Do you want to add HTTP security headers in WordPress?
HTTP security headers allow you to add an extra layer of security to your WordPress website. They can help block common malicious activity from affecting your website performance.
In this beginner’s guide, we’ll show you how to easily add HTTP security headers in WordPress.
What are HTTP Security Headers?
HTTP security headers are a security measure that allows your website’s server to prevent some common security threats before it affects your website.
Basically, when a user visits your website, your web server sends an HTTP header response back to their browser. This response tells browsers about error codes, cache control, and other statuses.
The normal header response issues a status called HTTP 200. After which your website loads in the user’s browser. However, if your website is having difficulty then your web server may send a different HTTP header.
That being said, let’s take a look at how to easily add HTTP security headers in WordPress.
Adding HTTP Security Headers in WordPress
HTTP security headers work best when they are set at the web server level (i.e your WordPress hosting account). This allows them to be triggered early on during a typical HTTP request and provides maximum benefit.
They work even better if you are using a DNS-level website application firewall like Sucuri or Cloudflare. We’ll show you each method, and you can choose one that works best for you.
Here are quick links to different methods, you can jump to the one that suits you.
Once Cloudflare is active on your website, go to the SSL/TLS page under your Cloudflare account dashboard and then switch to the Edge Certificates tab.
Now, scroll down to the HTTP Strict Transport Security (HSTS) section and click on the ‘Enable HSTS’ button.
This will bring up a popup with instructions telling you that you must have HTTPS enabled on your WordPress blog before using this feature. Click on the Next button to continue, and you will see the options to add HTTP security headers.
From here, you can enable HSTS, no-sniff header, apply HSTS to subdomains (if they are using HTTPS), and preload HSTS.
This method provides basic protection using HTTP security headers. However, it does not let you add X-Frame-Options and Cloudflare doesn’t have a user interface to do that.
You can still do that by creating a script using the Workers feature. However, creating an HTTPS security header script may cause unexpected issues for beginners which is why we wouldn’t recommend it.
3. Adding HTTP Security Headers in WordPress using .htaccess
This method allows you to set the HTTP security headers in WordPress at the server level.
It requires you to edit the .htaccess file on your website. It is a server configuration file used by the most commonly used Apache webserver software.
Simply connect to your website using an FTP client, or the file manager app in your hosting control panel. In the root folder of your website, you need to locate the .htaccess file and edit it.
This will open the file in a plain text editor. At the bottom of the file, you can add the code to add HTTPS security headers to your WordPress website.
You can use the following sample code as a starting point, it sets the most commonly used HTTPs security headers with optimal settings:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy: no-referrer-when-downgrade
Don’t forget to save your changes and visit your website to make sure that everything is working as expected.
Upon activation, the plugin will show a set up wizard that you can just follow along to set up the plugin. After that, go to Tools » Redirection page and switch to the ‘Site’ tab.
Next, you need to scroll down to the bottom of the page to the HTTP Headers section and click on the ‘Add Header’ button. From the drop-down menu, you need to select ‘Add Security Presets’ option.
After that, you will need to click on it again to add those options. Now, you will see a preset list of HTTP security headers appear in the table.
These headers are optimized for security, you can review them and change them if needed. Once you are done, don’t forget to click on the Update button to save your changes.
You can now visit your website to make sure that everything is working fine.
How to Check HTTP Security Headers for a Website
Now that, you have added HTTP Security headers to your website. You can test your configuration using the free Security Headers tool. Simply enter your website URL and click on the Scan button.
It will then check HTTP security headers for your website and will show you a report. The tool would generate a so-called grade label which you can ignore as most websites would get a B or C score at best without affecting user experience.
It will show you which HTTP security headers are sent by your website and which security headers are not included. If the security headers that you wanted to set are listed there, then you are done.
At Marketing Solution Australia we strive to deliverer elegant responsive websites for your business integrated with our personal SEO Optimization package to bring your pages on the first page of Google.