Viewing 7 replies - 1 through 7 (of 7 total)
  • I do not understand your question very well, you mean “How to force SiteCheck to hide the system details?” or “How to hide the system details in your website?”. I will explain both questions here.

    Force SiteCheck to hide the system details.

    The version of SiteCheck that you are using only displays the information that is already public, both in the source code of your website and in the details returned by your web server. You can compare it with a scanner of the “Yellow Pages”: if your personal information is published there, then SiteCheck will display it. So even if we at Sucuri add a feature in SiteCheck to hide the system details, a malicious person can gather that information by himself/herself just by running a different web scanner.

    For example, executing this command [1] you can find the same information about the server for any website that you want. It depends on the security of the server whether the information displayed in the output of this command is sensitive or not. If you want to secure your server or website to prevent leaks of sensitive information, then jump to the next paragraph.

    Hide the system details in your website.

    It is the responsibility of the system administrator and web developer to secure a server and website respectively. If SiteCheck or another scanner was able to find sensitive information in one of your sites, then you have to hide it by yourself because the information is already public. There are many ways to do this and all of them depend on the technology that you are using.

    For example, there is a way to hide the version number of the PHP interpreter as well as the version of the web server installed by modifying the configuration in the “php.ini” and “httpd.conf” files respectively. There are also ways to hide sensitive information in some specific projects like WordPress, but it is very easy to determine which software is being used in a website when that software is open-source.

    If you have time I recommend that you read this article [2], where you can find information about how to harden your WordPress site; a quick search on the Internet [3] returns several blog posts with relevant information too. And finally this website [4] has some generic tips and tricks that you can follow to hide sensitive information from malicious people.

    [1] curl --head 'http://example.com/'
    [2] http://codex.ww.wp.xz.cn/Hardening_WordPress
    [3] https://www.google.com/search?q=how+to+harden+wordpress
    [4] http://www.serverhardening.com/
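The reply above says the only thing `curl --head` reveals is what the server already sends. The following is an added example, not code from the thread or from Sucuri: it parses a header block in the shape `curl --head` prints and reports which headers advertise software or a version number. The two sample responses and the list of disclosure headers are constructed for illustration.

```python
"""Audit a raw HTTP header block for software/version disclosure.

Added example (not from the thread or from Sucuri). The two sample
responses below are constructed, not captured from any real host.
"""
import re

# Headers that commonly name the server software. Assumed typical set, not exhaustive.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_headers(raw: str) -> dict:
    """Turn a `curl --head` style block into a dict of lower-cased header names."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank/garbage line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw: str) -> list:
    """Return (header, value, has_version) for each header that names the software."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSURE_HEADERS:
            findings.append((name, value, bool(VERSION_RE.search(value))))
    return findings


# Constructed sample: a default Apache + PHP host with nothing hidden.
SAMPLE_LEAKY = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2015 00:00:00 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the same host after `ServerTokens Prod` and `expose_php = Off`.
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2015 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, sample in (("before hardening", SAMPLE_LEAKY), ("after hardening", SAMPLE_HARDENED)):
        print(label)
        for name, value, versioned in find_disclosures(sample):
            print(f"  {name}: {value}  (version number present: {versioned})")
```

Pipe real output in with `curl --head 'http://example.com/' | python3 audit.py` after replacing the samples with `sys.stdin.read()`; the hardened sample still names “Apache”, which matches the reply's point that the software itself is rarely hidden even when the version is.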

    Thread Starter cavey85

    (@cavey85)

    Hi,

    Thank you for your answer. I am reading the articles. 🙂

    Here is the image: http://oi61.tinypic.com/34gm5qq.jpg
    Can I hide these details and version with any PHP code in functions.php?

    Thx,
    Cavey85

    You can hide the version number of the Apache web server and the PHP interpreter, but you cannot hide the version number of WordPress because it is retrieved through a guessing game.

    In the image you can see that SiteCheck identified the number “4.0.1” through this file [1]. It basically compares the content of that file with every version of WordPress released so far; if one of the files has the same content, then it uses the version of the archive where the comparison succeeded.

    As I explained in my previous comment, you cannot hide information that is already public; in this case the information that SiteCheck is using to determine the version of your WordPress installation is provided by the public archives released by WordPress itself. For example, the content of that “common.js” in version “4.0.1” is this [2]; if you compare that file with the one found in your website you will notice that the code is the same. That is how SiteCheck and other web scanners work.

    You can add random data in most of the core WordPress files to break the comparison process, though. You can try to add a commented line in that “common.js” file and expect that the comparison performed by SiteCheck fails, but it will try to use a different file, so you will end up modifying (almost) 100% of the core files, which are more than “1,168 files”. It is up to you.

    [1] /wp-admin/js/common.js
    [2] http://core.svn.ww.wp.xz.cn/tags/4.0.1/wp-admin/js/common.js
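The reply above describes the comparison as matching a core file against every released copy and then falling back to another file when one has been modified. The following added example (not code from the thread or from Sucuri) models that matching so you can see what a single edited file does and does not achieve. The release table, file contents and the versions “4.0.0” and “4.1.0” are constructed stand-ins; a real scanner hashes the files from the actual WordPress archives.

```python
"""Model of release fingerprinting by exact file comparison.

Added example, not the thread's or Sucuri's code. Release contents below
are constructed placeholders (real core files are far larger).
"""
import hashlib


def digest(content: bytes) -> str:
    """Hash a file's bytes; scanners compare digests rather than raw content."""
    return hashlib.sha256(content).hexdigest()


# Constructed stand-ins for two core files across three constructed releases.
RELEASE_FILES = {
    "4.0.0": {"wp-admin/js/common.js": b"var wp = {}; // common 4.0.0\n",
              "wp-includes/js/wp-util.js": b"// util, unchanged in 4.0.x\n"},
    "4.0.1": {"wp-admin/js/common.js": b"var wp = {}; // common 4.0.1\n",
              "wp-includes/js/wp-util.js": b"// util, unchanged in 4.0.x\n"},
    "4.1.0": {"wp-admin/js/common.js": b"var wp = {}; // common 4.1.0\n",
              "wp-includes/js/wp-util.js": b"// util 4.1\n"},
}

# Index: path -> digest -> set of releases that shipped exactly that content.
INDEX = {}
for _version, _files in RELEASE_FILES.items():
    for _path, _content in _files.items():
        INDEX.setdefault(_path, {}).setdefault(digest(_content), set()).add(_version)


def guess_version(site_files: dict) -> set:
    """Intersect the candidate releases over every site file that matches a known copy.

    A file whose content matches no release (e.g. one with a local comment
    appended) simply contributes nothing, so the guess survives as long as
    any other core file is still pristine.
    """
    candidates = None
    for path, content in site_files.items():
        matches = INDEX.get(path, {}).get(digest(content))
        if not matches:
            continue
        candidates = set(matches) if candidates is None else candidates & matches
    return candidates if candidates else set()


# Constructed site snapshots.
SITE_UNMODIFIED = dict(RELEASE_FILES["4.0.1"])
SITE_ONE_FILE_PATCHED = dict(RELEASE_FILES["4.0.1"])
SITE_ONE_FILE_PATCHED["wp-admin/js/common.js"] += b"// local edit\n"
SITE_ALL_PATCHED = {p: c + b"// local edit\n" for p, c in RELEASE_FILES["4.0.1"].items()}

if __name__ == "__main__":
    print("unmodified:", guess_version(SITE_UNMODIFIED))
    print("common.js edited only:", guess_version(SITE_ONE_FILE_PATCHED))
    print("every core file edited:", guess_version(SITE_ALL_PATCHED))
```

With only `common.js` edited the guess widens from one release to the two that share the other file, which is the “it will try to use a different file” behaviour the reply describes; only when every indexed file differs does the guess become empty.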

    Hi Yorman,

    Just need to get your insight for my security questions.

    http://1drv.ms/1cT0PFN
    1) Is there any way for me to hide the “Running Cpanel” ? If yes which file should I amend ?

    2) Where should I make the amendment to hide all crucial details like techcrunch.com did? https://sitecheck.sucuri.net/results/techcrunch.com

    Thank you 🙂

    @hhkb3896 To hide the information that refers to cPanel you have to either block public access to port “2082” [1] or change the revision number of the assets loaded by that page; this can be done by appending random data to the files referenced there. I cannot point you to a specific file in the server because cPanel has a different setup from host to host.

    To hide the version number of PHP you have to add/change the attribute “expose_php = Off” in the “php.ini” file loaded by the interpreter during execution; you can find the location of this file using this command [2].

    To hide the version number of Apache (which you already did) you have to add/change the attribute “ServerTokens Prod” in the “httpd.conf” file; you can find the location of this file using this command [3] or this one [4].

    To hide the version number of RevSlider you have to delete, or change to an empty string, the “GlobalsRevSlider::SLIDER_REVISION” constant in all the function calls executed in the “base.class.php” file. Or you can also change the value of that constant defined in the “GlobalsRevSlider” class [5].

    As for the rest of the information shown in the scanner results, you will have to be creative to hide that. I personally would not waste my time doing that because you would end up falling into the path of “Security Through Obscurity” [6] instead of mitigating the enumeration and real attacks the right way; you should install a firewall instead. There are many options out there and, modesty aside, Sucuri has one of the best WAFs (Web Application Firewall) [7] on the market.

    [1] http://h2k.network:2082/
    [2] php -i | grep 'Configuration File'
    [3] apachectl -V | grep -i config_file
    [4] httpd -V | grep -i config_file
    [5] grep -rn 'GlobalsRevSlider' plugins/revslider
    [6] http://en.wikipedia.org/wiki/Security_through_obscurity
    [7] https://sucuri.net/website-firewall/
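The reply above names the two settings that matter, `expose_php = Off` in php.ini and `ServerTokens Prod` in httpd.conf. The following added example (not code from the thread or from Sucuri) reads the text of both files and reports whether each is set to the hardened value, so you can check copies of your configuration offline before restarting anything. The sample file contents are constructed; point `audit()` at the real files found with the `php -i` and `apachectl -V` commands from the reply.

```python
"""Check php.ini and httpd.conf text for the two version-hiding settings.

Added example, not the thread's or Sucuri's code. Sample contents are
constructed; the parsing rules (';' comments in php.ini, '#' comments in
httpd.conf, last uncommented occurrence wins) match how the real files work.
"""
import re


def php_ini_setting(text: str, key: str):
    """Return the effective value of `key` in php.ini text, or None if unset."""
    value = None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' begins a comment in php.ini
        m = re.match(rf"{re.escape(key)}\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
    return value


def apache_directive(text: str, name: str):
    """Return the last uncommented value of an Apache directive, or None if unset."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' begins a comment in httpd.conf
        m = re.match(rf"{re.escape(name)}\s+(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return value


def audit(php_ini: str, httpd_conf: str) -> dict:
    """Map each check to True (hardened) or False (still advertising a version)."""
    expose = php_ini_setting(php_ini, "expose_php")
    tokens = apache_directive(httpd_conf, "ServerTokens")
    return {
        # PHP defaults expose_php to On, so only an explicit Off removes X-Powered-By.
        "expose_php_off": expose is not None and expose.lower() in ("off", "0", "false"),
        # Apache defaults ServerTokens to Full; Prod is the level that sends a bare "Server: Apache".
        "servertokens_prod": tokens is not None and tokens.lower() == "prod",
    }


# Constructed samples: the weak defaults beside the corrected settings.
PHP_INI_WEAK = "; constructed php.ini excerpt\nexpose_php = On\nmemory_limit = 128M\n"
PHP_INI_HARDENED = "; constructed php.ini excerpt\nexpose_php = Off\n"
HTTPD_WEAK = "# constructed httpd.conf excerpt\nServerTokens Full\n"
HTTPD_HARDENED = "# constructed httpd.conf excerpt\nServerTokens Prod\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python3 audit.py /path/to/php.ini /path/to/httpd.conf
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            print(audit(f.read(), g.read()))
    else:
        print("weak:", audit(PHP_INI_WEAK, HTTPD_WEAK))
        print("hardened:", audit(PHP_INI_HARDENED, HTTPD_HARDENED))
```

A directive that is present only in a commented-out line counts as unset, which is the usual reason a “fixed” file still leaks: the edit went into a line starting with `;` or `#`.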

    @yorman Thank you for the quick reply. Yes, Sucuri WAF is one on my list. Just wondering, once I enforce the Sucuri WAF, will it be able to hide that information? Do you recommend me to get only the WAF or WAF+Antivirus?

    @hhkb3896 Yes, the firewall will hide that information, but it is not really necessary; that will be just a side effect of the other features available in the software. The real value of the firewall is that it will protect your site from unauthorized access and a big range of attacks.

    If a malicious user finds that your site is using a vulnerable version of cPanel, PHP, Apache, etc. and he/she tries to execute an attack to exploit that vulnerability, the firewall will block that attack. This is why there is no need to hide that (sensitive) information if you already have a firewall; if there is no firewall protection, it is a good idea to hide that information to reduce the risk.

    Imagine that you buy a luxurious house on an exotic island; malicious people could try to go there knowing the latitude/longitude and/or address of the property. If you hire guards you will not need to worry about these malicious people because the guards will prevent them from entering the house/island. That is the same as the firewall.


The topic ‘Webpage details’ is closed to new replies.