In this tutorial you will learn how to disable the server signature by editing the .htaccess file of your WordPress blog. Do not invite attackers by revealing your blog's server signature. Many people don't know that they are exposing highly sensitive information about their website on the open web. Anyone can obtain your website's server signature using services such as whatsmyip or Firewallmonitor. Continue reading to strengthen your WordPress security.
In this post I will discuss how to disable your WordPress blog's server signature by editing .htaccess. Before hiding this sensitive information you need to understand what a server signature is and why hiding the web server signature is so important.
What is .htaccess file?
A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers that allows decentralized management of web server configuration. A .htaccess file is a simple ASCII text file named .htaccess. This is not an extension like .html or .txt; the entire file name is .htaccess.
Using an .htaccess file, you can:
- Customize the Error pages for your site.
- Protect your site with a password.
- Enable server-side includes.
- Deny access to your site based on IP.
- Change your default directory page (index.html).
- Redirect visitors to another page.
- Prevent directory listing.
- Add MIME types.
What is server signature?
By default almost all Apache installations show sensitive server information: the Apache version number, server operating system details, installed Apache modules, PHP version and so on. Attackers can use this information when planning attacks. Run the test and you will see information like the following if ServerSignature is On:
Apache/2.2.20 (Ubuntu) Server or Apache Phusion_Passenger/X.0.1X mod_bwlimited/1.X
Web Server: Apache   Programming Language: W3 Total Cache/0.X.X.1
The HTTP response headers also reveal the PHP version you are using on your website. In Apache, this response header information is regulated by the ServerTokens directive. The PHP version revealed through the HTTP response headers looks like:
X-Powered-By: PHP/5.4.4-XxX-XXxxX
And if your website is built on WordPress and you use a caching plugin, it says:
X-Powered-By: W3 Total Cache/0.X.X.1
Why is hiding the web server signature so important?
The error pages of your website, such as 404 Not Found and 403 Forbidden, contain the server signature, i.e. the server version number, operating system and so on. Such information could be misused by attackers, because most server software and operating systems have known weaknesses that attackers can exploit.
A server signature is the public identity of your web server. When it is ON it exposes sensitive information that could be used to exploit any known vulnerability in the disclosed software, so it is considered good practice to turn it OFF: you don't want to disclose which software versions you are running.
How to Turn OFF Server Signature Details by Editing .htaccess?
Now let's see how to hide the ServerSignature details by editing the .htaccess file, which resides in the WordPress root directory.
- Log in to your FTP account.
- Navigate to public_html.
- Right-click .htaccess and choose view/edit.
- First make a backup by copying the contents of .htaccess into Notepad and saving it on your desktop.
- Now add the code below at the end of the .htaccess file of your WordPress site:
# START - Disable server signature #
ServerSignature Off
# END - Disable server signature #
- Save the file and exit.
Run the signature test again and you will find that the sensitive details are no longer displayed.
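To run the signature test yourself, here is an added example (not part of the original post) that classifies a captured HTTP response as leaking or clean; it checks the Server header for a version, looks for any X-Powered-By header, and looks for the footer that ServerSignature On appends to Apache error pages. The URL and the two sample responses are constructed placeholders. Note that ServerSignature Off in .htaccess only removes the error-page footer: the Server header is governed by ServerTokens and X-Powered-By by PHP's expose_php, both server-level settings, so the check also tells you whether your host has dealt with those.

```shell
#!/bin/sh
# Added example, not from the original post: classify a captured HTTP response
# (headers plus body, as produced by "curl -sSi URL") as leaking a server
# signature or not. Against a live site (placeholder URL, assumed):
#   curl -sSi "https://your-site.invalid/no-such-page" | check_signature
# Prints "CLEAN" (exit 0) or "LEAK:" followed by what was found (exit 1).
check_signature() {
    resp=$(cat)          # whole response from stdin
    leaks=""
    # Server header carrying a version, e.g. "Server: Apache/2.2.20 (Ubuntu)";
    # this header is set by ServerTokens, which .htaccess cannot change
    if printf '%s\n' "$resp" | grep -qiE '^Server:.*/[0-9]'; then
        leaks="$leaks server-version"
    fi
    # Any X-Powered-By header (PHP version, caching plugin, ...)
    if printf '%s\n' "$resp" | grep -qiE '^X-Powered-By:'; then
        leaks="$leaks x-powered-by"
    fi
    # Footer that ServerSignature On appends to Apache-generated error pages
    if printf '%s\n' "$resp" | grep -qiE '<address>.*Server at '; then
        leaks="$leaks error-page-signature"
    fi
    if [ -n "$leaks" ]; then
        echo "LEAK:$leaks"
        return 1
    fi
    echo "CLEAN"
}

# Constructed sample responses (not captured from any real site)
SAMPLE_BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.4.4
Content-Type: text/html

<html><body><h1>Not Found</h1>
<address>Apache/2.2.20 (Ubuntu) Server at your-site.invalid Port 80</address>
</body></html>'

SAMPLE_AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<html><body><h1>Not Found</h1></body></html>'

printf '%s\n' "$SAMPLE_BEFORE" | check_signature || true
printf '%s\n' "$SAMPLE_AFTER" | check_signature
```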