How to hide your website applications version?

June 28, 2015

The topic was raised on the Mauritius Internet Users mailing list, where Shelly asked about a non-technical method to identify the applications on which a website is running. SM suggested that she try the Wappalyzer browser extension. I have used that too, for a long time.

When I wrote a blog post about Wappalyzer, JoKi commented and reminded me about web security :-) That’s yet another topic that we discussed during the MSCC Code & Coffee sessions. Aww! I miss those Wednesday talks.

What happened to my app versions?

After migrations and several WordPress upgrades, I had my settings overridden. Now’s the perfect time to write this post, while it is fresh in my head. So, how do you hide your website applications' versions?

To make my webserver, Nginx, less verbose, I have to add server_tokens off; to the configuration file. It should not be in the nginx.conf file but instead in the individual site configurations (e.g. under ../sites-enabled).

Next, let’s cut the verbosity of PHP. We set expose_php = Off in the php.ini file.

inote:/home/ish # lynx -head -mime_header https://legacy.hacklog.in
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 28 Jun 2015 16:01:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding, Cookie
Cache-Control: max-age=3, must-revalidate
WP-Super-Cache: Served supercache file from PHP

Ahaan! Clean enough. No more webserver & PHP versions shown.

Lastly, I searched for how to hide the WordPress version number. Oh! Before you proceed with code edits, please remove readme.html from your WordPress root. Thank you :-) Nirvan Pagooah, a young fellow & security enthusiast, suggested this to me a long time back.

There is a nice article by Raelene Wilson about hiding the WordPress version number. However, that would require you to manually edit your functions.php file. It works! Though a simpler method would be finding a plugin that does the job. That way, the code edit does not get overridden when WordPress updates.

WordPress version hiding is featured in a plugin named Umbrella Protection. It’s simple to set up & configure. Oh, and it works :-)

How to hide your applications version

While the list of libraries and applications appears, notice that there are no version numbers.
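
A way to re-check all three settings after an upgrade, as an added example (not code from the original post): it scans a raw HTTP response for version numbers in the Server and X-Powered-By headers (the ones server_tokens and expose_php control) and in the WordPress generator meta tag. The function name, the sample responses and the version numbers in them are constructed for illustration.

```python
import re

# A dotted version number such as 1.6.2 or 4.2
VERSION = re.compile(r"\d+(?:\.\d+)+")
# WordPress generator tag: <meta name="generator" content="WordPress x.y.z" />
GENERATOR = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
# Response headers that carry product banners
BANNER_HEADERS = ("server", "x-powered-by")


def find_version_leaks(raw_response):
    """Return (source, value) pairs in an HTTP response that disclose a version."""
    normalized = raw_response.replace("\r\n", "\n")
    head, _, body = normalized.partition("\n\n")   # headers, blank line, HTML body
    leaks = []
    for line in head.split("\n")[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        banner = sep and name.strip().lower() in BANNER_HEADERS
        if banner and VERSION.search(value):
            leaks.append((name.strip(), value.strip()))
    for match in GENERATOR.finditer(body):
        if VERSION.search(match.group(1)):
            leaks.append(("meta generator", match.group(1)))
    return leaks


# Constructed sample: a verbose response before the changes (versions are made up)
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.6.2\r\n"
    "X-Powered-By: PHP/5.6.10\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 4.2.2" /></head></html>'
)
# Constructed sample: the same site after server_tokens off, expose_php = Off
# and removal of the generator tag
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>blog</title></head></html>"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_leaks(sample))
```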