How to Add HTTP Security Headers in WordPress


Would you like to add HTTP security headers in WordPress?

HTTP security headers add an extra layer of security to your WordPress site. They help block common malicious activity before it can affect your site's performance.

In this beginner's guide, we'll show you how to easily add HTTP security headers in WordPress.

What are HTTP Security Headers?

HTTP security headers are a security measure that lets your site's web server prevent some common security threats before they reach your site.

Basically, when a user visits your site, your web server sends an HTTP response header back to their browser. This response tells the browser about error codes, cache control, and other statuses.

The normal response carries the status HTTP 200, after which your site loads in the user's browser. However, if your site is having trouble, your web server may send a different HTTP status.

For instance, it may send a 500 internal server error, or a 404 not found error code.

HTTP security headers are a subset of these headers and are used to protect sites from common threats like clickjacking, cross-site scripting, brute force attacks, and more.

Let's take a quick look at what HTTP security headers look like and how they protect your site.

HTTP Strict Transport Security (HSTS)

The HTTP Strict Transport Security (HSTS) header tells web browsers that your site uses HTTPS and must not be loaded over the insecure HTTP protocol.

If you have moved your WordPress site from HTTP to HTTPS, this security header lets you stop browsers from loading your site over HTTP.

X-XSS Protection

The X-XSS-Protection header lets you block reflected cross-site scripting from loading on your WordPress site.

X-Frame-Options

The X-Frame-Options security header prevents cross-domain iframes, which is how clickjacking works.

X-Content-Type-Options

X-Content-Type-Options blocks content MIME type sniffing by the browser.

That being said, let's look at how to easily add HTTP security headers in WordPress.

Adding HTTP Security Headers in WordPress

HTTP security headers work best when they are set at the web server level (i.e. your WordPress hosting account). This lets them be triggered early in a normal HTTP request and gives the maximum benefit.

They work even better if you are using a DNS-level website application firewall like Sucuri or Cloudflare. We'll show you every method, and you can pick the one that works best for you.

1. Adding HTTP Security Headers in WordPress using Sucuri

Sucuri is the best WordPress security plugin available. If you are using their website firewall service as well, you can set HTTP security headers without writing any code.

First, you need to sign up for a Sucuri account. It is a paid service that comes with a cloud-level website firewall, security plugin, CDN, and malware removal guarantee.

During signup, you will answer simple questions, and Sucuri documentation will help you set up the website application firewall on your site.

After signing up, you need to install and activate the free Sucuri plugin.

Upon activation, go to the Sucuri Security > Firewall (WAF) page and enter your Firewall API key. You can find this information under your account on the Sucuri website.

Click on the Save button to store your changes.

Next, you need to switch to your Sucuri account dashboard. From here, click on the Settings menu at the top and then switch to the Security tab.

From here you can choose from three sets of rules: the default security, HSTS, and HSTS Full. You will see which HTTP security headers will be applied for each set of rules.

Click on the 'Save Changes in The Additional Headers' button to apply your changes.

That's all, Sucuri will now add your chosen HTTP security headers in WordPress. Since it is a DNS-level WAF, your site traffic is protected from hackers even before they reach your site.

2. Adding HTTP Security Headers in WordPress using Cloudflare

Cloudflare offers a basic free website firewall and CDN service. It lacks advanced security features in its free plan, so you would need to upgrade to the Pro plan, which is more expensive.

To add Cloudflare to your site, see our tutorial on how to add Cloudflare free CDN in WordPress.

Once Cloudflare is active on your site, go to the SSL/TLS page in your Cloudflare account dashboard and then switch to the Edge Certificates tab.

Next, scroll down to the HTTP Strict Transport Security (HSTS) section and click on the 'Enable HSTS' button.

This will bring up a popup with instructions telling you that you must have HTTPS enabled on your WordPress blog before using this feature. Click on the Next button to continue, and you will see the options to add HTTP security headers.


From here, you can enable HSTS, the no-sniff header, apply HSTS to subdomains (if they are using HTTPS), and preload HSTS.

This method provides basic protection using HTTP security headers. However, it doesn't let you add X-Frame-Options, and Cloudflare doesn't have a user interface to do that.

You can still do that by writing a script using the Workers feature. However, writing a script for HTTPS security headers may cause unexpected issues for beginners, which is why we wouldn't recommend it.

3. Adding HTTP Security Headers in WordPress using .htaccess

This method lets you set the HTTP security headers in WordPress at the server level.

It requires you to edit the .htaccess file on your site. This is a server configuration file used by Apache, the most commonly used web server software.

Simply connect to your site using an FTP client, or the file manager app in your hosting control panel. In the root folder of your site, you need to find the .htaccess file and edit it.

This will open the file in a plain text editor. At the bottom of the file, you can add the code that sets HTTPS security headers for your WordPress site.


You can use the following example code as a starting point. It sets the most commonly used HTTPS security headers with sensible settings:

<IfModule mod_headers.c>
# Only send HSTS on HTTPS responses; browsers ignore it over plain HTTP anyway
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
# No colon after the header name: Apache takes the name and the value as separate arguments
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

Remember to save your changes and visit your site to make sure that everything is working as expected.

4. Adding HTTP Security Headers in WordPress using Plugin

This method is somewhat less effective, as it relies on a WordPress plugin to modify the headers. However, it is also the easiest way to add HTTP security headers to your WordPress site.

First, you need to install and activate the Redirection plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

Upon activation, the plugin will show a setup wizard that you can simply follow to set up the plugin. After that, go to the Tools > Redirection page and switch to the 'Site' tab.

Next, you need to scroll down to the bottom of the page to the HTTP Headers section and click on the 'Add Header' button. From the drop-down menu, you need to choose the 'Add Security Presets' option.

After that, you need to click on it again to add those options. You will now see a preset list of HTTP security headers appear in the table.


These headers are optimized for security; you can review them and change them if needed. When you are done, remember to click on the Update button to save your changes.

You can now visit your site to make sure that everything is working fine.

How to Check HTTP Security Headers for a Website

Now that you have added HTTP security headers to your site, you can test your setup using the free Security Headers tool. Simply enter your site URL and click on the Scan button.

It will then check the HTTP security headers for your site and show you a report. The tool also produces a letter grade, which you can disregard, as most sites would get a B or C score at best without affecting user experience.

It will show you which HTTP security headers are sent by your site and which security headers are not included. If the security headers that you wanted to set are listed there, then you are done.
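If you prefer to run the same kind of check yourself, the following Python script audits a site's response headers for the headers covered in this article. It is an added example for this guide, not code from the article or from the Security Headers tool; the sample response is constructed to match the .htaccess rules above, and the function `fetch_headers` (assumed name) can be used in its place to pull the headers from a live site. It treats HSTS (with a max-age of at least one year), X-Content-Type-Options, X-Frame-Options and Referrer-Policy as required, and reports X-XSS-Protection only as informational, since current browsers no longer act on it.

```python
"""Audit HTTP security headers the way the Security Headers scanner does.

Added example for this article, not code from it or from any of the
services it mentions. The sample response below is constructed; to
check a live site, call fetch_headers("https://example.com/") instead.
"""
import urllib.request

ONE_YEAR = 31536000  # seconds; the max-age used in the .htaccess rules above

# Constructed response headers, as a WordPress site using the .htaccess
# snippet from this article would send them.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer-when-downgrade",
}


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_hsts(value):
    """Return (ok, reason) for a Strict-Transport-Security value."""
    directives = parse_hsts(value)
    if "max-age" not in directives:
        return False, "missing max-age directive"
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return False, "max-age is not an integer"
    if max_age < ONE_YEAR:
        return False, "max-age %d is shorter than one year" % max_age
    return True, "ok"


def audit_headers(headers):
    """Return {header name: (ok, reason)} for the headers this article covers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    results = {}

    hsts = h.get("strict-transport-security")
    results["Strict-Transport-Security"] = (
        check_hsts(hsts) if hsts else (False, "missing"))

    xcto = h.get("x-content-type-options", "").lower()
    results["X-Content-Type-Options"] = (
        (True, "ok") if xcto == "nosniff" else (False, "missing or not 'nosniff'"))

    xfo = h.get("x-frame-options", "").upper()
    results["X-Frame-Options"] = (
        (True, "ok") if xfo in ("DENY", "SAMEORIGIN")
        else (False, "missing or not DENY/SAMEORIGIN"))

    rp = h.get("referrer-policy", "").lower()
    results["Referrer-Policy"] = (
        (True, "ok") if rp and rp != "unsafe-url"
        else (False, "missing or set to unsafe-url"))

    # Legacy header: modern browsers ignore it, so report only, never fail.
    results["X-XSS-Protection"] = (True, "present (legacy, informational only)"
                                   if "x-xss-protection" in h
                                   else "absent (legacy, informational only)")
    return results


def missing_headers(headers):
    """Names of headers that are absent or weakly configured."""
    return [name for name, (ok, _) in audit_headers(headers).items() if not ok]


def fetch_headers(url, timeout=10):
    """Fetch a live site's response headers with a HEAD request."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for name, (ok, reason) in audit_headers(SAMPLE_RESPONSE_HEADERS).items():
        print("%s %s: %s" % ("PASS" if ok else "FAIL", name, reason))
```

Running the script prints PASS for every header in the constructed sample. Replace `SAMPLE_RESPONSE_HEADERS` with `fetch_headers("https://your-site.example/")` to audit a real site; the HSTS check deliberately fails short max-age values, because a max-age below a year is what the Security Headers tool and the browsers' preload list both treat as too weak.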
