Do you want to add HTTP security headers in WordPress?
HTTP security headers allow you to add an extra layer of security to your WordPress website. They can help prevent common malicious activity from affecting your website’s performance.
In this beginner’s guide, we are going to show you how to easily add HTTP security headers in WordPress.
What are HTTP Security Headers?
HTTP security headers are a security measure that your website’s server can use to prevent some common security threats from affecting your website.
Basically, when a user visits your website, your web server sends an HTTP header response back to their browser. This response informs browsers about error codes, cache control and other statuses.
The normal header response returns a status called HTTP 200. After that, your website will be loaded in the user’s browser. However, if your website is having problems, your web server may be sending a different HTTP header.
For example, an internal server error of 500 or a 404 not found error code can be sent.
HTTP security headers are a subset of these headers and are used to protect websites from common threats such as click jacking, cross-site scripting, brute force attacks, and more.
Let’s take a quick look at what HTTP security headers look like and how they protect your website.
HTTP Strict Transport Security (HSTS)
The HTTP Strict Transport Security (HSTS) header tells web browsers that your website is using HTTPs and should not be loaded using an insecure protocol like HTTP.
If you’ve moved your WordPress website from HTTP to HTTPs, you can use this security header to prevent browsers from loading your website on HTTP.
You can use the X-XSS Protection header to prevent cross-site scripting from loading onto your WordPress website.
The security header for X-frame options prevents cross-domain iframes or click-jacking.
X-Content-Type-Options blocks sniffing of the Mime type.
Let’s take a look at how to easily add HTTP security headers in WordPress.
Adding HTTP Security Headers in WordPress
HTTP security headers work best when set at the web server level (i.e. on your WordPress hosting account). This allows them to be triggered early during a typical HTTP request and offers maximum benefit.
They work even better if you use a DNS level website application firewall like Sucuri or Cloudflare. We’ll show you each method and you can choose the one that works best for you.
Here are quick links to various methods. You can jump to the method that suits you.
1. Adding HTTP Security Headers in WordPress with Sucuri
Sucuri is the best WordPress security plugin out there. If you are also using the website firewall service, you can set HTTP security headers without writing any code.
First of all, you need to sign up for a Sucuri account. It’s a paid service that comes with a multilevel website firewall, security plugin, CDN, and malware removal guarantee.
You will answer simple questions as you sign up, and Sucuri documentation will help you set up the website application firewall on your website.
After logging in, you need to install and activate the free Sucuri plugin. For more information, see our step-by-step guide to installing a WordPress plugin.
After activation, go to Sucuri Security »Firewall (WAF) Page and enter your Firewall API Key. You can find this information under your account on the Sucuri website.
Click the Save button to save your changes.
Next, you’ll need to go to your Sucuri account dashboard. Click the Settings menu at the top, then switch to the Security tab.
From here you can choose three sets of rules. The standard protection, HSTS and HSTS Full. You can see which HTTP security headers are applied for each rule set.
Click the “Save changes in the additional headers” button to apply your changes.
That’s all, Sucuri will now add your chosen HTTP security headers in WordPress. Because it’s a DNS-level WAF, your website traffic is protected from hackers before they even reach your website.
2. Adding HTTP security headers in WordPress using Cloudflare
Cloudflare offers a basic free website firewall and CDN service. The free plan doesn’t come with any advanced security features, so you’ll need to upgrade to the more expensive Pro plan.
For information on adding Cloudflare to your website, check out our tutorial on Adding Cloudflare Free CDN in WordPress.
Once Cloudflare is active on your website, go to the SSL / TLS page under your Cloudflare account dashboard and go to the Edge Certificates tab.
Now scroll down to the HTTP Strict Transport Security (HSTS) section and click on the ‘Enable HSTS’ button.
A popup will then appear with instructions informing you that HTTPS must be enabled on your WordPress blog before you can use this feature. Click the Next button to continue. The options for adding HTTP security headers are displayed.
From here you can enable HSTS (no-sniff header), apply HSTS to subdomains (if they use HTTPS), and preload HSTS.
This method provides basic protection using HTTP security headers. However, you can’t add X-frame options, and Cloudflare doesn’t have a user interface to do so.
You can still do this by creating a script with the Worker function. However, creating an HTTPS security header script can cause unexpected problems for beginners, which is why we would not recommend it.
3. Adding HTTP security headers in WordPress with .htaccess
This method allows you to set the HTTP security headers in WordPress at the server level.
You need to edit the .htaccess file on your website. It is a server configuration file used by the most popular Apache web server software.
Simply connect to your website using an FTP client or the file manager app in your hosting control panel. In the root folder of your website you need to find and edit the .htaccess file.
This will open the file in a plain text editor. At the end of the file, you can add the code to add HTTPS security headers to your WordPress website.
You can use the following sample code as a starting point. It defines the most commonly used HTTP security headers with optimal settings:
Header-Set Strict-Transport-Security “max-age = 31536000” env = HTTPS Header-Set X-XSS-Protection “1; mode = block” Header-Set X-Content-Type-Options nosniff Header-Set X-Frame -Options DENY Header set Referrer-Policy: no-referrer-when-downgrade
Don’t forget to save your changes and visit your website to make sure everything works as expected.
Note: Incorrect headers or conflicts in the .htaccess file can trigger 500 internal server errors on most web hosts.
4. Adding HTTP security headers in WordPress using the plugin
This method is a little less effective as it relies on a WordPress plugin for changing the headers. However, it’s also the easiest way to add HTTP security headers to your WordPress website.
First you have to install and activate the redirection plugin. For more information, see our step-by-step guide to installing a WordPress plugin.
After activation, the plugin displays a setup wizard that you can simply follow to set up the plugin. After that, go to Tools »Redirection Page and switch to the ‘Site’ tab.
Next, you need to scroll to the bottom of the page to the HTTP Headers section and hit the ‘Add Headers’ button. From the drop-down menu, you need to select the “Add Security Presets” option.
After that, you need to click on it again to add these options. A preset list of HTTP security headers is now displayed in the table.
These headers are optimized for security reasons. You can review them and change them if necessary. When you’re done, don’t forget to click the Update button to save your changes.
You can now visit your website to make sure everything is working fine.
How to check HTTP security headers for a website
You have now added HTTP security headers to your website. You can test your configuration with the free security header tool. Just enter your website url and hit the scan button.
It then checks the HTTP security headers for your website and displays a report. The tool would generate what is called a grade label that you can ignore as most websites would get a B or C rating at best without sacrificing the user experience.
It shows you which HTTP security headers are being sent from your website and which security headers are not included. If it lists the security headers you want to set, you’re done.
We hope this article has helped you learn how to add HTTP security headers in WordPress. You might also want to check out our full WordPress Security Guide and our expert pick of the best WordPress plugins for corporate websites.
If you enjoyed this article, please subscribe to our YouTube channel for WordPress video tutorials. You can also find us on Twitter and Facebook.