wpcanyon.com
Best HTTP security headers for WordPress (with examples)

Posted on August 19, 2025 by Admin

WordPress security headers are essential HTTP response headers that help protect your website from common web vulnerabilities. Adding the right security headers can prevent attacks like cross-site scripting (XSS), clickjacking, and data injection, improving your site’s overall security posture. This guide explains the best HTTP security headers for WordPress, why they matter, and how to implement them effectively.

Quick Fix: Add These Essential WordPress Security Headers

  1. Content-Security-Policy (CSP): Controls which resources the browser can load.
  2. Strict-Transport-Security (HSTS): Enforces HTTPS connections.
  3. X-Frame-Options: Prevents clickjacking by controlling iframe embedding.
  4. X-Content-Type-Options: Stops MIME type sniffing.
  5. Referrer-Policy: Controls how much referrer information is sent.
  6. Permissions-Policy: Restricts access to browser features.
  7. Expect-CT: Enforces Certificate Transparency to prevent misissued certificates. Note that this header is deprecated: current browsers ignore it and enforce Certificate Transparency on their own, so sending it is harmless but adds no protection.

Adding these headers to your WordPress site’s server configuration or via plugins will significantly improve your website’s security.

Why This Happens: The Need for WordPress Security Headers

By default, WordPress does not send many HTTP security headers. This leaves your site vulnerable to:

  • Cross-site scripting (XSS): Malicious scripts injected into your pages.
  • Clickjacking: Attackers embedding your site in iframes to trick users.
  • Man-in-the-middle attacks: Without HTTPS enforcement, data can be intercepted.
  • MIME sniffing: Browsers guessing content types, potentially executing malicious files.
  • Data leakage: Referrer headers exposing sensitive URLs.

Security headers instruct browsers on how to handle your site’s content safely, reducing these risks.

Step-by-Step: How to Implement WordPress Security Headers

Depending on your server environment, you can add security headers via your web server configuration or WordPress plugins. Below are examples for Apache, Nginx, and a PHP snippet for WordPress.

1. Apache (.htaccess) Configuration

# Wrapping the directives in IfModule avoids a 500 error on hosts where mod_headers is not loaded
<IfModule mod_headers.c>
    # Content Security Policy
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';"

    # HTTP Strict Transport Security (HSTS)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # X-Frame-Options to prevent clickjacking
    Header set X-Frame-Options "SAMEORIGIN"

    # Prevent MIME sniffing
    Header set X-Content-Type-Options "nosniff"

    # Referrer Policy
    Header set Referrer-Policy "no-referrer-when-downgrade"

    # Permissions Policy (formerly Feature-Policy)
    Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # Expect-CT for Certificate Transparency (deprecated; ignored by current browsers)
    Header set Expect-CT "max-age=86400, enforce"
</IfModule>

2. Nginx Configuration

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

add_header X-Frame-Options "SAMEORIGIN" always;

add_header X-Content-Type-Options "nosniff" always;

add_header Referrer-Policy "no-referrer-when-downgrade" always;

add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

add_header Expect-CT "max-age=86400, enforce" always;

3. WordPress PHP Snippet (functions.php or custom plugin)

function add_security_headers() {
    // Bail out if output has already started; header() would fail with a warning.
    if ( headers_sent() ) {
        return;
    }
    // Restrict where scripts, styles, images and fonts may be loaded from.
    header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';");
    // HSTS is only honoured on an HTTPS response; browsers ignore it over plain HTTP.
    if ( is_ssl() ) {
        header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
    }
    header("X-Frame-Options: SAMEORIGIN");
    header("X-Content-Type-Options: nosniff");
    header("Referrer-Policy: no-referrer-when-downgrade");
    header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
    // Deprecated header; kept here for completeness, current browsers ignore it.
    header("Expect-CT: max-age=86400, enforce");
}
// 'send_headers' fires after WordPress sets its own headers and before any output.
add_action('send_headers', 'add_security_headers');

Note: Adjust the Content-Security-Policy directives to match your site’s resources and trusted domains. Be aware that 'unsafe-inline' in script-src lets any injected inline script run, so it removes most of the XSS protection CSP offers; because WordPress core and many plugins emit inline scripts, a practical approach is to deploy the policy first as Content-Security-Policy-Report-Only, review the violation reports, and then tighten it by replacing 'unsafe-inline' with nonces or hashes.

Verification: How to Check Your WordPress Security Headers

After implementing the headers, verify they are active using these methods:

  • Browser Developer Tools: Open your site, press F12, go to the Network tab, reload, and inspect the response headers.
  • Online Tools: Use services like securityheaders.com or Mozilla Observatory.
  • Command Line: Run curl -I https://yourdomain.com and look for the security headers in the output.
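As an added example (not part of the original article), the following Python script automates the command-line check: it fetches a site’s response headers with a HEAD request, as curl -I does, and reports which of the seven headers above are missing, plus CSP source expressions such as 'unsafe-inline' that weaken the XSS protection. Without a URL argument it audits a constructed sample standing in for a default WordPress response.

```python
import sys
import urllib.request

# Checklist from the guide: header -> required value(s)/substring (None = any non-empty value).
EXPECTED = {
    "content-security-policy": None,  # contents inspected by csp_weaknesses()
    "strict-transport-security": "max-age=",
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "x-content-type-options": "nosniff",
    "referrer-policy": None,
    "permissions-policy": None,
    "expect-ct": None,
}

def csp_weaknesses(csp):
    """Findings that undo most of a CSP's XSS protection; script-src falls back to default-src."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script = directives.get("script-src", directives.get("default-src", []))
    risky = {"'unsafe-inline'": "allows inline scripts",
             "'unsafe-eval'": "allows eval()", "*": "allows any origin"}
    return [f"script-src {src} {why}" for src, why in risky.items() if src in script]

def audit(headers):
    """headers: name -> value (any case). Returns {'missing': [...], 'weak': [...]}."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing, weak = [], []
    for name, want in EXPECTED.items():
        value = lower.get(name)
        if value is None:
            missing.append(name)
        elif isinstance(want, tuple) and value.strip().upper() not in want:
            weak.append(f"{name}: unexpected value {value!r}")
        elif isinstance(want, str) and want not in value.lower():
            weak.append(f"{name}: missing {want!r}")
    if "content-security-policy" in lower:
        weak.extend(csp_weaknesses(lower["content-security-policy"]))
    return {"missing": missing, "weak": weak}

def fetch_headers(url):
    """HEAD request (like curl -I); returns the response headers as a dict."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

if __name__ == "__main__":
    sample = {"Content-Type": "text/html"}  # constructed: a default WordPress response
    print(audit(fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else sample))
```

Run as `python check_headers.py https://yourdomain.com`; an empty "missing" list and an empty "weak" list mean every header from the guide is present and the script-src policy contains none of the three risky source expressions.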

Works On

  • Apache: Modify .htaccess or server config files.
  • Nginx: Edit server block configuration files.
  • LiteSpeed: Compatible with Apache directives in .htaccess.
  • cPanel / Plesk: Use built-in editors for Apache/Nginx configs or add PHP snippets.
  • WordPress Plugins: Plugins like “HTTP Headers” or
