Learn How To Hide Version Numbers of Nginx and PHP on a LEMP Server

January 5, 2020

Table of Contents

If you are running one or more websites based on the LEMP stack, a practical security measure is to hide the version numbers of Nginx and PHP. This would prevent hackers from using version-specific security breaches to attack your servers.

Let’s have a look at how to implement this measure on An ITWeb.Services WordPress server instance which is based on the LEMP stack. All of the instructions in this article should apply to other LEMP-based IT Web Services apps as well.

Determine current visibility of version numbers

curl -I [your-server-IP]:80

Then you will see the result, which resembles:

HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Fri, 06 May 2016 04:11:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.20
Link: <http://[your-server-IP]/wp-json/>; rel="https://api.w.org/"

As you see, on my server, the version number of Nginx is 1.10.0, and the version number of PHP is 5.6.20.

Hide the version number of Nginx

Display Nginx configuration details:

nginx -V

Among those parameters, find the parameter “–conf-path” which defines the location of the Nginx configuration file:

--conf-path=/etc/nginx/nginx.conf

Modify the Nginx configuration file with vi:

sudo vi /etc/nginx/nginx.conf

Add a configuration sentence server_tokens off; within the http { } segment:

http {
    ... 
    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    server_tokens  off;    #<= The sentence is added Here.

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

Save and quit:

:wq

Edit the fastcgi configuration file:

sudo vi /etc/nginx/fastcgi_params

Replace the line:

fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

With:

fastcgi_param  SERVER_SOFTWARE    nginx;

Save and quit:

:wq

Hide the version number of PHP

Modify the PHP configuration file:

sudo vi /etc/php.ini

Find the line:

expose_php = On

Modify it to:

expose_php = Off

Save and quit:

:wq

Finally, put your modifications into effect:

sudo pkill php-fpm
sudo php-fpm
sudo service nginx restart

Verify your modifications:

curl -I [your-server-IP]:80

The version info of Nginx and PHP are no longer visible:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 May 2016 05:16:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <http://[your-server-IP ]/wp-json/>; rel="https://api.w.org/"

Need help?

Do you need help setting up this on your own service?
Please contact us and we’ll provide you the best possible quote!