Hide PHP Version removes the X-Powered-By response header that PHP adds by default, hiding your exact PHP version from anyone inspecting your HTTP responses. Pairs naturally with Hide WordPress Version to deny scanners the easy fingerprints they look for.

What this feature does

By default, PHP advertises itself in an HTTP response header called X-Powered-By. The value typically looks like X-Powered-By: PHP/8.2.10. Anyone inspecting your responses (browsers, curl, automated scanners) sees your exact PHP version.

This is mostly harmless on its own, but combined with Hide WordPress Version and the rest of the security module, it removes one more easy fingerprint scanners use to find sites running specific vulnerable versions.

This setting writes .htaccess rules that strip the X-Powered-By header from every response.

Defence in depth

Hiding the version doesn’t fix vulnerabilities; it just makes them harder to find through automated mass scanning. Always combine version-hiding with an actual update strategy. A hidden but outdated install is more vulnerable than a visible but current one.

How to enable it

  1. Open AdminEase › Security. Click AdminEase in the WordPress admin menu, then switch to the Security tab.
  2. Toggle Hide PHP Version on. Save settings.
  3. Verify. Test with curl -I https://yoursite.com/. The response should no longer include an X-Powered-By header.

Settings reference

| Setting | What it does | Default |
|---|---|---|
| Hide PHP Version | Writes Header unset X-Powered-By to .htaccess, removing the header from all responses. | Off |

What gets written to .htaccess

# BEGIN AdminEase
<IfModule mod_headers.c>
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>
# END AdminEase

The two directives together ensure the header is removed both from successful responses and from error responses. Without the always variant, error responses (e.g. PHP-generated 500 errors) might still include the header.

What happens behind the scenes

.htaccess + mod_headers

AdminEase writes the unset directives in a managed .htaccess block. Apache’s mod_headers processes the response and strips the header before it reaches the client.

For a more permanent fix, you can also set expose_php = Off in php.ini, which prevents PHP from setting the header in the first place. AdminEase’s .htaccess approach works at the response layer and doesn’t require php.ini access, which is convenient on shared hosting.

Troubleshooting

The header is still being sent

Three things to check: confirm mod_headers is enabled on your Apache install (most managed hosts enable it); confirm .htaccess is being read; and check that no caching layer or CDN is re-adding the header. Run curl -I https://yoursite.com/ and look at the actual response headers.

I’m on Nginx

Nginx ignores .htaccess. Ask your host to add fastcgi_hide_header X-Powered-By; to your server config. Or set expose_php = Off in php.ini, which works regardless of web server.

A scanner still detects my PHP version

Scanners use multiple fingerprints: X-Powered-By is one of the easiest, but they also test for behaviour differences between PHP versions, look at session-cookie names, and probe known PHP-specific paths. This setting handles the easy header. For deeper hardening, also set expose_php = Off in php.ini and disable PHPSESSID cookie disclosure.
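To make the curl check repeatable, the added example below (not part of AdminEase) reads raw response headers and reports any X-Powered-By header or PHPSESSID cookie together with the status code of the response that carried it, so a leak that only appears on error responses is visible. The function name and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit response headers for the PHP fingerprints named on this page.
# Input : raw headers on stdin, e.g.  curl -sI https://yoursite.com/ | php_header_leaks
# Output: one line per finding, "<status> <header>"; returns 1 if anything leaked.
php_header_leaks() {
    awk '
        { sub(/\r$/, "") }                     # curl prints CRLF line endings
        /^HTTP\// { status = $2; next }        # start of a response block
        {
            name = tolower($0); sub(/:.*/, "", name)      # header names are case-insensitive
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
            if (name == "x-powered-by") {
                print status " X-Powered-By: " value
                found = 1
            } else if (name == "set-cookie" && tolower(value) ~ /^phpsessid=/) {
                print status " Set-Cookie: PHPSESSID"     # the session id itself is not echoed
                found = 1
            }
        }
        END { exit found + 0 }
    '
}

# Constructed sample: the 200 is clean but the 500 still carries the header,
# the case this page describes when only "Header unset" (no "always") applies.
sample_partial() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
    printf 'HTTP/1.1 500 Internal Server Error\r\nx-powered-by: PHP/8.2.10\r\n\r\n'
}

# Constructed sample: header removed, default PHP session cookie name still visible.
sample_cookie() {
    printf 'HTTP/2 200\r\nSet-Cookie: PHPSESSID=abc123; path=/\r\n\r\n'
}

# Constructed sample: nothing to report.
sample_clean() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

sample_partial | php_header_leaks || echo "fingerprint headers found"
```

Run it against both a normal page and a URL that returns an error, since the two can differ.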