Remove X-Powered-By Headers in Plesk

Last updated on:

This article is applicable to VPS or Dedicated server owners which use Plesk (Linux) as their hosting management system.

When you host your websites with Plesk (Linux), it by default adds “X-Powered-By” response headers to each HTTP request. This problem usually is server-wide, meaning it could affect all of your websites if you have a Plesk server.

The presence of these headers is not only a security flaw, but it also adds additional bytes to each HTTP request, when a visitor is viewing your site content. And by “each” I mean that every image, javascript or css file downloaded from your website will be returned with these headers – which all of course sums up.

Check if your server is affected by this problem

#1 Open your website via Google Chrome browser, right click on the window and press on “Inspect” – this will open up Google Chrome Developer Tools.

#2 Click on the “Network” tab, then choose “Doc” in the request filter and select the first HTML document loaded from your website domain

#3 Now look at the “Headers” tab of the particular request and inspect the “Response Headers” section. Look for “X-Powered-By” headers – if you see at least one of these, you know for sure – this security flaw affects you.

How to remove X-Powered-By headers from a Plesk server

First login to your Plesk server via SSH as a root user.

Remove X-Powered-By: PleskLin header

For this you will need to edit the Plesk settings file (panel.ini). Use the linux command below to open this file:

plesk conf panel.ini

Now, as with the usual “vi” editor, press the “INSERT” key to edit the file contents and append these lines to the file (or just the xPoweredByHeader variable under the [webserver] section if it already exists on this file):

[webserver]
xPoweredByHeader = off

Exit the editing mode by pressing an ESC key. Type in the console :wq! afterwards and press enter to save the file and exit the file editor.

As a final step – recreate the web-server configuration for domains with this command:

plesk repair web -domains-only

Remove X-Powered-By: PHP header

Check what kind of PHP versions are installed on your server. This command should output something like “8.1, 8.2, 8.3”:

dir /opt/plesk/php/

For each PHP version you will need to add PHP configuration snippet separately.

Repeat these further steps for each of the listed PHP versions:

#1 Check if a PHP version has the “expose_php” directive enabled – use this command, but replace the X.X in it with a PHP version which is installed on your server:

cat /opt/plesk/php/X.X/etc/php.ini | grep expose_php

#2 If you see it enabled, execute this command which will create a PHP configuration snippet “hideheader.ini” with a necessary PHP setting to disable the “expose_php” directive and remove PHP version from the HTTP headers:

echo 'expose_php = off' > /opt/plesk/php/X.X/etc/php.d/hideheader.ini

Reboot your server

Last step – restart your server with a “reboot” command. You will experience a little bit of downtime but this will be the easiest way to reload PHP configuration for all websites.

Leave a Comment on Remove X-Powered-By Headers in Plesk
About the author
Edgars Abolins Edgars Abolins, author at DoinWP.com
I'm a full-stack WordPress developer with a 10+ years of solid experience in the core web development languages, development processes / techniques, web security, Linux server management and with pretty good understanding about proper semantics, UX/UI, technical SEO, good design and basic knowledge of company leadership. On top of that - a distant 5+ years experience as a computer and electronics repair technician which often enables me to understand also how the things work at the hardware level.
Your feedback matters!…
I hope you found this article helpful. Feel free to add some comments - your feedback is very important to me, as it drives my motivation and helps me to improve the content.