How to Add HTTP Security Headers in WordPress (2023 Guide)

If you want to harden the security of your WordPress website and protect it against common online threats, adding HTTP security headers is an important step. Security headers are a set of directives that tell web browsers how to behave when interacting with your website. They provide an additional layer of defense beyond basic security measures like SSL/HTTPS and can help prevent attacks like cross-site scripting, clickjacking, and more.

In this comprehensive guide, we'll dive deep into HTTP security headers – what they are, why they matter for WordPress security, and multiple methods you can use to implement them on your own website. Whether you're a beginner or an experienced WordPress user, by the end of this article you'll have all the knowledge needed to boost your site's frontend security.

But first, let's cover some key background information:

What Are HTTP Security Headers?

HTTP headers are name/value lines that your web server sends along with every response to a browser's request. They communicate important information about your website, like the content type, cache settings, and more.

HTTP security headers are a subset of response headers that specifically relate to website security. When a browser receives these headers, it adjusts its behavior to conform to the specified security policies. This helps protect your site against various types of attacks.

Some of the most important security headers include:

  • HTTP Strict Transport Security (HSTS) – Forces browsers to only interact with your site over a secure HTTPS connection, even if the user types in "http://" accidentally. Helps prevent man-in-the-middle attacks.

  • X-XSS-Protection – Instructs browsers to block detected cross-site scripting (XSS) attacks. An extra line of defense against a common website exploit.

  • X-Frame-Options – Prevents your site from being embedded in an iframe on another website, which defends against clickjacking attempts.

  • X-Content-Type-Options – Stops browsers from "sniffing" the MIME type of a file and forces them to adhere to the declared content type. Helps prevent attacks that rely on mismatched file types.

  • Referrer-Policy – Allows you to specify how much referrer information browsers should pass along when a user clicks a link to navigate away from your site.

When implemented properly, these headers make it much harder for attackers to carry out common exploit techniques. They provide an important boost to your WordPress security posture.

However, the process for actually adding these headers to your site can seem a bit daunting if you're not a technical user. Don't worry though – in the next section, we'll walk through how to set them up using several beginner-friendly methods.

How to Implement Security Headers on Your WordPress Website

Now that you understand what security headers are and why they matter, let's get into the practical steps of adding them to your WordPress site. We'll cover four different methods you can use:

Method 1: Using a WordPress Security Plugin

The easiest way to add HTTP security headers for most WordPress users is by installing a security plugin. These tools handle the technical details for you and allow you to toggle headers on or off from a user-friendly interface.

Two of the best WordPress security plugins that support HTTP headers are:

  • Sucuri Security – This all-in-one security plugin/service includes a website firewall, malware scanner, security hardening options, and more. The "Hardening" tab allows you to easily activate security headers.

  • iThemes Security – Another popular WordPress security suite that lets you enable security headers under the "Advanced" section of the plugin settings.

We'll walk through the setup process for each one.

Sucuri Security Plugin

Install the free Sucuri plugin from the official WordPress.org repository or by searching for "Sucuri" under Plugins > Add New in your WordPress dashboard. Activate the plugin once it's installed.

[Screenshot: Install Sucuri Security Plugin]

In your WordPress dashboard, navigate to the Sucuri menu item. Click the "Hardening" tab at the top of the page:

[Screenshot: Sucuri Hardening Options]

Scroll down to the "HTTP Headers" section. Here you'll see toggles to enable or disable several key security headers:

[Screenshot: Sucuri HTTP Security Headers]

The recommended settings are:

  • X-XSS-Protection – Set to "1; mode=block" to block detected XSS attacks
  • X-Frame-Options – Set to "SAMEORIGIN" to allow your site to be iframed only by pages on the same domain
  • X-Content-Type-Options – Set to "nosniff" to prevent MIME type sniffing
  • Strict Transport Security – Set max-age to a high value like "31536000" (1 year) to force HTTPS for a long time
  • Referrer-Policy – Set to "strict-origin-when-cross-origin" to cut down on information leakage to other sites

After selecting your desired settings, click the "Harden" button at the bottom to apply the headers. That's it! Your security headers are now live.

iThemes Security Plugin

If you prefer to use iThemes Security, the setup process is similar. Install and activate the plugin, then head to Security > Settings in your WordPress dashboard.

Scroll down to the "Advanced" tab and look for the "HTTP Security Headers" section:

[Screenshot: iThemes HTTP Security Headers]

Here you can enable the following headers with a single click:

  • X-Frame-Options: SAMEORIGIN
  • X-XSS-Protection: 1; mode=block
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Referrer-Policy: no-referrer-when-downgrade

The plugin provides a helpful on/off toggle for each header if you want to customize the settings. For most sites, the default recommended options are a good starting point.

Don't forget to save your changes after enabling the desired headers. iThemes Security will instantly apply them across your entire WordPress site.

Method 2: Setting Security Headers in Cloudflare

If you use the Cloudflare CDN/WAF service to proxy and secure your WordPress site, you can easily add security headers through your Cloudflare dashboard without a plugin.

After logging into Cloudflare, select your WordPress site and click the "SSL/TLS" app in the main navigation. Open the "Edge Certificates" tab:

[Screenshot: Cloudflare Edge Certificates]

Here you'll see options to configure several important security headers under the "HTTP Strict Transport Security (HSTS)" and "Minimum TLS Version" sections.

The key settings to enable are:

  • HTTP Strict Transport Security (HSTS) – Forces HTTPS connections and prevents visitors from bypassing invalid certificate warnings
  • Minimum TLS Version – Forces modern, secure TLS 1.2 or higher encryption between Cloudflare and the visitor's browser
  • Automatic HTTPS Rewrites – Redirects all HTTP requests to the HTTPS versions of your pages

Cloudflare also allows you to enable other security headers by adding custom "Edge Snippets" written in the Cloudflare Workers syntax. For example, to add a strict X-Frame-Options header, you could create a snippet like this:

addEventListener('fetch', event => {
  event.respondWith(addHeader(event.request))
})

async function addHeader(request) {
  let upstream = await fetch(request)
  // A Response returned by fetch() has immutable headers, so copy it
  // into a new Response before modifying anything
  let response = new Response(upstream.body, upstream)
  response.headers.set("X-Frame-Options", "DENY")
  return response
}

Adding snippets requires a bit more technical know-how, but Cloudflare provides documentation to help you get started. Check out their Edge Snippets guide to learn more.
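As an added example that is neither Cloudflare's nor the original post's code, here is a fuller Worker in the same style that applies the header set recommended in this guide while leaving any header the origin already sent untouched (so a plugin or .htaccess rule still wins). The handler and the addEventListener registration only run inside the Workers runtime; applySecurityHeaders() is a plain function that works on any object with get()/set(), such as a Response's Headers or a Map, so it can be exercised outside Cloudflare. X-XSS-Protection is left out of this set because Chromium-based browsers removed their XSS auditor and Firefox never implemented it. The header values are the ones suggested earlier in this guide; the overwrite option and the function names are this example's own assumptions.

```javascript
// Added example, not code from the original post or from Cloudflare.
// Recommended values (assumption: matches the settings suggested in this guide).
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// `headers` is anything with get()/set(): a Response's Headers object in the
// Workers runtime, or a plain Map when testing. Headers.get() returns null and
// Map.get() returns undefined for an absent name, so both are treated as absent.
// Returns the names that were actually set, so the caller can see what the
// edge added versus what the origin already sent.
function applySecurityHeaders(headers, { overwrite = false } = {}) {
  const added = [];
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!overwrite && headers.get(name) != null) {
      continue; // origin (plugin, .htaccess, ...) already set this one; keep it
    }
    headers.set(name, value);
    added.push(name);
  }
  return added;
}

async function handleRequest(request) {
  const upstream = await fetch(request);
  // fetch() responses carry immutable headers; copy into a new Response first.
  const response = new Response(upstream.body, upstream);
  applySecurityHeaders(response.headers);
  return response;
}

// Only the Workers runtime provides a global addEventListener; outside it
// (e.g. Node.js) this registration is skipped and the functions above remain
// usable on their own.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```

Leaving existing headers alone is the safer default when the same site is also configured through a plugin or .htaccess: the two layers then never fight over a value, and the return value of applySecurityHeaders() tells you exactly which headers the edge had to supply.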

Method 3: Manually Editing .htaccess

For WordPress sites running on Apache web servers, you can edit the .htaccess configuration file to add security headers at the server level. This method requires you to be comfortable working with code and accessing your site's file system over SFTP/SSH.

Warning – A misconfigured .htaccess file can take down your entire WordPress site. Be sure to download a backup copy of your existing .htaccess before making changes, so you can revert if needed.

In your WordPress site's root directory, create a new file named ".htaccess" (without quotes) if it doesn't already exist. Add the following code block to the top of the file:

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Content-Type-Options nosniff
  Header always set X-Frame-Options SAMEORIGIN
  Header always set Referrer-Policy strict-origin-when-cross-origin
</IfModule>

This snippet uses Apache's mod_headers directive to set several recommended security headers:

  • Strict-Transport-Security with a max-age of 1 year, plus includeSubDomains to cover all subdomains
  • X-XSS-Protection to block detected XSS attacks
  • X-Content-Type-Options to prevent MIME type sniffing
  • X-Frame-Options to allow framing only from the same origin
  • Referrer-Policy to limit referrer data leakage

After saving your changes to .htaccess, test your WordPress site thoroughly to make sure nothing broke. If you encounter issues, here are some troubleshooting tips:

  • Check your Apache error logs for clues about what caused the problem
  • Make sure you copy/pasted the header directives exactly, without any typos
  • Try enabling one header at a time to isolate the issue
  • Try removing the "always" condition for individual headers (e.g. "Header set X-Frame-Options…")
  • Verify that your server has the mod_headers Apache module enabled

If you're unable to get the headers working properly, don't force it. Remove the code from .htaccess and try one of the other methods instead.

Method 4: HTTP Headers Plugin

The HTTP Headers plugin by Alberto Varela is a simple, lightweight option for adding security headers and other custom HTTP headers to WordPress.

To use it, install and activate the plugin, then navigate to Settings > HTTP Headers in your WordPress dashboard. Click the "Add custom header" button to configure a new header:

[Screenshot: HTTP Headers Plugin]

In the "Header" field, enter the name of the security header you want to set, like X-Frame-Options or X-XSS-Protection. The "Value" field is where you specify the header‘s value, like DENY or 1; mode=block.

Repeat this process for each header you want to add:

[Screenshot: HTTP Headers Plugin]

When you're finished, click "Save Changes" to apply the new headers to your WordPress site. You can verify they're working using the developer tools in Chrome or Firefox, or an online header checker tool.

The plugin also supports conditional logic for setting headers based on specific URLs, post types, taxonomies, and more. This allows you to fine-tune your headers for different parts of your site, which is handy for advanced use cases.

How to Test Your WordPress Security Headers

After enabling security headers using one of the above methods, it's a good idea to test that they're actually working as intended. You can check your WordPress site's headers using a free web-based tool like:

Each of these tools will scan your site and show you which security headers are present, along with a grade rating based on how well-configured they are. They can alert you to misconfigurations or headers that may be missing.

For example, here's what part of an Observatory report looks like:

[Screenshot: Observatory Header Check Example]

However, don't get too fixated on achieving a perfect grade. Many of these tools use very strict criteria and will ding you for things that may not be practical for your use case.

The goal is to make sure you have the core security headers enabled – HSTS, XSS protection, X-Frame-Options, etc. – with recommended values. As long as those basics are in place, your WordPress site's security posture will be in pretty good shape.
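As an added example that is not part of the original post, the following Node.js script performs the kind of check those online scanners do, but offline and with the values recommended earlier in this guide: each core header is reported as ok, weak or missing, with a hint on what to change. The sample response headers are constructed for the example, the thresholds and hint wording are this example's own assumptions, and X-XSS-Protection is only noted as informational because current browsers no longer act on it. The comment at the end shows how the same audit is run against a live site's headers with Node's built-in fetch().

```javascript
// Added example, not from the original post: audit HTTP response headers
// against the values recommended in this guide. Node 18+, built-ins only.

const SAFE_REFERRER = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// Pull the max-age number out of an HSTS value such as
// "max-age=31536000; includeSubDomains"; null if there is none.
function parseMaxAge(value) {
  const m = /(?:^|;)\s*max-age\s*=\s*(\d+)/i.exec(value);
  return m ? Number(m[1]) : null;
}

// Lower-case header name -> how its value is judged, plus a fix-it hint.
const RECOMMENDED = {
  'strict-transport-security': {
    check: (v) => (parseMaxAge(v) ?? 0) >= 31536000,
    hint: 'max-age should be at least 31536000 (one year)',
  },
  'x-content-type-options': {
    check: (v) => v.trim().toLowerCase() === 'nosniff',
    hint: 'value should be "nosniff"',
  },
  'x-frame-options': {
    check: (v) => ['deny', 'sameorigin'].includes(v.trim().toLowerCase()),
    hint: 'value should be DENY or SAMEORIGIN (ALLOW-FROM is obsolete)',
  },
  'referrer-policy': {
    check: (v) => SAFE_REFERRER.has(v.trim().toLowerCase()),
    hint: 'use strict-origin-when-cross-origin, strict-origin, same-origin or no-referrer',
  },
};

// rawHeaders: plain object of header name -> value, names in any case.
// Returns one finding per recommended header (status ok | weak | missing),
// plus an informational note if the legacy X-XSS-Protection header is present.
function auditHeaders(rawHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = String(value);
  }
  const findings = [];
  for (const [name, rule] of Object.entries(RECOMMENDED)) {
    const value = headers[name];
    if (value === undefined) {
      findings.push({ header: name, status: 'missing', hint: rule.hint });
    } else if (rule.check(value)) {
      findings.push({ header: name, status: 'ok', value });
    } else {
      findings.push({ header: name, status: 'weak', value, hint: rule.hint });
    }
  }
  if (headers['x-xss-protection'] !== undefined) {
    findings.push({
      header: 'x-xss-protection', status: 'info', value: headers['x-xss-protection'],
      hint: 'legacy header: current browsers no longer act on it, so do not rely on it',
    });
  }
  return findings;
}

// One line per finding, in the spirit of the online scanners' reports.
function formatReport(findings) {
  return findings
    .map((f) => `${f.status.padEnd(7)} ${f.header}` +
      (f.value !== undefined ? `: ${f.value}` : '') +
      (f.hint ? `  -> ${f.hint}` : ''))
    .join('\n');
}

// Constructed sample: what a half-configured site might send.
const SAMPLE_HEADERS = {
  'Server': 'Apache',
  'Content-Type': 'text/html; charset=UTF-8',
  'Strict-Transport-Security': 'max-age=300',            // far too short
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'ALLOW-FROM https://example.org',   // obsolete syntax
  'X-XSS-Protection': '1; mode=block',
  // Referrer-Policy deliberately absent
};

console.log(formatReport(auditHeaders(SAMPLE_HEADERS)));

// Against a live site (Node 18+), the same audit runs on the real headers:
//   const res = await fetch('https://YOUR-SITE.example/', { redirect: 'manual' });
//   console.log(formatReport(auditHeaders(Object.fromEntries(res.headers))));
```

Running the script on the constructed sample reports HSTS and X-Frame-Options as weak, Referrer-Policy as missing and X-Content-Type-Options as ok, which is exactly the sort of gap a plugin toggle or .htaccess line from the earlier sections closes. Use redirect: 'manual' on a live check so you inspect the final response of the URL you asked for rather than the headers of wherever it redirected.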

Other Ways to Boost Your WordPress Security

HTTP security headers are just one piece of the WordPress security puzzle. They help lock down your site against certain types of attacks, but there are other important steps you should take to keep your site safe:

  • Use strong passwords and enable two-factor authentication (2FA) for all user accounts
  • Keep your WordPress core, themes, and plugins updated to patch known vulnerabilities
  • Install a WordPress security plugin that offers additional login security, malware scanning, firewalls, and more
  • Harden your wp-config.php file and deny public access to sensitive files/directories
  • Disable XML-RPC and restrict REST API access if you're not using those features
  • Limit login attempts to prevent brute force attacks
  • Add HTTP authentication to your WordPress admin area for an extra layer of protection
  • Regularly back up your WordPress site so you can quickly recover from attacks or data loss

By combining HTTP headers with these other hardening measures, you can greatly reduce the risk of your WordPress site falling victim to hackers.

Final Thoughts

Securing your WordPress site is an ongoing process, but adding HTTP security headers is one of the most impactful steps you can take to prevent common vulnerabilities. They cost nothing to implement and can make it significantly harder for attackers to compromise your site using methods like XSS, clickjacking, and code injection.

In this post, we've covered the most important security headers to enable and four different ways to add them to WordPress. Whether you choose a plugin, your web server config, or your CDN dashboard, pick a method that aligns with your technical comfort level.

Remember, though – headers alone aren't a complete WordPress security solution. Continue to follow security best practices like updates, backups, access controls, and activity monitoring to keep your site locked down.

Have any other questions about WordPress security headers? Leave a comment below!
