There are a few ways to add HTTP security headers in WordPress. Here are two methods:
Method 1: Using a plugin
- Go to your WordPress dashboard and click on Plugins > Add New.
- Search for HTTP Headers and install the plugin by clicking on Install Now.
- Once the plugin is installed, activate it by clicking on Activate.
- Go to Settings > HTTP Headers.
- On the HTTP Headers settings page, you can configure the following security headers:
- X-Frame-Options: This header prevents your website from being framed in other websites.
- X-Content-Type-Options: This header prevents browsers from MIME-sniffing content types.
- X-XSS-Protection: This header helps protect your website from cross-site scripting attacks.
- Referrer-Policy: This header controls how your website shares referrer information with other websites.
- Strict-Transport-Security: This header enforces secure connections to your website.
- Cache-Control: This header controls how browsers cache your website’s content.
- Content-Security-Policy: This header helps protect your website from content injection attacks.
- Once you have configured the security headers, click on Save Changes.
Method 2: Editing the .htaccess file
- Log in to your web hosting account and locate the .htaccess file.
- Open the .htaccess file in a text editor.
- Add the following code to the .htaccess file:
HTTP Strict Transport Security (HSTS)
Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains”
Header always set X-Frame-Options “DENY”
Header always set X-Content-Type-Options “nosniff”
Header always set X-XSS-Protection “1; mode=block”
Header always set Referrer-Policy “same-origin”
Header always set Cache-Control “max-age=0, no-cache, no-store, must-revalidate” Header always set Pragma “no-cache” Header always set Expires “Sat, 26 Jul 1997 05:00:00 GMT”
Header always set Content-Security-Policy “default-src ‘self’ https: data:; img-src ‘self’ data:; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ https:; style-src ‘self’ ‘unsafe-inline’ https:; font-src ‘self’ data:; connect-src ‘self’ https:;”
- Save the .htaccess file.
Note: If you are using a shared hosting provider, you may need to contact them to enable the .htaccess file for your website.
Once you have added the security headers to your WordPress website, you can use a security testing tool to verify that they are working correctly.