
How to Add HTTP Security Headers in WordPress (Beginner’s Guide)

Last updated on March 30th, 2021 by Editorial Staff

Do you want to add HTTP security headers in WordPress?

HTTP security headers allow you to add an extra layer of security to your WordPress website. They can help block common malicious activity from affecting your website performance.

In this beginner’s guide, we’ll show you how to easily add HTTP security headers in WordPress.


What are HTTP Security Headers?

HTTP security headers are a security measure that allows your website’s server to prevent some common security threats before they affect your website.

Basically, when a user visits your website, your web server sends an HTTP header response back to their browser. This response tells browsers about error codes, cache control, and other statuses.

The normal header response issues a status called HTTP 200, after which your website loads in the user’s browser. However, if your website is having difficulty, then your web server may send a different HTTP header.

For example, it may send a 500 internal server error, or a not found 404 error code.

HTTP security headers are a subset of these headers and are used to protect websites from common threats like click-jacking, cross-site scripting, brute force attacks, and more.

Let’s have a quick glance at what HTTP security headers look like and what they do to protect your website.

HTTP Strict Transport Security (HSTS)

The HTTP Strict Transport Security (HSTS) header tells web browsers that your website uses HTTPS and should not be loaded using an insecure protocol like HTTP.

If you have moved your WordPress website from HTTP to HTTPS, then this security header allows you to stop browsers from loading your website over HTTP.

X-XSS-Protection

The X-XSS-Protection header allows you to block cross-site scripting from loading on your WordPress website.

X-Frame-Options

The X-Frame-Options security header prevents cross-domain iframes or click-jacking.

X-Content-Type-Options

X-Content-Type-Options blocks content MIME-type sniffing.

That being said, let’s take a look at how to easily add HTTP security headers in WordPress.

Adding HTTP Security Headers in WordPress

HTTP security headers work best when they are set at the web server level (i.e., your WordPress hosting account). This allows them to be triggered early on during a typical HTTP request and provides maximum benefit.

They work even better if you are using a DNS-level website application firewall like Sucuri or Cloudflare. We’ll show you each method, and you can choose one that works best for you.

Here are quick links to the different methods, so you can jump to the one that suits you.

  • Adding HTTP security headers using Sucuri
  • Adding HTTP security headers using Cloudflare
  • Adding HTTP security headers using .htaccess
  • Adding HTTP security headers using WordPress Plugin
  • Testing HTTP security headers

1. Adding HTTP Security Headers in WordPress using Sucuri

Sucuri is the best WordPress security plugin on the market. If you are using their website firewall service too, then you can set HTTP security headers without writing any code.

First, you will need to sign up for a Sucuri account. It is a paid service that comes with a server-level website firewall, security plugin, CDN, and malware removal guarantee.

During sign up, you will answer simple questions, and Sucuri documentation will help you set up the website application firewall on your website.

After signing up, you need to install and activate the free Sucuri plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, go to the Sucuri Security » Firewall (WAF) page and enter your Firewall API key. You can find this information under your account on the Sucuri website.

Click on the Save button to store your changes.

Next, you need to switch to your Sucuri account dashboard. From here, click on the Settings menu on top and then switch to the Security tab.

From here, you can choose from three sets of rules: the default protection, HSTS, and HSTS Full. You will see which HTTP security headers will be applied for each set of rules.

Click on the ‘Save Changes in The Additional Headers’ button to apply your changes.

That’s all. Sucuri will now add your selected HTTP security headers in WordPress. Since it is a DNS-level WAF, your website traffic is protected from hackers even before they reach your website.

2. Adding HTTP Security Headers in WordPress using Cloudflare

Cloudflare offers a basic free website firewall and CDN service. Its free plan lacks advanced security features, so you will need to upgrade to the Pro plan, which is more expensive.

To add Cloudflare on your site, see our tutorial on how to add Cloudflare free CDN in WordPress.

Once Cloudflare is active on your website, go to the SSL/TLS page under your Cloudflare account dashboard and then switch to the Edge Certificates tab.


Now, scroll down to the HTTP Strict Transport Security (HSTS) section and click on the ‘Enable HSTS’ button.


This will bring up a popup with instructions telling you that you must have HTTPS enabled on your WordPress blog before using this feature. Click on the Next button to continue, and you will see the options to add HTTP security headers.


From here, you can enable HSTS, no-sniff header, apply HSTS to subdomains (if they are using HTTPS), and preload HSTS.

This method provides basic protection using HTTP security headers. However, it does not let you add X-Frame-Options, and Cloudflare doesn’t have a user interface to do that.

You can still do that by creating a script using the Workers feature. However, creating an HTTP security header script may cause unexpected issues for beginners, which is why we wouldn’t recommend it.

3. Adding HTTP Security Headers in WordPress using .htaccess

This method allows you to set the HTTP security headers in WordPress at the server level.

It requires you to edit the .htaccess file on your website. It is a server configuration file used by Apache, the most commonly used web server software.

Simply connect to your website using an FTP client, or the file manager app in your hosting control panel. In the root folder of your website, you need to locate the .htaccess file and edit it.

This will open the file in a plain text editor. At the bottom of the file, you can add the code to add HTTP security headers to your WordPress website.

You can use the following sample code as a starting point. It sets the most commonly used HTTP security headers with optimal settings:

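<IfModule mod_headers.c>
# Sent only on HTTPS responses (env=HTTPS); max-age is one year in seconds
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
# Stop browsers from MIME-type sniffing
Header set X-Content-Type-Options "nosniff"
# Disallow loading the site in any frame
Header set X-Frame-Options "DENY"
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>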

Don’t forget to save your changes and visit your website to make sure that everything is working as expected.

Note: Incorrect headers or conflicts in the .htaccess file may trigger a 500 Internal Server Error on most web hosts.

4. Adding HTTP Security Headers in WordPress using Plugin

This method is a little less effective as it relies on a WordPress plugin to modify the headers. However, it is also the easiest way to add HTTP security headers to your WordPress website.

First, you need to install and activate the Redirection plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, the plugin will show a setup wizard that you can just follow along to set up the plugin. After that, go to the Tools » Redirection page and switch to the ‘Site’ tab.

Next, you need to scroll down to the bottom of the page to the HTTP Headers section and click on the ‘Add Header’ button. From the drop-down menu, you need to select the ‘Add Security Presets’ option.

After that, you will need to click on it again to add those options. Now, you will see a preset list of HTTP security headers appear in the table.

These headers are optimized for security. You can review them and change them if needed. Once you are done, don’t forget to click on the Update button to save your changes.

You can now visit your website to make sure that everything is working fine.

How to Check HTTP Security Headers for a Website

Now that you have added HTTP security headers to your website, you can test your configuration using the free Security Headers tool. Simply enter your website URL and click on the Scan button.

It will then check the HTTP security headers for your website and show you a report. The tool generates a so-called grade label, which you can ignore, as most websites would get a B or C score at best without affecting user experience.

It will show you which HTTP security headers are sent by your website and which security headers are not included. If the security headers that you wanted to set are listed there, then you are done.
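The same check can be run locally. The script below is an added example, not part of the original article: it audits a block of response headers (as printed by curl -sI) against the five headers set in the .htaccess snippet above. The sample response, the example.com URL and the function names are constructed for illustration.

```python
import re

# Constructed sample: headers as `curl -sI https://example.com/` would print them.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
"""

def parse_headers(raw):
    """Return {lowercased-name: [values]}; header names are case-insensitive."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_ok(value):
    # max-age=0 tells the browser to forget HSTS, so it must be positive.
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0

# Expected values follow the article's .htaccess snippet (SAMEORIGIN also accepted).
CHECKS = {
    "strict-transport-security": hsts_ok,
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.lower() == "no-referrer-when-downgrade",
}

def audit(raw):
    """Map each header to 'ok', 'missing', 'duplicate: ...' or 'unexpected: ...'."""
    headers, report = parse_headers(raw), {}
    for name, check in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:                  # e.g. set by both a firewall and .htaccess
            report[name] = "duplicate: " + " | ".join(values)
        else:
            report[name] = "ok" if check(values[0]) else "unexpected: " + values[0]
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:28} {status}")
```

A "duplicate" result usually means the same header is being set in two places, for example by a firewall service and by .htaccess.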

That’s all, we hope this article helped you learn how to add HTTP security headers in WordPress. You may also want to see our complete WordPress security guide, and our expert pick of the best WordPress plugins for business websites.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.


About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.


2 Comments

  1. Mark Downing says:
    Apr 5, 2021 at 6:29 am

    Thanks for the very helpful article. Our site went from an “F” to a “B” with no glitches after I pasted your code snippet into .htaccess.

    • WPBeginner Support says:
      Apr 5, 2021 at 11:32 am

      Glad our recommendation was helpful :)
