Security fix guide
HIGH

PHP Version Exposed

Your server is broadcasting which version of PHP it runs. Learn how to hide it in a few steps.

What is this?

Every time someone visits your site, your server sends back a small packet of information called HTTP headers. One of those headers — called X-Powered-By — announces something like "PHP/8.1.12". It's like leaving a sticky note on your front door that says exactly which lock brand and model you use. Nobody legitimate needs that information, but it's very useful for anyone planning a break-in.

Why does it matter?

Different PHP versions have different known security holes. When attackers know your exact version, they can search the CVE database for that specific version and target the known weaknesses directly. Hiding your PHP version doesn't fix those underlying vulnerabilities, but it removes the roadmap. It's one of the fastest wins in WordPress security because it takes two minutes and has zero downside.

How to fix it

These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.

1. Log in to cPanel and open File Manager.
2. Navigate to your site's root folder (usually public_html).
3. Open the .htaccess file. If it doesn't exist, create a new file and name it .htaccess.
4. Add this line at the top of the file:

       Header unset X-Powered-By

5. Save the file.

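Note: Some shared hosting providers manage this at the server level. If the scan still shows the PHP version after this step, contact your host and ask them to disable expose_php. The `Header` directive also depends on Apache's mod_headers module; if the site returns a 500 error after you save the file, remove the line and ask your host to disable expose_php instead.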

For developers / SSH access
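1. Connect to your server via SSH.
2. Find your active php.ini file:

       php --ini | grep Loaded

   This reports the php.ini used by command-line PHP. PHP-FPM often loads a separate php.ini, so confirm you are editing the one your web server actually uses.
3. Open the file and find the expose_php setting. Change it to:

       expose_php = Off

4. Restart PHP-FPM (adjust the version number to match yours):

       sudo systemctl restart php8.1-fpm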

Note: Alternatively, add `Header unset X-Powered-By` to your .htaccess or Apache VirtualHost config instead of editing php.ini.

How to verify the fix

Re-run your scan and look for a "pass" on the PHP Version check. You can also check manually by opening your browser's developer tools (F12), reloading your site, and inspecting the response headers under the Network tab — the X-Powered-By header should be absent.
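A command-line version of the manual check above, as an added example that is not part of the original guide. It scans response headers for X-Powered-By and, going slightly beyond the guide, for a PHP token in the Server header, which some mod_php setups emit; the function names, script name and sample responses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the guide); function names are hypothetical.

# Read raw response headers on stdin, print each line that discloses PHP.
# Exit status: 0 if at least one disclosing header was found, 1 if none.
php_header_leaks() {
    tr -d '\r' | awk '
        { line = tolower($0); name = line; sub(/:.*/, "", name) }
        # X-Powered-By as set by PHP while expose_php is On
        name == "x-powered-by" && line ~ /php/  { print; found = 1 }
        # PHP token appended to the Server header (assumed mod_php setup)
        name == "server" && line ~ /php\/[0-9]/ { print; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# GET the URL, keep only the headers, scan them. Returns 2 if the request
# failed, so an unreachable site is never reported as a pass.
check_url() {
    headers=$(curl -sS --max-time 10 -o /dev/null -D - "$1") || return 2
    printf '%s\n' "$headers" | php_header_leaks
}

# Constructed sample responses: before and after the fix.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.54 (Unix) PHP/8.1.12\r\n'
    printf 'X-Powered-By: PHP/8.1.12\r\nContent-Type: text/html\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

# Usage (hypothetical script name): ./check_php_header.sh https://example.com/index.php
if [ "$#" -gt 0 ]; then
    check_url "$1"
    case $? in
        0) echo "FAIL: PHP is still disclosed in the headers above" ;;
        1) echo "PASS: no PHP disclosure in response headers" ;;
        *) echo "ERROR: request failed, nothing was checked" ;;
    esac
fi
```

Point it at a URL that PHP actually serves: a static file or cached page never passes through PHP, so it would show a pass even with expose_php still on.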
