HOW-TO GUIDES

How to Add HTTP Security Headers in WordPress

admin By admin 3 Min Read

There are a few ways to add HTTP security headers in WordPress. Here are two methods:

Contents
HTTP Strict Transport Security (HSTS)X-Frame-OptionsX-Content-Type-OptionsX-XSS-ProtectionReferrer-PolicyCache-ControlContent-Security-Policy

Method 1: Using a plugin

  1. Go to your WordPress dashboard and click on Plugins > Add New.
  2. Search for HTTP Headers and install the plugin by clicking on Install Now.
  3. Once the plugin is installed, activate it by clicking on Activate.
  4. Go to Settings > HTTP Headers.
  5. On the HTTP Headers settings page, you can configure the following security headers:
    • X-Frame-Options: This header prevents your website from being framed in other websites.
    • X-Content-Type-Options: This header prevents browsers from MIME-sniffing content types.
    • X-XSS-Protection: This header helps protect your website from cross-site scripting attacks.
    • Referrer-Policy: This header controls how your website shares referrer information with other websites.
    • Strict-Transport-Security: This header enforces secure connections to your website.
    • Cache-Control: This header controls how browsers cache your website’s content.
    • Content-Security-Policy: This header helps protect your website from content injection attacks.
  6. Once you have configured the security headers, click on Save Changes.

Method 2: Editing the .htaccess file

  1. Log in to your web hosting account and locate the .htaccess file.
  2. Open the .htaccess file in a text editor.
  3. Add the following code to the .htaccess file:

HTTP Strict Transport Security (HSTS)

Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains”

X-Frame-Options

Header always set X-Frame-Options “DENY”

X-Content-Type-Options

Header always set X-Content-Type-Options “nosniff”

X-XSS-Protection

Header always set X-XSS-Protection “1; mode=block”

Referrer-Policy

Header always set Referrer-Policy “same-origin”

Cache-Control

Header always set Cache-Control “max-age=0, no-cache, no-store, must-revalidate” Header always set Pragma “no-cache” Header always set Expires “Sat, 26 Jul 1997 05:00:00 GMT”

Content-Security-Policy

Header always set Content-Security-Policy “default-src ‘self’ https: data:; img-src ‘self’ data:; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ https:; style-src ‘self’ ‘unsafe-inline’ https:; font-src ‘self’ data:; connect-src ‘self’ https:;”

  1. Save the .htaccess file.

Note: If you are using a shared hosting provider, you may need to contact them to enable the .htaccess file for your website.

Once you have added the security headers to your WordPress website, you can use a security testing tool to verify that they are working correctly.

Share This Article
Previous Article How to Increase Pageviews and Reduce Bounce Rate in WordPress
Next Article How to Easily Find and Remove Stolen Content in WordPress
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular
Lost your password?