How to fix info disclosure server on WooCommerce
Remove or obscure the Server HTTP response header so your web server software name and version are no longer exposed to the public internet.
## Steps for WooCommerce
- WooCommerce runs on WordPress, which runs on a web server you (or your host) control — the fix lives at the server or hosting level, not inside WordPress itself.
- For Apache hosting: connect via SSH or your host's File Manager, open (or create) the `.htaccess` file in your site root, and add: `Header unset Server` and `Header always unset Server`. Ensure `mod_headers` is enabled.
- For nginx hosting: ask your host or edit `/etc/nginx/nginx.conf` (or the server block for your site) — add `server_tokens off;` inside the `http {}` or `server {}` block, then run `nginx -s reload`.
- For managed WordPress hosts (WP Engine, Kinsta, Flywheel, SiteGround): open a support ticket requesting that the `Server` header be removed or suppressed — many do this automatically or have a one-click security hardening option in their dashboard.
- Alternatively, install the 'HTTP Headers' plugin (by WebFactory Ltd) from the WordPress plugin directory: Plugins → Add New → search 'HTTP Headers' → Install & Activate → navigate to Settings → HTTP Headers → Response Headers tab → add a rule to remove the `Server` header.
- Verify with `curl -I https://yourstore.com` and check that `Server` is absent or generic.
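Not every directive takes effect on every server build, so the verification step above is the one that settles it. As an added example (not from the original page), the check in Python: it parses a raw HEAD response such as `curl -I` prints, or fetches one live, and grades the `Server` header as absent, generic (product name only) or disclosing (product and version). The sample responses are constructed, and the `audit_url` helper and its name are assumptions.

```python
import re
import urllib.error
import urllib.request

# Product/version token such as "nginx/1.18.0", "Apache/2.4.51" or "Microsoft-IIS/10.0".
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")

# Constructed HEAD responses: before hardening, after ServerTokens Prod, after removal.
SAMPLES = {
    "before": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.51 (Ubuntu) OpenSSL/1.1.1f\r\nContent-Type: text/html\r\n\r\n",
    "generic": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "removed": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def parse_head_response(raw):
    """Turn the header block of a raw HTTP response into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(value):
    """Grade a Server header: ('absent' | 'generic' | 'disclosing', [product/version, ...])."""
    if value is None or not value.strip():
        return "absent", []
    disclosed = [f"{product}/{version}" for product, version in VERSION_RE.findall(value)]
    return ("disclosing", disclosed) if disclosed else ("generic", [])


def audit_response(raw):
    """Grade the Server header of a raw response such as the output of `curl -I`."""
    return classify_server_header(parse_head_response(raw).get("server"))


def audit_url(url, timeout=10):
    """Assumed helper: send a HEAD request and grade the live Server header (4xx/5xx still carry headers)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify_server_header(response.headers.get("Server"))
    except urllib.error.HTTPError as err:
        return classify_server_header(err.headers.get("Server"))


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_response(raw))
```

Run `audit_url("https://yourstore.com")` before and after the change; a result of `generic` (e.g. just `Apache`) means the version is hidden but the product is still named, which is what `ServerTokens Prod` alone produces.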
## Apache (.htaccess or httpd.conf)

```apache
ServerTokens Prod
ServerSignature Off
Header unset Server
```

## nginx (nginx.conf — inside http{} or server{} block)

```nginx
server_tokens off;
```

## IIS (web.config — inside <system.webServer>)

```xml
<security>
  <requestFiltering removeServerHeader="true" />
</security>
```

## Cloudflare Transform Rule (via dashboard UI)

```text
# Rules → Transform Rules → Modify Response Header
# Operation: Remove
# Header name: server
```

## What is info disclosure server?
Every time a browser (or a hacker's scanner) requests a page from your store, your web server sends back a response that often includes a `Server` header — a small piece of text that announces exactly what software is running, right down to the version number (e.g., `Microsoft-IIS/10.0`, `Apache/2.4.51`, or `nginx/1.18.0`). This is called information disclosure. Removing or blanking that header is a simple configuration change that stops your store from broadcasting its technology stack to anyone who looks.
Attackers routinely scan millions of sites looking for specific server versions with known security vulnerabilities — your `Server` header is a free map that tells them exactly which exploits to try. Exposing it significantly lowers the effort required to target your store, putting customer data, payment information, and your reputation at risk. OWASP lists this pattern under A05:2021 Security Misconfiguration, one of the most common causes of real-world breaches. Removing the header doesn't fix every vulnerability, but it removes the signpost that guides attackers to them, and it is expected by PCI DSS compliance auditors.
See the complete Info disclosure server guide for every platform and the full background.