Applicable to:
- Plesk for Linux
Question
How to remove PHP version from the X-Powered-By HTTP header?
Answer
-
Navigate to Domains > example.com > PHP Settings.
-
Put the following line to the Additional configuration directives section:
CONFIG_TEXT: expose_php = off
-
Verify that the header is not shown anymore:
# curl -sIL example.com/index.php | grep -c PHP
-
Connect to the Plesk server via SSH.
Note: If direct SSH access to the server is not possible, contact server administrator for further assistance.
-
Check if
php.inifile for the handler contains theexpose_phpdirective:# cat /opt/plesk/php/X.X/etc/php.ini | grep expose_php
expose_php = On- where X.X - a PHP version, e.g. 5.6, 7.0, 7.1, etc
-
If the directive is present (the output of the command from step 2 is the same), change
expose_php = Ontoexpose_php = Off.
If not, create a new.iniconfiguration file in the appropriate PHP directory:# echo 'expose_php = off' > /opt/plesk/php/X.X/etc/php.d/hideheader.ini
- where X.X - a PHP version, e.g. 5.6, 7.0, 7.1, etc
-
Reload the Plesk PHP service configuration:
# service plesk-phpXX-fpm reload
-
where phpXX - a PHP version, e.g. php56, php70, php71, etc.
-
If the domains are using PHP FastCGI it is necessary to restart Apache webserver:
# systemctl restart httpd
# systemctl restart apache2
-
-
Verify that the header is not shown anymore:
# curl -sIL example.com/index.php | grep -c PHP
-
Connect to the Plesk server via SSH.
Note: If direct SSH access to the server is not possible, contact server administrator for further assistance.
-
In
/etc/psa-webmail/horde/horde/php.inior/etc/psa-webmail/roundcube/php.iniset expose_php parameter as below:CONFIG_TEXT: expose_php = Off
-
Restart Apache:
# service httpd restart
-
Verify that the header is not shown anymore:
# curl -sIL webmail.example.com/index.php | grep PHP
Comments
7 comments
Hey !
I have followed the same steps but it wasn't working, in order to accomplish the same, i have manually edit the each fpm php.ini file and reload the same.
Example For X.X
/opt/plesk/php/X.X/etc/php.ini
change expose_php = On to expose_php = Off
where X.X is my php versions.
Hello @Arvind Kumar Madhukar,
Both approaches are correct.
If expose_php is set to Off directly in php.ini or included as php.d/hideheader.ini, PHP version displaying is disabled in these cases.
It can be checked using a query like the following:
# /opt/plesk/php/X.X/bin/php -i | grep expose_php
expose_php => Off => Off
Wenn ich das mit Plesk 18.0.36 mache , passiert nichts.
Meine Schritte:
nano /opt/plesk/php/7.4/etc/php.ini
Ändern in:expose_php = Off
systemctl restart plesk-php74-fpm.service
Tobias Maffert Please let me draw your attention that, if the domains are using PHP FastCGI it is necessary to restart the Apache webserver using one of the following commands:
In case the issue persists after that, consider submitting a ticket to Plesk technical support.
Doing it for webmail does it in files that are marked "Don't Edit". How to do it without the risk of the change being overwritten?
TomBob Changes made in /etc/psa-webmail/horde/horde/php.ini or /etc/psa-webmail/roundcube/php.ini can be overwritten in case of Plesk updates. To make any changes in these files persistent, it is required to follow these steps:
Create a special
php.ini.tpl.localfile:/usr/share/psa-roundcube/config/php.ini.tpl.local/etc/psa-webmail/horde/horde/php.ini.tpl.localAdd the required custom change, for expose_php:
[PHP]
expose_php = Off
Re-install Roundcube/Horde to apply changes.
Leaking PHP information is risky.
These settings should be applied by default.
Please sign in to leave a comment.