How to Add HTTP Security Headers in WordPress?


Looking for a way to add HTTP security headers in WordPress?  

Security is not something to compromise on. As we all know, WordPress is the most popular platform for creating websites, which also makes it a frequent target for hackers. If you run your own WordPress site, there should be no negligence when it comes to security.

A website runs successfully only when its owner keeps it secure. Luckily, there are several ways to tighten security and protect the site from attackers, and adding HTTP security headers is one of them. It adds a further layer of protection on top of the rest.

Below, we cover what HTTP security headers are and the steps to add them to WordPress.

What are HTTP Security Headers?

HTTP security headers are a way to protect a website from common security threats before they take effect. Whenever a user visits your website, your site's web server sends HTTP response headers to their browser. These headers tell the browser how to interact with the site.

The headers carry metadata such as cache control and status codes. If everything is fine, the server returns an HTTP 200 status, which lets the browser load the page. If something goes wrong, the user receives a different status instead.

For instance, a 500 Internal Server Error or a 404 Not Found error are common examples. HTTP security headers are a particular class of headers: they protect the site from threats such as clickjacking, cross-site scripting, and so on.

Furthermore, let’s go through the types of security headers: 

  • HTTP Strict Transport Security (HSTS): A header that tells the browser the site must only be loaded over HTTPS, never over an insecure protocol such as plain HTTP. It is useful once you have moved from HTTP to HTTPS.
  • X-XSS-Protection: Tells the browser to block certain cross-site scripting attempts on your WordPress site.
  • X-Frame-Options: Prevents clickjacking by stopping other domains from loading your site in an iframe.
  • X-Content-Type-Options: A header that tells the browser not to guess (sniff) the MIME type of content.

What are the Ways to Add HTTP Security Headers in WordPress?

You need to set the HTTP security headers at the web server level (your WordPress hosting account) for them to be effective. This ensures they are sent at the very beginning of the HTTP response, and you don't have to configure them separately for every landing page.

Alternatively, you can set the headers in a DNS-level website firewall such as Sucuri, which is easy to set up as well. Either way, we will walk through each method step by step.

Here are the different ways to add HTTP security headers in WordPress:

  • Addition of HTTP security header using Cloudflare.
  • Addition of HTTP security header using .htaccess
  • Addition of HTTP security header using a plugin

1. Addition of HTTP Security Header Using Cloudflare

Cloudflare is a popular way to manage websites. It provides a basic firewall that protects your site from bots and common malware attacks, and it also provides a CDN service. You can start on the free plan, but for advanced security features you will need to upgrade to a paid plan.

Start by installing and activating Cloudflare on your site. You need to sign in so that Cloudflare can work with your site. It is up to you whether to start with a premium plan or a free plan.


After finishing the setup, head to the SSL/TLS page in your Cloudflare account and switch to the "Edge Certificates" tab.


Scroll down to the HTTP Strict Transport Security (HSTS) section and enable it by clicking the "Enable HSTS" button.


A popup will appear telling you that you must enable HTTPS on your WordPress blog before using this feature. Click the Next button, and you will find the options to add HTTP security headers.


Finally, this lets you enable HSTS and the X-Content-Type-Options nosniff header, which provides basic protection through HTTP security headers. However, it does not let you add X-Frame-Options.

This method might cause unexpected problems, so we would not recommend it.

2. Addition of HTTP Security Header Using .htaccess

This method sets the HTTP security headers at the server level. It requires editing the .htaccess file on your website, a step that can't be skipped. The Apache web server uses .htaccess as a per-directory configuration file.

First, connect to your website using an FTP client. Then locate the .htaccess file in the root folder of your website and open it for editing.


Open the file in a plain text editor and add the code at the bottom of the file. All you need to do is copy and paste the code mentioned below:

    # Send the security headers only when mod_headers is available
    <IfModule mod_headers.c>
        # Only send HSTS on HTTPS responses (env=HTTPS)
        Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options nosniff
        Header set X-Frame-Options DENY
        # No colon after the header name in a Header directive
        Header set Referrer-Policy no-referrer-when-downgrade
    </IfModule>

Save the changes, and you have successfully added HTTP security headers to your site. You can then visit your site to check that the .htaccess rules are working.

Note: An incorrect header directive in .htaccess can trigger a 500 Internal Server Error on most web hosts.
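As an added example (not part of the original tutorial), here is a small Python checker that covers both the header types listed above and the .htaccess snippet: it audits a set of response headers and reports which expected headers are missing or weak. The expected values mirror the snippet, and the sample header sets are constructed; the fetch_headers helper is assumed to be run against your own site.

```python
import re
import urllib.request

# Expected values, mirroring the .htaccess snippet in the tutorial (header names are
# matched case-insensitively; values are checked against these patterns).
EXPECTED = {
    "strict-transport-security": r"max-age=(\d+)",
    "x-content-type-options": r"^nosniff$",
    "x-frame-options": r"^(DENY|SAMEORIGIN)$",
    "x-xss-protection": r"^1;\s*mode=block$",
    "referrer-policy": r"^(no-referrer|no-referrer-when-downgrade|strict-origin-when-cross-origin)$",
}
MIN_HSTS_AGE = 31536000  # one year, the max-age used in the tutorial's snippet


def audit_headers(headers):
    """Return {header: 'ok' | 'missing' | 'weak: ...'} for each expected header."""
    got = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    report = {}
    for name, pattern in EXPECTED.items():
        value = got.get(name)
        if value is None:
            report[name] = "missing"
            continue
        match = re.search(pattern, value, re.IGNORECASE)
        if not match:
            report[name] = f"weak: unexpected value {value!r}"
        elif name == "strict-transport-security" and int(match.group(1)) < MIN_HSTS_AGE:
            report[name] = f"weak: max-age {match.group(1)} is below one year"
        else:
            report[name] = "ok"
    return report


def fetch_headers(url):
    """Fetch the response headers of a live site (needs network; not used by the sample run)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed sample responses: a site before and after the .htaccess change.
BEFORE = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"}
AFTER = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs))
```

To check a live site, pass the result of fetch_headers("https://your-site.example") to audit_headers.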

3. Addition of HTTP Security Header Using a Plugin

Adding HTTP security headers with a plugin is surely the easiest and quickest method. It is also the less effective method, so we cannot rely on it entirely. Follow the steps below carefully for the best results.

  • Install and activate the plugin, then run its setup wizard.
  • Navigate to Tools >> Redirection and switch to the “Site” tab. 
  • Click on the “Add Header” button by scrolling down to the bottom of the page.
  • Then select the "Add Security Presets" option from the drop-down menu and click it again to add it. You will see a preset list of HTTP security headers in the table.
  • The headers are already optimized for security. Check the header and you can change it if needed. Don’t forget to click on the update button and save the changes.
  • Visit your site to check the work of the plugin.

Wrapping up

We hope this tutorial was beneficial for you. Here, we have mentioned 3 different and simple ways to tackle your problem. You can follow the way that best suits your requirement. Also, visit our article “How to Properly Move WordPress from HTTP to HTTPS?” for more information about WordPress.

