Why Should expose_php be Disabled in the php.ini?

By On
I am seeing recommendations that you should disable the expose_php setting in the PHP.ini file. What is the importance of this? Why is this dangerous for you to use on your web server?

1 Answer

- Advertisment -
SEMrush
Answered By Dan On
When looking to buckle down your webserver, expose_php is often something that people suggest you disable. What does expose PHP do and why should it even be disabled? Well it doesn't really do much, and on its own it really doesn't do any harm to your server, but it does expose information that a hacker could take advantage of. When expose_php is enabled your server will generate a header called "X-Powered-By". This header will reveal information about the version of PHP that you are running on your server.As you can guess, it's not a setting that gives a hacker access to your system, but if they know what version of PHP you are using, it may be possible for someone to find a vulnerability in your system and gain access. There is no real reason to let the public know this information, so it is best to leave this disabled.

How To Disable Expose PHP

It is very easy to disable this setting. Open up your php.ini file using some text editor. Search the file for "expose_php", if it exists edit it and if not , add the following line to your ini file.
expose_php = Off
Save the ini file and restart apache. The setting will now be disabled.