Welcome to End Point’s blog

Ongoing observations by End Point people

Prevent MediaWiki showing PHP version with new extension: ControlSpecialVersion

Sok Kwu Wan

I recently created a new MediaWiki extension named ControlSpecialVersion whose purpose is to allow some control over what is shown on MediaWiki's "special" page Special:Version. The latest version of this extension can be downloaded from You can see it in action on the Special:Version page for The primary purpose of the module is to prevent showing the PHP and database versions to the public.

As with most MediaWiki extensions, installation is easy: download the tarball, unzip it into your extensions directory, and add this line to your LocalSettings.php file:

require_once( "$IP/extensions/ControlSpecialVersion/ControlSpecialVersion.php" );

By default, the extension removes the PHP version information from the page. It also changes the PostgreSQL reported version from its revision to simply the major version, and changes the name from the terrible-but-official "PostgreSQL" to the widely-accepted "Postgres". Here is what the Software section of looks like before and after the extension is used:

Note that we are also eliding the git revision information (sha and date). You can also do things such as hide the revision information from the extension list, remove the versions entirely, or even remove an extension from showing up at all. All the configuration parameters can be found on the extension's page on

It should be noted that there are typically two other places in which your PHP version may be exposed, both in the HTTP headers. If you are running Apache, it may show the version as part of the Server heading. To turn this off, edit you httpd.conf file and change the ServerTokens directive to ProductOnly. The other header is known as X-Powered-By and is added by PHP to any pages it serves (e.g. MediaWiki pages). To disable this header, edit your php.ini file and make sure expose_php is set to Off.

While these methods may or may not make your server safer, there really is no reason to expose certain information to the world. With this extension, you at least have the choice now.


Federico said...

If your purpose is to hide the information from potential attackers, you should probably start from the API:

Jon Jensen said...

Good point, Federico!

Greg Sabino Mullane said...

Thanks, Federico, I will add something to modify things via the APIQuerySiteInfoGeneralInfo hook in a future version. Until then, $wgEnableAPI = false; is the quick fix. :)

Greg Sabino Mullane said...

Version 1.4 has been released with the API changes.