How to Hide or Remove Unwanted Apache Headers to Protect your WordPress Site?

Updated on October 27, 2017

It all starts from here – whenever the client requests for a page, the server sends out response data (the actual content) and some response headers as well. The header contains information such as HTTP response status, Content-Type, Content-Length, Location of the requested page, response date and time, server information and informations generated by third party tools and plugins. For example, a default configuration of web server will send out critical informations such as web server version, name of the operating system, W3 Total Cache version (in case of using WordPress plugin), PHP version, Pagespeed version etc…

Here’s an example header response:

How to view response headers of a website?

Method 1: You can use Chrome Inspect element or Firebug extension. 

apache headers

Method 2: Using Curl command:

$ curl -is | head -20
 HTTP/1.1 301 Moved Permanently
 Date: Tue, 07 Jul 2015 10:59:48 GMT
 Server: Apache/2.2.3 (CentOs)
 X-Powered-By: W3 Total Cache/
 X-Powered-By: PHP/5.4.20
 Content-Length: 308
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

Method 3: Using wget command

$ wget --server-response --spider
Spider mode enabled. Check if remote file exists.
--2015-07-07 17:09:52--
HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jul 2015 10:59:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: W3 Total Cache/
X-Powered-By: PHP/5.4.20
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1

Method 4: Using Telnet

You can telnet to a server on port 80 and send GET request as shown below.

# telnet 80
Connected to (
Escape character is '^]'.
GET / HTTP/1.1

You need to hit enter twice after Host: to see the response headers.

Below is the sample response header:

HTTP/1.1 200 OK
Date: Fri, 27 Oct 2017 09:48:46 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2017-10-27-09; expires=Fri, 03-Nov-2017 09:48:46 GMT; path=/;
Set-Cookie: NID=115=2ZkmDj7Xd8qci5tKQ5PNlNa5QS0556ExBPJzQOTUCA42fWSM1C5fkRsxxiWlIHrpFM3Q_rxDpRvF4qjFRPpuiUBRFcQxH5f8g7gkFDEqNH_aKi8LZuuohJbX7cWj_uLu; expires=Sat, 28-Apr-2018 09:48:46 GMT; path=/;; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

From the above examples, you can see information such as Apache version, operating system name, PHP version, Pingback URL, Mod-Pagespeed version etc…It doesn’t stop there, sometimes third party tools and plugins might push few information into headers and that are visible publicly.

It’s a good practice to hide those information using Apache Header Directive. The apache header directive will be processed before the server responds to the client and hence it allows you to set or unset response headers.

To do that, you need headers_module. Check if your webserver has Header module installed using the below command:

# /usr/sbin/httpd -M

You will find more information about Apache Modules and list of enabled modules here!

Too many modules! Too many problems:

You should never be loading too many modules that are not required for your server. Too many modules, too many problems. Learn to list all modules loaded by PHP and disable unwanted ones to secure your website.

Turn Off Apache Signature information

Open httpd.conf file as below:

# vim /etc/httpd/conf/httpd.conf

Make sure, you set the values of ‘ServerSignature‘ and ‘ServerTokens‘ as below:

ServerSignature Off
ServerTokens Prod

Restart the web server as below:

# /etc/init.d/httpd restart

Turn Off PHP version information

Open php.ini file as below:

# vi /etc/php.ini

Make sure ‘expose_php‘ is turned Off as below:

expose_php = Off

Restart web server as below:

# /etc/init.d/httpd restart

Now, lets go ahead and remove some of the unwanted response headers:

Set or Unset Apache response headers

Copy and paste the below lines in httpd.conf or .htaccess

<IfModule mod_headers.c>
 Header unset Server
 Header always unset X-Powered-By
 Header unset X-Powered-By
 Header unset X-CF-Powered-By
 Header unset X-Mod-Pagespeed
 Header unset X-Pingback

Restart web server as below:

# /etc/init.d/httpd restart

That’s it! After restarting the web server, the headers_module will unset headers such as ‘Server’, ‘X-Powered-By’, ‘X-CF-Powered-By’, ‘X-Mod-Pagespeed’, ‘X-Pingback’ before sending out the response.

Note: You cannot completely remove ‘Server‘ from response data – you’ll still ‘Server: Apache‘ in the response headers. Also you may need to use ‘Header always unset X-Powered-By‘ to remove headers generated by CGI.


A Complete Guide to Secure your WordPress, Web Server and Database!

Also Download ebook on : WordPress Optimization.

Was this article helpful?

Related Articles

Comments Leave a Comment

  1. All of these tutorials are editing the wrong file. It’s NOT apache/conf/httpd.conf

    You need to edit apache/conf/extra/httpd-default.conf

    When you open it you will see the variable you were adding to the wrong file. Remove them from the httpd.conf file.

    Remember you must restart your Apache server for this to work.

    Hope that helps.

    1. Thanks Rany.

      The location of the configuration file changes based on the installation. Some versions install the configuration file under /etc/ folder and new versions of Apache places the configuration file in apache folder

  2. Hello,

    I get x-proxy-cache: MISS – in my wordpress blog that operate on apache server. whats the cause of this.

  3. Hi, I am so thankful to you about this blog! I was searching for this header unset thing but none of the options were actually working!

    I just applied your option and worked like a charm!

    Thank you once more!

  4. Hello Sir


    I have tried to follow you in above given helps.

    Most of the work happen nicely version are hidden now.

    But i want to hide this one as well.

    Server: Apache
    Server: gws

    please help me bit more about it.

Leave a Comment