Remove X-Powered-By Headers in Plesk

When you host your websites with Plesk (Linux), it adds “X-Powered-By” headers to each HTTP response by default. This problem is usually server-wide, meaning it can affect all of the websites on your Plesk server.

The presence of these headers is not only a security flaw, because they tell every visitor which software runs your server, but it also adds extra bytes to each HTTP response when a visitor is viewing your site content. And by “each” I mean that every image, JavaScript or CSS file downloaded from your website will be returned with these headers, which of course all adds up.

Check if your server is affected by this problem

#1 Open your website in the Google Chrome browser, right-click on the page and choose “Inspect”. This will open Google Chrome Developer Tools.

#2 Click on the “Network” tab, then choose “Doc” in the request filter and select the first HTML document loaded from your website domain.

#3 Now look at the “Headers” tab of that request and inspect the “Response Headers” section. Look for “X-Powered-By” headers: if you see at least one of these, you know for sure that this security flaw affects you.
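The same check can be done from a shell, which is handy for confirming the result again after making the changes. This is an added example, not part of the original article; the function names and the sample response are constructed for illustration, and it assumes curl and awk are installed.

```shell
#!/bin/sh
# Added example: list X-Powered-By response headers without a browser.

# Read raw HTTP response headers on stdin and print each X-Powered-By value.
# Header names are case-insensitive and the header can appear more than once
# (for example one from Plesk and one from PHP), so every match is printed.
powered_by_values() {
  tr -d '\r' | awk '
    tolower($0) ~ /^x-powered-by[ \t]*:/ {
      sub(/^[^:]*:[ \t]*/, "")   # drop the header name, keep the value
      print
    }'
}

# Request a URL, keep only its response headers and report what they disclose.
# Returns 0 when the header is absent, 1 when present, 2 when the request fails.
check_url() {
  headers=$(curl -sS -o /dev/null -D - "$1") || return 2
  found=$(printf '%s\n' "$headers" | powered_by_values)
  if [ -n "$found" ]; then
    printf '%s discloses:\n%s\n' "$1" "$found"
    return 1
  fi
  printf '%s: no X-Powered-By header\n' "$1"
}

# Constructed sample response (not captured from a real server).
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/8.2.0\r\n'
  printf 'x-powered-by: PleskLin\r\nContent-Type: text/html\r\n\r\n'
}

# Check every URL given on the command line; do nothing when there are none.
if [ "$#" -gt 0 ]; then
  rc=0
  for u in "$@"; do check_url "$u" || rc=$?; done
  exit "$rc"
fi
```

Pass one URL per website, plus an image or CSS URL if you want to confirm that static files are clean too; a non-zero exit status means at least one response still carries the header or could not be fetched.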

How to remove X-Powered-By headers from a Plesk server

First, log in to your Plesk server via SSH as the root user.

Remove X-Powered-By: PleskLin header

For this you will need to edit the Plesk settings file (panel.ini). Use the Linux command below to open this file:

Now, as usual with the “vi” editor, press the “INSERT” key to edit the file contents and append these lines to the file (or add just the xPoweredByHeader variable under the [webserver] section if that section already exists in the file):

Exit editing mode by pressing the ESC key. Then type :wq! in the console and press ENTER to save the file and exit the editor.

As a final step, recreate the web server configuration for the domains with this command:

Remove X-Powered-By: PHP header

Check which PHP versions are installed on your server. This command should output something like “8.1, 8.2, 8.3”:

Note that you will need to edit the PHP configuration file separately for each PHP version.

Repeat the following steps for each of the listed PHP versions:

#1 Check whether the PHP version has the “expose_php” directive enabled. Use this command, but replace the X.X in it with a PHP version that is installed on your server:

#2 If you see it enabled, disable it by changing this directive in the PHP configuration file. Open the php.ini file via the “vi” editor as before (do not forget to replace the X.X in this Linux command with an actual PHP version on your server):

#3 In the “vi” editor, first type /expose_php and press [ENTER] to find the line you need to change, then press the [INSERT] key and change the value of this directive from “On” to “Off”. After you’re done, press the [ESC] key, type :wq! and press [ENTER] to save the changes and exit the editor.

Reboot your server

As the last step, restart your server with the “reboot” command. You will experience a little bit of downtime, but this is the easiest way to reload the PHP configuration for all websites.
