Why Should Expose PHP be Disabled?

PHP Logo

When looking to buckle down your webserver, expose_php is often something that people suggest you disable. What does expose PHP do and why should it even be disabled? Well it doesn’t really do much, and on its own it really doesn’t do any harm to your server, but it does expose information that a hacker could take advantage of. When expose_php is enabled your server will generate a header called “X-Powered-By”. This header will reveal information about the version of PHP that you are running on your server.

As you can guess, it’s not a setting that gives a hacker access to your system, but if they know what version of PHP you are using, it may be possible for someone to find a vulnerability in your system and gain access. There is no real reason to let the public know this information, so it is best to leave this disabled.

How To Disable Expose PHP

It is very easy to disable this setting. Open up your php.ini file using some text editor. Search the file for “expose_php”, if it exists edit it and if not , add the following line to your ini file.

Save the ini file and restart apache. The setting will now be disabled.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.