature Off
ServerTokens Prod

Restart the web server as below:

# /etc/init.d/httpd restart

Turn Off PHP version information

Open php.ini file as below:

# vi /etc/php.ini

Make sure 'expose_php' is turned Off as below:

expose_php = Off

Restart web server as below:

# /etc/init.d/httpd restart

Now, let's go ahead and remove some of the unwanted response headers:

Set or Unset Apache response headers

Copy and paste the lines below into httpd.conf or .htaccess:

<IfModule mod_headers.c>
 Header unset Server
 Header always unset X-Powered-By
 Header unset X-Powered-By
 Header unset X-CF-Powered-By
 Header unset X-Mod-Pagespeed
 Header unset X-Pingback
</IfModule>

Restart web server as below:

# /etc/init.d/httpd restart

That’s it! After restarting the web server, the headers_module will unset headers such as ‘Server’, ‘X-Powered-By’, ‘X-CF-Powered-By’, ‘X-Mod-Pagespeed’, ‘X-Pingback’ before sending out the response.

Note: You cannot completely remove the 'Server' header from the response; you'll still see 'Server: Apache' in the response headers. Also, you may need 'Header always unset X-Powered-By' to remove headers generated by CGI.
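To confirm the changes took effect, here is an added check (not from the original post) that reads raw response headers from stdin, as produced by `curl -is`, and lists every header that still leaks a product, version or platform. The before/after samples embedded in it are constructed from the output shown above, and the set of header names it flags is an assumption that extends the post's own list.

```shell
# Constructed sample: the pre-hardening curl output from this post, not a live capture.
BEFORE='HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jul 2015 10:59:48 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://domain.com
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/5.4.20
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 1.6.29.7-3343
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1'

# Constructed: the same response after ServerTokens Prod, expose_php = Off
# and the Header unset rules above have been applied.
AFTER='HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jul 2015 10:59:48 GMT
Server: Apache
Location: http://domain.com
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1'

# leaking_headers: reads raw HTTP response headers on stdin and prints each
# header that discloses software, version or platform details, one per line.
leaking_headers() {
    tr -d '\r' | awk '
        /^[A-Za-z-]+:/ {
            i = index($0, ":")
            name = tolower(substr($0, 1, i - 1))
            value = substr($0, i + 1); sub(/^ +/, "", value)
            # Headers whose only purpose is to advertise a tool or plugin (assumed list)
            if (name ~ /^(x-powered-by|x-cf-powered-by|x-mod-pagespeed|x-pingback|x-aspnet-version|x-generator)$/) {
                print; next
            }
            # A bare product name (ServerTokens Prod) is acceptable; a version
            # number or an OS in parentheses is still a leak.
            if (name == "server" && value ~ "[/(]") print
        }'
}

# count_leaks: number of leaking headers in the header text passed as $1
count_leaks() {
    printf '%s\n' "$1" | leaking_headers | wc -l | tr -d ' '
}

echo "before hardening: $(count_leaks "$BEFORE") leaking header(s)"
printf '%s\n' "$BEFORE" | leaking_headers
echo "after hardening:  $(count_leaks "$AFTER") leaking header(s)"
```

Against a live site, pipe `curl -is http://domain.com/ | leaking_headers`; an empty result means the hardening worked.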
