By default, client/user/browser see information about your PHP and web server version. If you forgot to update your PHP version, an attacker can use version information to attack or find vulnerabilities in your PHP version.

Let us see how to hide PHP version on a Linux or Unix-like system.
How to find out PHP version using the CLI
You need to use the curl command as follows:
curl -IL https://some-server-ip-OR-domain-name/
curl -IL https://server1.cyberciti.biz/
Sample outputs:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Dec 2017 04:36:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.32
Set-Cookie: PHPSESSID=lf9r4cdc1fqrm5l881ia5p52l2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Robots-Tag: noindex, noarchive
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Whome: l-cbz01
Referrer-Policy: no-referrer-when-downgrade
Hiding your PHP version
You need to edit/create a file named custom.ini as per your Linux/Unix variant. Do not edit php.ini file as it might get updated/replaced with your PHP version. Here is a quick list:
- Alpine Linux and PHP v5.6.xx : /etc/php5/conf.d/custom.ini
- Alpine Linux and PHP v7.xx : /etc/php7/conf.d/custom.ini
- Debian/Ubuntu Linux and PHP v7.xx : /etc/php/7.0/fpm/conf.d/custom.ini
- RHEL/Fedora/CentOS Linux : /etc/php.d/custom.ini
You can always find php directory location using php* and grep command:
$ php -i | more
$ php -i | grep -i -A4 'Additional .ini files parsed'
$ php-fpm5 -i | grep -i -A4 'Additional .ini files parsed'
$ php-fpm7.0 -i | grep -i -A4 'Additional .ini files parsed'
Sample outputs (look for directory name that stores all .ini files):
Configuration File (php.ini) Path => /etc/php/7.0/fpm Loaded Configuration File => /etc/php/7.0/fpm/php.ini Scan this dir for additional .ini files => /etc/php/7.0/fpm/conf.d Additional .ini files parsed => /etc/php/7.0/fpm/conf.d/10-mysqlnd.ini, /etc/php/7.0/fpm/conf.d/10-opcache.ini, /etc/php/7.0/fpm/conf.d/10-pdo.ini, |
Add the following line to custom.ini as per your setup:
############################################## ## this is for Alpine Linux and PHP v5.6.xx ## ############################################## echo 'expose_php = off' >> /etc/php5/conf.d/custom.ini |
Restart/reload PHP
The syntax depends upon your PHP version:
### [ Alpine linux restart php-fpm ] ##
$ sudo /etc/init.d/php-fpm restart
### [ RHEL/CentOS 5.x/6.x restart php-fpm ] ##
$ sudo service php-fpm restart
### [ RHEL/CentOS 7.x restart php-fpm ] ##
$ sudo systemctl restart php-fpm
### [ Debian/Ubuntu Linux latest restart php-fpm ] ##
$sudo service php7.0-fpm restart
### [ FreeBSD restart php-fpm ] ##
$ sudo service php-fpm restart
Verification
Use the curl command again:
$ curl -IL https://some-server-ip-OR-domain-name/
$ curl -IL https://server1.cyberciti.biz/
Sample outputs:
HTTP/1.1 200 OK Server: nginx Date: Tue, 05 Dec 2017 05:17:40 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Set-Cookie: PHPSESSID=6vkcp53a1p99n57lccte9fs0m3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache X-Robots-Tag: noindex, noarchive Strict-Transport-Security: max-age=15768000 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Whome: l-cbz01 Referrer-Policy: no-referrer-when-downgrade
You can also use the nmap command as follows:
sudo nmap -sV --script=http-php-version server-ip-here
sudo nmap -sV --script=http-php-version server1.cyberciti.biz
Sample outputs:
[sudo] password for vivek: Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-05 10:58 IST Nmap scan report for server1.cyberciti.biz (192.168.2.42) Host is up (0.39s latency). rDNS record for 192.168.2.42: 42-2-168-192-staging.balancer.nginx.nixcraft.lan Not shown: 998 closed ports PORT STATE SERVICE VERSION 80/tcp open http nginx |_http-server-header: nginx 443/tcp open ssl/http nginx |_http-server-header: nginx Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds |
A warning about hiding PHP version
This technique falls under Security Through Obscurity. Even if nobody outside of your org allowed to find out anything about PHP version, an attacker can still guess or find your PHP version using other methods such as fingerprinting. I strongly suggest that you apply PHP/Nginx/Apache patches on time and write secure code. Updating PHP is pretty simple as per your Linux/Unix variant:
Update PHP and other apps on an Ubuntu/Debian Linux
Type the following apt command/apt-get command:
$ sudo apt update
$ sudo apt upgrade
Update PHP and other apps on a RHEL/CentOS/Fedora Linux
Type the following yum command:
$ sudo yum update
Update PHP and other apps on an Alpine Linux
Type the following apk command:
# apk update && apk upgrade