How to Hide Version Numbers of Nginx and PHP on a LEMP Server

If you are running one or more websites based on the LEMP stack, a practical security measure is to hide the version numbers of Nginx and PHP. This would prevent hackers from using version-specific security breaches to attack your servers.

Let’s have a look at how to implement this measure on a Vultr WordPress server instance which is based on the LEMP stack. All of the instructions in this article should apply to other LEMP-based Vultr apps as well.

Determine current visibility of version numbers

curl -I [your-server-IP]:80

Then you will see the result, which resembles:

HTTP/1.1 200 OK
Server: nginx/1.10.0
Date: Fri, 06 May 2016 04:11:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.20
Link: <http://[your-server-IP]/wp-json/>; rel="https://api.w.org/"

As you see, on my server, the version number of Nginx is 1.10.0, and the version number of PHP is 5.6.20.

Hide the version number of Nginx

Display Nginx configuration details:

nginx -V

Among those parameters, find the parameter “–conf-path” which defines the location of the Nginx configuration file:

--conf-path=/etc/nginx/nginx.conf

Modify the Nginx configuration file with vi:

sudo vi /etc/nginx/nginx.conf

Add a configuration sentence server_tokens off; within the http { } segment:

http {
    ... 
    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    server_tokens  off;    #<= The sentence is added Here.

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

Save and quit:

:wq

Edit the fastcgi configuration file:

sudo vi /etc/nginx/fastcgi_params

Replace the line:

fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

With:

fastcgi_param  SERVER_SOFTWARE    nginx;

Save and quit:

:wq

Hide the version number of PHP

Modify the PHP configuration file:

sudo vi /etc/php.ini

Find the line:

expose_php = On

Modify it to:

expose_php = Off

Save and quit:

:wq

Finally, put your modifications into effect:

sudo pkill php-fpm
sudo php-fpm
sudo service nginx restart

Verify your modifications:

curl -I [your-server-IP]:80

The version info of Nginx and PHP are no longer visible:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 May 2016 05:16:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <http://[your-server-IP ]/wp-json/>; rel="https://api.w.org/"