Did you know that WordPress gives away little hints about your server? These hints are called server tokens. They might seem harmless, but they can help hackers figure out how to attack your site. Disabling server tokens is a simple way to improve your website security.
What Are Server Tokens?
Server tokens are small pieces of information that your server sends in HTTP headers. They reveal details like:
- The server type (Apache, Nginx, etc.)
- The PHP version
- The WordPress version
Hackers use this data to find vulnerabilities. If they see an outdated PHP version, for example, they might use known exploits to attack your website.
Why Disable Server Tokens?
By disabling them, you make it harder for attackers to guess your setup. It’s a small but valuable step towards strengthening your site’s security.
How to Disable Server Tokens in WordPress
Let’s go through a few simple ways to disable server tokens.
1. Remove WordPress Version from Meta Tags
By default, WordPress adds a meta tag in your site’s header showing its version. To remove it:
// Stop WordPress from printing the generator meta tag (which contains its version)
remove_action('wp_head', 'wp_generator');
Add this line to your theme's functions.php file, after the opening <?php tag.
2. Disable PHP Version Exposure
PHP also reveals its version in the response headers. To disable this:
- Find your php.ini file.
- Look for this line:
expose_php = On
- Change it to:
expose_php = Off
- Save the file and restart your server.
This will hide your PHP version from prying eyes.
3. Hide Server Details in Apache or Nginx
Your server might also expose details about itself. You can prevent this.
For Apache:
- Edit the apache2.conf or httpd.conf file.
- Add these lines:
ServerSignature Off
ServerTokens Prod
- Save and restart Apache.
For Nginx:
- Edit the nginx.conf file.
- Add this line inside the http{} block:
server_tokens off;
- Save the file and restart Nginx.
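To confirm that the three changes above took effect, this added example (not from the original article) scans a raw HTTP response for the version disclosures covered in steps 1 to 3. The function name find_leaks and both sample responses are constructed for illustration.

```python
import re

# Hypothetical helper for illustration; patterns cover the three leaks described above.
VERSION = re.compile(r"\d+(?:\.\d+)+")
GENERATOR = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]*content=["\']([^"\']*)["\']', re.I)

def find_leaks(raw_response):
    """Return one finding per version disclosure in a raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "server" and VERSION.search(value):
            # Step 3: Apache/Nginx still appending a version to the Server header
            findings.append(f"Server header exposes version: {value}")
        elif name == "x-powered-by":
            # Step 2: expose_php is still On
            findings.append(f"X-Powered-By present: {value}")
    match = GENERATOR.search(body)
    if match and "wordpress" in match.group(1).lower():
        # Step 1: wp_generator is still hooked into wp_head
        findings.append(f"Generator meta tag present: {match.group(1)}")
    return findings

# Constructed sample responses (not captured from a real site).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><head><meta name="generator" content="WordPress 6.1" /></head></html>'
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head><title>Blog</title></head></html>"
)

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, find_leaks(response) or "no version disclosure found")
```

ServerTokens Prod and server_tokens off still send the product name (Apache or nginx) in the Server header and remove only the version, which is why the check looks for a version number rather than for the header itself.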
Bonus: Use a Security Plugin
If you’re not comfortable editing files, install a security plugin. Plugins like Wordfence or iThemes Security help hide this data without manual work.
Final Thoughts
Hiding server tokens won’t make your site 100% hack-proof, but it removes easy clues for attackers. Think of it like locking your doors—it’s one of many steps to stay safe.
Take a few minutes to apply these changes today. A little effort now can prevent big security problems later. Stay safe and keep your WordPress site secure!