How to Add HTTP Security Headers in WordPress

When it comes to designing a WordPress website, there is no such thing as being too safe. Every layer of safety is a further guarantee that your and your customers’ information will remain protected. But, unfortunately, some safety measures can hinder you in different ways. Ideally, you want to add extra safety features to your website without jeopardizing the user’s experience. And, as it turns out, that is precisely what HTTP security headers offer. So, let’s take a closer look at how to add HTTP security headers in WordPress.

Understanding HTTP security headers

The main use of HTTP security headers is as a warning. When a visitor comes to your website, their browser receives an HTTP header response from your server. The response tells the browser about any error codes, cache control, and various other aspects. If everything is OK, the header response will carry an HTTP 200 status. By receiving this, the user’s browser will have a green light to load your website. But, if there are any difficulties, the user will get a different header. Common examples are a 500 internal server error or a 404 not found error.

404 error is fairly common.

HTTP security headers are a type of header that your server can send. They serve to warn browsers about cross-site scripting, brute force attacks, click-jacking, and various other security threats. The most common types of HTTP security headers are:

  • HTTP Strict Transport Security (HSTS) – This header tells the user’s browser to reach your website over HTTPS only.
  • X-XSS-Protection – This header blocks cross-site scripting.
  • X-Frame-Options – This header prevents click-jacking and cross-domain iframes.
  • X-Content-Type-Options – This header blocks MIME-type sniffing.

As you can see, security headers can play an important role in how safe your website is. So, with that out of the way, let’s see a couple of ways in which you can incorporate HTTP security headers in your website.

Add HTTP security headers in WordPress

The best way to set the HTTP security headers is at the web server level. By doing so, you will ensure that they get triggered at the start of an HTTP request, and therefore provide the maximum amount of safety. And, you won’t have to worry about doing so for different landing pages, since the headers are set at the server level. The other option is to go with a DNS-level website firewall. Setting the headers up at this level is usually considered easier, but it can be problematic when it comes to safety measures. Nevertheless, we will go over both methods and how to apply them.

Using a WordPress plugin

As is the case with most things in WordPress, using a plugin is the easiest way to change something. Luckily, HTTP security headers are no exception. The first thing to do is to install the Redirection plugin. Once you install and activate it, you will see a setup wizard. Simply follow its instructions to set it up. With that done, go to the Tools -> Redirection page, and switch to the “Site” tab. There you need to scroll down to the bottom and click on “Add Header”. In the dropdown menu that appears, choose the “Add Security Presets” option. By doing so, you’ll be presented with a list of HTTP security headers. You can then review and change headers (if need be), and finally implement them on your website. Just remember to click the “Update” button once you are done.

While you should add HTTP security headers in WordPress, know that you’ll need other plugins to keep your website safe.

Using .htaccess

Let’s now step away from run-of-the-mill plugins and explore some methods that are a bit more complicated. The following method will allow you to set the HTTP security headers at the server level. Namely, what you are going to do is alter the .htaccess file on your website. Apache web server software most commonly uses this file for server configuration. To alter it, you can either use an FTP client, or head to the hosting control panel and use the file manager app. You will find the .htaccess file in the root folder of your website. Once you find it, right-click on it and select Edit.

Doing so will open the text editor. In it, you need to scroll down to the bottom and add the code that will implement the HTTP security headers. There is some variety when it comes to which headers you would like to implement. Therefore, you ought to dig a bit deeper in order to figure out which headers are best suited for you. The following code is a good starting point as it contains the most commonly used headers:

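<IfModule mod_headers.c>
# HSTS is sent only on responses served over HTTPS (env=HTTPS)
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy no-referrer-when-downgrade
</IfModule>
# Use straight quotes (") only; curly quotes pasted from a web page end up inside the header value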

Just remember to save your changes once you’ve copied the code.
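To check the result after saving .htaccess, the following added example (not part of the original article) audits a response header block, such as the output of `curl -sI`, against the values in the snippet above. The function names and the sample response are constructed for illustration.

```python
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes pasted from a web page

def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= 31536000  # one year, as in the snippet

# Header name -> check on the lower-cased value (values from the snippet above).
EXPECTED = {
    "strict-transport-security": _hsts_ok,
    "x-xss-protection": lambda v: v.replace(" ", "") == "1;mode=block",
    "x-content-type-options": lambda v: v == "nosniff",
    "x-frame-options": lambda v: v == "deny",
    "referrer-policy": lambda v: v == "no-referrer-when-downgrade",
}

# Parse a raw response header block into {lower-cased name: [values]}.
def parse_headers(raw):
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

# Return {header: 'ok' | 'missing' | 'duplicate' | 'smart-quotes' | 'unexpected'}.
def audit(raw):
    headers, report = parse_headers(raw), {}
    for name, check in EXPECTED.items():
        values = headers.get(name, [])
        if len(values) != 1:
            report[name] = "duplicate" if values else "missing"
        elif any(q in values[0] for q in SMART_QUOTES):
            report[name] = "smart-quotes"
        else:
            report[name] = "ok" if check(values[0].lower()) else "unexpected"
    return report

# Constructed sample: the HSTS value carries curly quotes, X-Frame-Options is absent.
SAMPLE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: \u201cmax-age=31536000\u201d\r\n"
    "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n\r\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "duplicate" result usually means the same header is being set in two places, for example by a plugin and by .htaccess.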

Security measures at a server level are quite difficult to beat.

Using Cloudflare

When it comes to handling a website, Cloudflare is a pretty decent tool. By using it you will have a basic firewall, which is more than enough to protect you from bots and standard malware attacks. You will also have a CDN service. Unfortunately, it can be a bit lacking in its free version. So, if you end up liking it, you might need to opt for a premium one.

Another use of Cloudflare is that you can add HTTP security headers in WordPress. To do so, you’ll first need to install and activate it. Once you do, head to the SSL/TLS page under your account. Then you’ll need to switch to the Edge Certificates tab. Now you’ll need to scroll down and open the HSTS (HTTP Strict Transport Security) section. Now proceed to click on the Enable HSTS button. Here you’ll be asked to enable HTTPS on your WordPress blog. Once you do so, you will have access to HTTP security headers.