Server_Tokens Off

Where is Server_Tokens Off and How to Disable It

  • December 18, 2024

When you run a WordPress website, security should be a top priority. One common security step is to disable something called Server Tokens. You might wonder, “What are Server Tokens, and why should I disable them?”

This guide will explain what they are, where to find them, and how to turn them off.

What Are Server Tokens?

Server Tokens are small pieces of information your web server sends in the Server header of its HTTP responses. These tokens tell browsers (and sometimes hackers) which software and version your server uses. For example, the header might look like this:

Server: Apache/2.4.41 (Ubuntu)

This tells anyone who visits your website that you’re using an Apache server with version 2.4.41 running on Ubuntu. Hackers can use this information to find weaknesses in your server’s security. This is why it’s a good idea to hide these tokens.

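By disabling Server Tokens, you reduce the information hackers can see. This makes it harder for them to attack your site. It does not remove any weakness in the server itself, so the server software still needs to be kept up to date.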

Where Are Server Tokens in WordPress?

Here’s the critical part — WordPress itself does not control Server Tokens. The web server controls them. This means you must adjust your server’s settings to turn them off.

The two most common web servers used with WordPress are:

  1. Apache
  2. Nginx

Each of these servers has its own way of handling server tokens. Below, we’ll explain how to disable Server Tokens for each one.

How to Disable Server Tokens on Apache

If your WordPress site runs on an Apache server, follow these steps to disable Server Tokens.

Step 1: Access Your Server

You’ll need access to your server’s configuration files. You can do this through SSH or a cPanel File Manager. Most hosting providers give you access to the server via a control panel.

Step 2: Open the Apache Configuration File

The file you need is called httpd.conf or sometimes apache2.conf, depending on your server setup. You can find it in one of these locations:

  • /etc/httpd/httpd.conf
  • /etc/apache2/apache2.conf

Step 3: Add the Directive to Disable Server Tokens

Once you’ve opened the file, look for this line:

ServerTokens Full

Change it to:

ServerTokens Prod

The Prod option hides the version details and only shows “Apache” without the version number.

Step 4: Restart Apache

After you’ve made the changes, restart your Apache server to apply them. Use the following command:

sudo systemctl restart apache2

You can now check if the tokens have been removed using an online tool like SecurityHeaders.com.

How to Disable Server Tokens on Nginx

If your WordPress site is running on Nginx, follow these steps to disable Server Tokens.

Step 1: Access Your Server

Like Apache, you’ll need access to your server’s configuration files. This can be done through SSH or a cPanel File Manager.

Step 2: Open the Nginx Configuration File

The file you’re looking for is called nginx.conf. It’s usually found in one of these locations:

  • /etc/nginx/nginx.conf
  • /usr/local/nginx/conf/nginx.conf

Step 3: Add the Directive to Disable Server Tokens

Find the following line in the configuration file:

server_tokens on;

Change it to:

server_tokens off;

This directive hides the version number and details about your Nginx server.

Step 4: Restart Nginx

To apply the changes, restart Nginx using this command:

sudo systemctl restart nginx

You can verify that the server tokens are disabled by checking SecurityHeaders.com.
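
As an added example (not part of the original guide), this script lists every active ServerTokens or server_tokens directive in the .conf files under a configuration directory, which catches a second file that still sets a version-disclosing value after the main file was edited. The function names, the sample tree and the conf.d/security.conf file name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report active ServerTokens (Apache) and server_tokens (nginx)
# directives in *.conf files under a directory.
# Exit status: 0 = every directive found is Prod/off, 1 = weak value or none found.
audit_tokens() {
    report=$(find "$1" -type f -name '*.conf' -exec awk '
        $1 ~ /^#/ { next }                    # skip commented-out lines
        tolower($1) == "servertokens" {       # Apache directive names are case-insensitive
            v = tolower($2)
            s = (v == "prod" || v == "productonly") ? "OK" : "WEAK"
            print s, FILENAME ":" FNR, $1, $2
        }
        $1 == "server_tokens" {               # nginx value ends with ";"
            v = $2; sub(/;.*/, "", v)
            s = (v == "off") ? "OK" : "WEAK"
            print s, FILENAME ":" FNR, $1, v
        }' {} +)
    if [ -z "$report" ]; then
        # Without a directive, Apache defaults to Full and nginx to on.
        echo "WEAK no directive set under $1 (server default discloses the version)"
        return 1
    fi
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^WEAK'; then return 1; fi
    return 0
}

# Constructed sample tree standing in for /etc/apache2 and /etc/nginx.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/apache2/conf.d" "$d/nginx"
    printf '%s\n' 'ServerRoot "/etc/apache2"' 'ServerTokens Prod' > "$d/apache2/apache2.conf"
    printf '%s\n' '#ServerTokens Minimal' 'ServerTokens OS' > "$d/apache2/conf.d/security.conf"
    printf '%s\n' 'http {' '    server_tokens off;' '}' > "$d/nginx/nginx.conf"
    echo "$d"
}

tree=$(make_sample_tree)
audit_tokens "$tree/apache2" || echo "-> fix the WEAK lines, then restart Apache"
audit_tokens "$tree/nginx" && echo "-> nginx configuration is clean"
rm -rf "$tree"
```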

Can I Disable Server Tokens Using a Plugin?

If you don’t have access to your server’s configuration files, you may be able to hide server information using a WordPress security plugin. While this method isn’t foolproof, it’s better than doing nothing.

Recommended Plugins:

  1. iThemes Security
  2. Wordfence Security

These plugins can hide version numbers and prevent unnecessary information from being revealed in your site’s headers.

How to Use a Plugin:

  1. Install and activate one of the security plugins.
  2. Go to the plugin’s settings and look for an option to “Hide WordPress Version” or “Hide Server Details.”
  3. Enable the option and save the changes.

Note: Using a plugin may not remove all server tokens since some information is sent by the server, not WordPress.

How to Check if Server Tokens Are Disabled

After making these changes, you’ll want to confirm that the tokens are disabled. Here’s how you can check:

  1. Use Browser Developer Tools: Right-click on a page and select Inspect. Go to the Network tab and refresh the page. Click on the first request (usually the homepage) and look at the Response Headers. Check for “Server”. If it’s blank or doesn’t show the version, the tokens are disabled.
  2. Use SecurityHeaders.com: Enter your website’s URL to see whether your server reveals information.
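
The same check can be scripted. The following is an added example, not part of the original guide: it reads raw response headers on standard input and reports whether the Server header still carries a version or OS detail. The function name and the sample responses are constructed for the illustration, and example.com is a placeholder.

```shell
#!/bin/sh
# Added example: classify the Server header found in raw response headers on stdin.
# Live use (placeholder URL):  curl -sI https://example.com | check_server_header
# Exit status: 0 = no version disclosed, 1 = version or OS detail disclosed.
check_server_header() {
    # Drop CRs from CRLF line endings, match the header name case-insensitively
    # (HTTP/2 sends it in lowercase) and keep the last Server header seen.
    hdr=$(tr -d '\r' | awk '
        tolower($0) ~ /^server:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0; seen = 1
        }
        END { if (seen) print "S:" v }')
    case "$hdr" in
        "")              echo "OK: no Server header"; return 0 ;;
        */[0-9]*|*"("*)  echo "LEAK: ${hdr#S:}"; return 1 ;;
        *)               echo "OK: ${hdr#S:}"; return 0 ;;
    esac
}

# Constructed responses: the header shown on this page before the change, and
# the product-only values expected after ServerTokens Prod / server_tokens off.
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n' | check_server_header || true
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n' | check_server_header
printf 'HTTP/2 200\r\nserver: nginx\r\nserver-timing: db;dur=12\r\n\r\n' | check_server_header
```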

Final Thoughts

Disabling server tokens is a simple but important step to improve your WordPress site’s security. By following the methods for Apache, Nginx, or using plugins, you can prevent hackers from knowing what software you’re using.

With less information exposed, hackers have a harder time exploiting vulnerabilities. This makes your site more secure and professional. Whether running a small blog or a large e-commerce store, it’s smart to turn off server tokens.
