Hiding PHP file extension

Do you want to hide your web site’s server script identity ? If you don’t want to reveal the programming language ( server side script ) of your website to visitors of website so that any hacker or spammer will not be able to intrude or inject any code in your website.

Here is a small technique for you, you can use .html or .asp file to work as a php file i.e. use .asp or .html extension instead of .php. You just need to create a .htaccess file and put the following code in the .htaccess file. Remember that the .htaccess file should be placed in the root folder of your website.

# Make PHP code look like asp or perl code
AddType application/x-httpd-php .asp .pl

if you place the the above code in the .htaccess file then you can use contact.asp as the name of the file. Now a visitor thought that it is a ASP file but this file contains the codes of PHP.

You can put the following code in .htaccess file to work .htm or .html file as PHP file.

# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html

3M0-600 certification exams are very important for IT professional for getting more updated skills. 4H0-028, Hyperion Certified Professional – System 9 Planning 4.1 exams are very significant exams for becoming more professionals in the field of technology. 50-686, certification exams are very assistive to give full training to IT professionals. 640-802 is also known as CCNA, very significant exams for Cisco networking administrators. 640-863 certification exams provide very exact solutions of Cisco networking in the most effective manner. 3Com Certified IP Telephony NBX Expert Final Exam V3.0 is also known as 3M0-701 which provides authentic knowledge for operating IP telephony networks. 310-203, Sun Certified System Administrator for the Solaris 10 Operating System is designed to improve the professional talents of the individuals for operating system efficiently.

40 thoughts on “Hiding PHP file extension

  1. Ryan

    Thanks for sharing this technique. I kinda feel like a traitor for not standing up and defending PHP and open source constantly, but yes, there are some business people that still think traditional open source web sites (.php, perl, python), are somehow inferior to .aspx, .cfm and even .jsp sites. (I’m not talking here about [overtly] deceiving the client, or telling them they have a ASP.NET site when its a PHP site. However, if one of these (IMHO) “stuck up”, opinionated, and money wasting customers want to believe that a site is .aspx (when it’s really .php), then he has really deceived himself.

    Thanks for sharing this technique. I’ll try not to abuse it. :)

  2. nice trick, I heard about this a while ago…but I like your presentation (simple)

  3. Rob Desbois

    “If you don’t want to reveal the programming language ( server side script ) of your website to visitors of website so that any hacker or spammer will not be able to intrude or inject any code in your website.”

    Obscurity is *not* a security measure; just making it not immediately obvious what language you’re coding in server-side doesn’t prevent any sort of code injection. Code injection is prevented by cleaning user input before passing it to functions like eval() whch can execute arbitrary code.

    A nice technique worth sharing – but IMHO rather than making one extension behave like another it’s better to use mod_rewrite or an equivalent. Then you can have e.g. http://www.example.com/show_users map to file /show_users.php

  4. I think it looks a lot cleaner to come up with a nice mod rewrite system that completely removes file extensions and interprets the query string. looks a lot neater.

  5. Rob and Jasper i agree with you that with mod_rewrite you can do it in a better way and if your good in regular expression then that is the best way, but it’s a bit tedious for the beginners to write the regular expression in .htaccess.

  6. Aidan Samuel

    You may be hiding the extension, but you’re still sending out “X-Powered-By: PHP/4.4.6” in the headers.


  7. I had problems getting “AddType” to work on a netnation hosted site. Turns out using “AddHandler” did the trick: http://fishdujour.typepad.com/blog/2007/08/htaccess-settin.html

  8. Leslie Hoare

    A better way is to show no extension at all, you can do that with this line:

    Options +MultiViews

    That’ll make any file type (like .html, .jpg, etc) visible without a file extension too. And it’ll make it easier if you decide later on to switch scripting languages, say to Ruby or Java :)

  9. yes Leslie you can hide the extension with Options +MultiViews but you cannot the change its extension like .asp or .html with that.

  10. will

    in response to Aidan Samuel:
    you can change the X-Powered-By with a couple tweaks to your php.ini and apache configurations.

    the best use (in my opinion of hiding php), is to make a director where i will generate CSS or Javascript, and have an .htaccess with: “AddType application/x-httpd-php .css” in it. it can also be used to generate graphs or captchta images. i can then transparently generate javascript or css on-the-fly.

  11. Hello webmaster…Thanks for the nice read, keep up the interesting posts..what a nice Wednesday . Michelle Marsh

  12. beauty

    Hello webmaster Thanks. It is very infortant topic that u have given the following. it is a useful topic.

  13. I gather always different opinions about web 2.0 and how to market with the different mindset of the \”new\” Internet. Will social interaction and networking really make the web different? Thanks for your thoughts on this!

  14. Good observers will cherish this research respecting meanwhile many folks done remarked that the text is exceptional! I appreciate all the info you gave.

  15. Hi…Thanks for the nice read, keep up the interesting posts..what a nice Friday

  16. Thanks for sharing

  17. Reza

    How to hide the script of GET. like index.php?id=share

  18. well you can user POST or SESSION variable if you want to hide the GET variables and even you can use apache’s mod_rewrite module for rewriting the url.So there are lots of option according to your need

  19. Hi,

    I have written a script that basicly creates an image for use in forum signatures, which dynamically updates with stats from database every time it is called, the image works fine and everything, my problem is that the image has an extension of .php and some forums will only allow .jpg or .gif as a file extension in signatures, is there any way I can get apache and php to read just this one file as a php script if I change it to .jpg extension, I have tried the method above using .htaccess, it doesn’t seem to work.

  20. sahil

    i used your code but this is not working in my ssh server.could you tell me the best option so that i can see my php page like asp or pearl or html.

  21. Is .htaccess overriding is allowed in your server.I think .htaccess is not making effect please consult with your server administrator , I don’t think there is problem in the code

  22. Thanks….:)

  23. Please don’t do it this way 😛

    Under Apache 2 just enable:
    Options +MultiViews

    And then in your code use –

    On the server some_uri will evaluate to some_uri.html, some_uri.cgi, some_uri.pl, or some_uri.php — however this appraoch forces web designers to be much more accurate their web resource declarations and layouts because you can only have some_uri evaluate to 1 thing otherwise the server displays mutiple matches which can lead to a security leak … maybe enforcing good web design skills is a good thing long term.


  24. Vasim

    hello i have problem in setting htaccess file.
    my root folder is html2
    how can i set this i have home page index.php
    can i convert it to index.asp ?

  25. thanks! nice mod, nice presentation.

    we have a client that is migrating ecommerce systems – their current ecommerce system is heavily indexed in the search engines with landing pages containg the asp extension. the newly designed and developed site will have php extensions, so to keep those pages’ performance up, we’ll rewrite the php extension to asp.

  26. jarrett

    I’m goign to sound like an idiot, but is .htaccess the name of the file or the file extension?

  27. well it seems that you are not familiar with the file system of the linux and unix so you’re asking this question. .htaccess is the name of the file dude…

  28. paulrajj

    Thanks for sharing this nice information….

  29. reza

    this way is good, but I wan`t change my PHP files extension(about 100 files and link).
    how can I use this code without change file extension to Html


  30. Bob

    Please; don’t abuse AddType – which sets MIME types – to invoke handlers. This is wrong since 1997 and was a dirty hack those days. You want to invoke a handler, so AddHandler is the directive to use.

  31. DevesH

    Your Code is not working of url hide.
    Please Tell me right way to hide a url
    and also tell me that it works on localhost or not.


  32. phpvnn

    Thanks for sharing this nice information….

  33. Your Code is not working of url hide.
    Please Tell me right way to hide a url
    and also tell me that it works on localhost or not.

    Thanks tiffany

  34. Thank you for sharing the nice information . I have used your code to hide url.But your code is not working according to you.Please let me know other way to hide url.

  35. Sachin Gupta

    You Code is not working on my Linux Web Server.
    Please Tell Whats the matter.
    Please reply me..

  36. I can’t understand this. I have lots of .php file in one folder(root).
    I have one login.php & login.html.
    Now I make one file login.htaccess and put code( # Make PHP code look like asp or perl code
    AddType application/x-httpd-php .asp .pl) in it.
    Now when i open it will open login.html

Leave a Reply

Your email address will not be published. Required fields are marked *