Secure WordPress: Hide Server and PHP Info in Headers

Explanation

To make your WordPress site a bit more secure, you can hide some server and PHP details that are usually visible in HTTP headers. This helps in keeping potential attackers from knowing too much about your server setup.

Remove PHP Version: The first function removes the 'X-Powered-By' header, which usually shows the PHP version. This is done by using header_remove('X-Powered-By').

Remove Unwanted Headers: Another function is used to unset several headers like 'Server', 'X-AspNet-Version', and 'X-AspNetMvc-Version'. This is achieved by unsetting these headers in the wp_headers filter.

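Disable Server Signature: If your server runs Apache, the code tries to blank the 'Server' header by sending it with an empty value. It does this only when apache_get_modules() is available and reports that 'mod_headers' is loaded. Apache normally writes its own Server header when it sends the response, so check the result after deploying; trimming the header to the bare product name is done with ServerTokens Prod in the main server configuration, which cannot be set from .htaccess.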

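Modify .htaccess: Lastly, the code appends directives to the .htaccess file: ServerSignature Off, which removes the server version footer Apache adds to pages it generates itself (such as error pages), and Header unset lines for 'X-Powered-By' and 'Server'. This is done only if the file is writable and doesn't already contain these directives.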

By implementing these changes, you can reduce the amount of information your server reveals, making it a bit harder for anyone trying to exploit known vulnerabilities based on server details.

Code

<?php
// Function to remove PHP version from HTTP headers
function wp_dudecom_remove_php_version() {
    header_remove('X-Powered-By');
}
add_action('init', 'wp_dudecom_remove_php_version');

// Function to remove server signature and other unwanted headers
function wp_dudecom_remove_unwanted_headers($headers) {
    unset($headers['X-Powered-By']);
    unset($headers['Server']);
    unset($headers['X-AspNet-Version']);
    unset($headers['X-AspNetMvc-Version']);
    return $headers;
}
add_filter('wp_headers', 'wp_dudecom_remove_unwanted_headers');

// Function to disable server signature in Apache
function wp_dudecom_disable_server_signature() {
    if (function_exists('apache_get_modules') && in_array('mod_headers', apache_get_modules())) {
        header('Server: ');
    }
}
add_action('send_headers', 'wp_dudecom_disable_server_signature');

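// Function to modify .htaccess to hide server information
function wp_dudecom_modify_htaccess() {
    $htaccess_file = ABSPATH . '.htaccess';
    if (file_exists($htaccess_file) && is_writable($htaccess_file)) {
        $htaccess_content = file_get_contents($htaccess_file);
        if ($htaccess_content === false) {
            return; // Could not read the file; leave it untouched
        }
        $directives = "\n# WP-DUDE.COM: Hide server information\n";
        $directives .= "ServerSignature Off\n";
        // Guard the Header directives so Apache does not answer with a
        // 500 error when mod_headers is not loaded
        $directives .= "<IfModule mod_headers.c>\n";
        $directives .= "Header unset X-Powered-By\n";
        $directives .= "Header unset Server\n";
        $directives .= "</IfModule>\n";

        // Append only once, and lock the file while writing
        if (strpos($htaccess_content, 'WP-DUDE.COM: Hide server information') === false) {
            file_put_contents($htaccess_file, $directives, FILE_APPEND | LOCK_EX);
        }
    }
}
add_action('init', 'wp_dudecom_modify_htaccess');
?>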

Instructions

File Location: Add the code above to your theme's functions.php file or a custom plugin file.

Prerequisites: Ensure you have access to your WordPress files and the ability to edit them. Familiarity with accessing your server via FTP or a file manager is helpful.

Implementation Steps:

  • Access Your WordPress Files: Use an FTP client or your hosting provider's file manager to navigate to your WordPress installation directory.
  • Edit functions.php or Create a Plugin:
    • If using functions.php: Navigate to wp-content/themes/your-active-theme/ and open functions.php for editing.
    • If creating a plugin: Navigate to wp-content/plugins/, create a new folder, and within it, create a PHP file (e.g., hide-server-info.php).
  • Add the Code: Copy and paste the provided code into the file you are editing.
  • Save Changes: Save the file after adding the code.
  • Verify Changes: Clear your browser cache and check your site's HTTP headers using browser developer tools or an online header checker to ensure the headers are removed.
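
The Verify Changes step can also be done from a shell. The script below is an added example, not part of the original code: the function name audit_headers, the sample responses, and the rule that a 'Server' value counts as a leak only when it contains a version number are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit response headers for the disclosures this page covers.
# Live use on a site you run:  curl -sI https://example.com/ | audit_headers

# Reads raw response headers on stdin, prints one line per finding,
# returns 0 when nothing is disclosed and 1 otherwise.
audit_headers() {
    awk '
    {
        sub(/\r$/, "")                 # tolerate CRLF line endings
        sep = index($0, ":")
        if (sep == 0) next             # status line or blank line
        name  = tolower(substr($0, 1, sep - 1))
        value = substr($0, sep + 1)
        sub(/^[ \t]+/, "", value)
        if (name == "x-powered-by" || name == "x-aspnet-version" ||
            name == "x-aspnetmvc-version") {
            printf "LEAK %s: %s\n", name, value
            found = 1
        } else if (name == "server" && value ~ /[0-9]/) {
            # Assumption: a bare product name passes, a version does not
            printf "LEAK server: %s\n", value
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample responses (not captured from a real site).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 10:00:00 GMT
Server: Apache/2.4.57 (Debian)
X-Powered-By: PHP/8.2.7
Content-Type: text/html; charset=UTF-8
'
SAMPLE_AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 10:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
'

echo "before:"; printf '%s' "$SAMPLE_BEFORE" | audit_headers || true
echo "after:";  printf '%s' "$SAMPLE_AFTER"  | audit_headers && echo "clean"
```

Because the function exits non-zero when it finds a disclosure, it can serve as a post-deploy check that fails if a later server or PHP update brings the headers back.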

If you need assistance with this implementation or require more advanced functionality, consider reaching out to wp-dude.com for expert help.