Advanced Footprints Series: X-Powered-By Headers

 
LAST UPDATE: August 2017

In our last post we talked about HTTP headers such as the Server Header and the typical values we can expect it to carry for servers running WordPress. But as we hinted previously, the Server Header is not the only HTTP header that gives out important information about the servers hosting websites. This time around, we’ll take a look at what other information we can expect to receive inside the HTTP headers that webservers send us.

Let’s start with a quick refresher in case you haven’t read our previous blog post (though we highly recommend it). When we surf the internet, our browser (Firefox, Chrome, etc.) asks for a webpage from a webserver. A webpage is nothing more than information – from the photos and graphics to the text. There’s plenty we don’t see – some of this is code which instructs our browser on how to display the page, cookies for traffic and visitor analytics, metadata about the page and the server (often meant for search engines), etc. Metadata gets sent to our browser in the form of HTTP headers.

In the last post we talked specifically about the Server Header. Today we’ll continue and take a look at another header that can easily be used to footprint webservers – specifically the “X-Powered-By” header.

As you might guess, this tells us what technology is powering the website we’re currently visiting. With WordPress sites this is a version of PHP; other examples might be Microsoft’s ASP.NET, JBoss, etc.

We can easily check this header with Firefox for any website, just as we previously did with the Server Header. On a website we right click anywhere in a blank space and select “Inspect Element”. We select the “Network” tab and reload the webpage – this will list all the traffic which flows from the webserver to our browser. We find the first item, which is the HTML, the basic structure of the website. In the right half of the Inspect pane we select the headers tab and scroll down to find the “X-Powered-By” header.

[Figure: network_tab]

As with last time, we’re using data from Shodan.io, a search engine for finding specific types of computers. This allows us to easily analyze data from 100,000 servers running WordPress.

We see that most servers return the X-Powered-By header; only slightly more than a fourth don’t:

[Figure: is_powered_by_set]

And we can check the most common values for the X-Powered-By header:

[Figure: x_powered_by]

This gives us the raw number of servers which return a specific header. Here we should mention that the first entry, PleskLin, comes from servers set up with the Plesk webhosting automation software. Let’s take a look at what percentage of these servers identify as being Powered-By a version of PHP:

[Figure: powered_by_php]

Out of all of these, almost all of them run PHP 5:

[Figure: php_version]

The subversions are considerably more varied:

[Figure: php_subversion]

So the most common version is PHP 5.3, though this is also split between subversions. But what happens if we go back and consider all servers hosting WordPress?

Well, 28% of servers don’t pass the X-Powered-By header. The rest do pass it and, as we saw earlier, they pretty much always specify the version of PHP down to at least one, usually two decimal places (so PHP 5.3.1, for instance). Some even add the server’s operating system on the end. So if we take the largest group, PHP 5.3, it actually represents a total of 27.35% of all servers. These are then split among subversions, with 5.3.29 being the most common at the time of writing this post.

[Figure: php_and_os]

To put it another way – the typical server running WordPress doesn’t pass the X-Powered-By header at all. In second place are servers which pass some specific version of PHP 5.3; at the moment the largest group is 5.3.29, which represents around 6% of all of the analyzed WordPress servers.
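The tally described above can be reproduced over any set of captured response headers to see what your own servers disclose. The following Python is an added example, not code from the original post: the sample responses are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample responses (header blocks only), not real Shodan data.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.3.29\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 200 OK\r\nx-powered-by: PHP/5.4.45-0+deb7u2\r\n\r\n",
    "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3.3\r\nX-Powered-By: PleskLin\r\n\r\n",
    "HTTP/1.1 200 OK\r\nX-Powered-By: ASP.NET\r\n\r\n",
]

PHP_RE = re.compile(r"^PHP/(\d+)\.(\d+)(?:\.(\d+))?(.*)$", re.IGNORECASE)

def powered_by_values(raw_headers):
    """Return every X-Powered-By value in one response; the header may repeat."""
    values = []
    for line in raw_headers.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                                 # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            values.append(value.strip())
    return values

def classify(value):
    """Map one header value to ("php", version details) or ("other", value)."""
    m = PHP_RE.match(value)
    if not m:
        return ("other", value)
    major, minor, patch, suffix = m.groups()
    full = ".".join(p for p in (major, minor, patch) if p)
    return ("php", {"minor": f"{major}.{minor}", "full": full,
                    "extra": suffix.lstrip("-") or None})  # build/OS suffix

def tally(responses):
    """Count responses with no header, PHP minor versions, and other values."""
    counts = Counter()
    for raw in responses:
        values = powered_by_values(raw)
        if not values:
            counts["(not set)"] += 1
        for v in values:
            bucket, detail = classify(v)
            counts[f"PHP {detail['minor']}" if bucket == "php" else detail] += 1
    return counts

if __name__ == "__main__":
    print(tally(SAMPLE_RESPONSES).most_common())
```

For PHP, the header is emitted when `expose_php` is enabled in php.ini; setting it to Off removes it.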

The Conclusion

The most common behavior for a WordPress server is to not even pass the X-Powered-By header – about a third of all your blogs shouldn’t be returning this header at all. In fact, the common opinion among web developers about most of the headers we’ve discussed in this and the previous blog post is that they are simply not needed – most modern browsers ignore them.

You can easily check what your PBN blogs pass as an X-Powered-By header by using the steps described above. Don’t be surprised if they pass the same thing for all of their blogs, even if this same thing is not passing the header at all.

For users of Easy Blog Networks, don’t worry – we’ve got you covered. We pass different headers in a ratio which closely mimics the ratios we’ve talked about here. Around a third of our blogs don’t pass the X-Powered-By header, and with those which do, they pass different headers with varied PHP versions.

Because these versions are in constant flux (they tend to slowly go up as administrators update versions of PHP), we make sure that the headers our servers pass are slowly changing as well.

[Figure: all_headers]

One thought on “Advanced Footprints Series: X-Powered-By Headers”

  1. Colin @SERPed

    #BOOM!

    I’m not tech enough to put a smarter comment than that… blown away at the depth gone to ensuring the servers are ‘representative’ of the Western World server setup. The 1st post in the series was awesome, this continued that trend and I can’t wait for the 3rd post in the ‘Advanced Footprint Series’ – Thank you Nejc for publishing this.
