How to Use the HTTP Headers WordPress Plugin for Better Security

HTTP Headers WordPress Plugin for Security

The HTTP Headers WordPress plugin allows WordPress administrators to create and manage HTTP headers to improve security, privacy, and performance for visitors without needing to manually edit the .htaccess file. This is useful for:

  • Mitigating the possibility of making syntax mistakes within the .htaccess file that render the website inaccessible with a 500 error
  • Environments where you’re unable to access raw server files via cPanel, FTP, or Secure Shell (SSH)
  • Learning rarely discussed HTTP headers that can help improve user experience (UX)

In this article, we’ll discuss the most popular HTTP security headers available within the HTTP Headers WordPress plugin that can help you provide better security and privacy for visitors.

You can test your website security with third party security scanners, including Observatory.Mozilla.org and SecurityHeaders.com.

Install HTTP Headers WordPress Plugin

  1. Install and activate the HTTP Headers WordPress plugin using your WordPress dashboard or WP-CLI.
  2. Log in to your WordPress dashboard.
  3. On the left, hover over Settings and click HTTP Headers to get started.

HTTP Strict Transport Security (HSTS)

You can add HTTP Strict Transport Security (HSTS) in your .htaccess file to ensure your WordPress content is encrypted when it reaches visitors. This forces web browsers that support HSTS to load your website only over a secure (HTTPS) connection.

You must have a valid paid, or free, SSL certificate installed on your website at all times when HSTS is enabled, or your website will become inaccessible.

  1. On the left, hover over Settings and click HTTP Headers.
  2. Click the Security button.
  3. Beside Strict-Transport-Security, click Edit.
  4. Select the On radio button.
  5. Specify the following:
    max-age – How long the header should be active
    includeSubDomains – Whether to apply HSTS to subdomains
    preload – Authorizes preload listing (if eligible and desired)
  6. Click Save Changes.
  7. Click Security at the top to return to the security options.

Cloudflare content delivery network (CDN) users can save server resources by enabling HSTS in Cloudflare.
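An added check (not part of the article or the plugin) for the max-age, includeSubDomains and preload choices above: it parses the Strict-Transport-Security value the plugin writes and reports settings that are invalid, too weak, or not eligible for the preload list. The one-year minimum and the includeSubDomains requirement are the published preload-list conditions; the header values below are constructed samples.

```python
ONE_YEAR = 31_536_000  # seconds; the minimum max-age the preload list requires


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument}.
    Directive names are case-insensitive; flags without '=' map to True."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return directives


def audit_hsts(value, served_over_https=True):
    """Return a list of findings for a header value; an empty list means the
    policy is valid, strong, and meets the preload-list requirements."""
    findings = []
    if not served_over_https:
        findings.append("browsers ignore HSTS unless the response itself arrives over HTTPS")
    d = parse_hsts(value)
    if "max-age" not in d or not str(d["max-age"]).isdigit():
        findings.append("max-age is missing or not an integer; the header is invalid")
        return findings
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy (rollback only)")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR}); not preload-eligible")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains is absent; subdomains stay reachable over HTTP and preload requires it")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload is set but the other preload requirements are not met")
    return findings


if __name__ == "__main__":
    # Constructed sample values, as the plugin would quote them in .htaccess.
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(sample, "->", audit_hsts(sample) or "OK")
```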

Referrer Policy

The Referrer-Policy header controls what information is sent in the Referer header with URI requests. This keeps URLs containing sensitive information out of web analytics logs, where they could later be harvested for cyber attacks. For example, clicking links on a password reset page could send user credentials within the referrer URL.

  1. On the left, hover over Settings and click HTTP Headers.
  2. Click the Security button.
  3. Beside Referrer-Policy, select Edit.
  4. Click the On button.
  5. Choose a policy option from the drop-down:
    empty string – No preference
    no-referrer – No referrer info sent
    no-referrer-when-downgrade – Full URL sent unless leaving an HTTPS page for an HTTP page (default behavior if no policy is specified)
    same-origin – Only origin (root domain – e.g. example.com instead of example.com/privacy-policy) for requests within the same site
    origin – Only origin
    strict-origin – Origin only when protocol security level is the same (e.g. HTTPS to HTTPS)
    origin-when-cross-origin – Full URL for requests within the same site, but only origin for others
    strict-origin-when-cross-origin – Full URL when within site, only origin when protocol security level is the same (e.g. HTTPS to HTTPS), and no info from HTTPS to HTTP
    unsafe-url – Full URL (not recommended)
  6. Save Changes.
Referrer-Policy Settings Screen

Learn more about Referrer-Policy at Mozilla.org.
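To make the drop-down options concrete, here is an added simulation (not from the article or the plugin) of what a browser puts in the Referer header when a visitor follows a link from one URL to another under each policy value, following the semantics defined in the Referrer Policy specification. The password-reset URL and its token are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Modern browsers fall back to this when no policy is set; older ones used no-referrer-when-downgrade.
BROWSER_DEFAULT = "strict-origin-when-cross-origin"


def _host(p):
    return p.hostname + (f":{p.port}" if p.port else "")


def _strip(url):
    """A full-URL referrer never carries the fragment or user:password credentials."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))


def _origin(url):
    """Origin-only referrers are serialised as scheme://host[:port]/."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"


def referrer_for(policy, from_url, to_url):
    """Return the Referer value sent for a request from from_url to to_url under
    the given Referrer-Policy, or None when nothing is sent."""
    policy = policy or BROWSER_DEFAULT
    same_origin = _origin(from_url) == _origin(to_url)
    downgrade = urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(from_url)
    if policy == "origin":
        return _origin(from_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip(from_url)
    if policy == "same-origin":
        return _strip(from_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(from_url)
    if policy == "origin-when-cross-origin":
        return _strip(from_url) if same_origin else _origin(from_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _strip(from_url)
        return None if downgrade else _origin(from_url)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    reset = "https://example.com/reset-password/?key=EXAMPLE-TOKEN"  # constructed sample
    for pol in ("unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32} -> {referrer_for(pol, reset, 'https://analytics.example.net/')}")
```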

X-Frame-Options

X-Frame-Options specifies whether your WordPress website can be displayed within other websites via <frame>, <iframe>, <object>, or <embed> tags. Enabling this feature will create a Header set X-Frame-Options "[OPTION]" line within your .htaccess file for WordPress security against clickjacking.

  1. In the WordPress dashboard, hover over Settings and click HTTP Headers.
  2. Click the Security button.
  3. Beside X-Frame-Options, click Edit.
  4. Click On and specify an option from the drop-down menu:
    DENY – pages cannot be displayed in a frame at all
    SAMEORIGIN – pages can be framed only by pages from the same origin
    ALLOW-FROM – pages can be framed only by the specified URI; not supported in newer browsers
  5. Click Save Changes.
  6. Click Security at the top to return to the security options. You’ll see your specified option on the X-Frame-Options line.
X-Frame-Options Settings Screen

Mozilla recommends using the superseding Content Security Policy frame-ancestors attribute instead.

Content Security Policy (CSP)

The HTTP Headers WordPress plugin makes it easier to configure content-security-policy for WordPress hardening. The Header set Content-Security-Policy line forces web browsers to only load what’s specified within it. Think of CSP as a code firewall. No matter what code is in that webpage, the browser is only allowed to load what’s specified within your CSP header.

There are two steps to success with CSP: configure Content Security Policy and enable reporting for debugging and proper implementation.

Enable CSP

  1. On the left, hover over Settings and click HTTP Headers.
  2. Click the Security button.
  3. Beside Content-Security-Policy, select Edit.
  4. Click On and specify what can be loaded on your website from where.
  5. Save Changes at the bottom.
Content-Security-Policy Settings Screen
Example CSP settings with Report-Only for debugging.

Report-Only

The safest way to configure Content Security Policy is to enable Report-Only from the top of the screen. This shows elements on the website that would be blocked if the policy were enforced, without actually blocking them. You can view this in your web browser.

  1. Go to the Edit page for Content-Security-Policy.
  2. Check “Report-Only” (for reporting-only purposes) from the top of the screen.
  3. Check ‘self’ for any values you want to better secure.
  4. Save Changes at the bottom.
  5. View your website.
  6. Open your web browser’s Inspect Element feature.
  7. Check the Console tab to see what’s being flagged by CSP.
  8. Make changes as needed.

Once all errors are removed, test your site by unchecking the Report-Only option.

Chrome Console Error Messages
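The "code firewall" idea and the Report-Only workflow above, as an added example that is not part of the article or the plugin: a simplified CSP evaluator that decides whether a given sub-resource load is allowed, blocked, or merely reported, plus the .htaccess Header line for each mode. It handles the keywords, scheme sources and host sources (including *.wildcards) and ignores ports and paths; the policy and URLs are constructed samples.

```python
from urllib.parse import urlsplit


def parse_csp(header):
    """Split a CSP value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def source_matches(source, url, page_origin):
    """Simplified CSP source matching; ports and paths are ignored for brevity."""
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):                      # nonces, 'unsafe-inline' etc. govern inline code, not URLs
        return False
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):                        # scheme source such as https:
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")      # host source with optional scheme
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])
    return u.hostname == host


def check_load(header, page_origin, directive, url, report_only=False):
    """'allowed', 'blocked', or 'reported' (Report-Only: logged to the console, still loaded).
    A fetch directive that is absent falls back to default-src; with neither, nothing is restricted."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return "allowed"
    if any(source_matches(s, url, page_origin) for s in sources):
        return "allowed"
    return "reported" if report_only else "blocked"


def htaccess_line(header, report_only=False):
    """The Header directive written for the enforced vs. Report-Only header."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return f'Header set {name} "{header}"'
```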

Permissions-Policy

Permissions Policy, formerly called Feature Policy, blocks unnecessary web browser features (e.g. video autoplay, camera, MIDI, and microphone) to enhance user privacy.

  1. On the left, hover over Settings and click HTTP Headers.
  2. Click the Security button.
  3. Beside Permissions-Policy, select Edit.
  4. Click On.
  5. Check the box for each feature you’ll include in the policy, the access list, and external domains as needed:
    'none' – disabled
    'self' – allowed only from same domain
    * – allowed
    origin(s) – allowed only from the specified domains (separated by commas)
  6. Click Save Changes.
Permissions-Policy Settings Screen
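An added example (not from the article or the plugin) that turns the four per-feature choices above into the Permissions-Policy header syntax, then parses such a header to answer whether a given embedded origin may use a feature. The feature names are real Permissions-Policy features; the origins are constructed samples.

```python
def build_permissions_policy(features):
    """Serialise {feature: choice} into a Permissions-Policy value.
    choice is 'none', 'self', '*', or a list of origins (the plugin's four options)."""
    items = []
    for feature, allow in features.items():
        if allow == "none":
            items.append(f"{feature}=()")
        elif allow == "self":
            items.append(f"{feature}=(self)")
        elif allow == "*":
            items.append(f"{feature}=*")
        else:
            quoted = " ".join(f'"{o}"' for o in allow)   # origins are quoted in this syntax
            items.append(f"{feature}=({quoted})")
    return ", ".join(items)


def parse_permissions_policy(value):
    """Parse a Permissions-Policy value back into {feature: [allowlist tokens]}."""
    policy = {}
    for item in value.split(","):
        feature, _, allow = item.strip().partition("=")
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            policy[feature.strip()] = allow[1:-1].split()
        else:
            policy[feature.strip()] = [allow]            # bare * form
    return policy


def feature_allowed(value, feature, page_origin, origin):
    """True/False if the header governs `feature` for a document at `origin`
    embedded in a page from `page_origin`; None if the header does not mention it."""
    policy = parse_permissions_policy(value)
    if feature not in policy:
        return None
    for token in policy[feature]:
        if token == "*":
            return True
        if token == "self" and origin == page_origin:
            return True
        if token.strip('"') == origin:
            return True
    return False                                          # empty allowlist () disables the feature
```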

If you’d like to keep your WordPress site minimal, you can copy the HTTP headers in your .htaccess file outside of the plugin’s configured section. Then, you can remove the HTTP Headers WordPress plugin and keep the settings. However, you’d then need to manually edit the .htaccess file next time you need to make changes.

To further harden WordPress, install Block Bad Queries (BBQ) and another WordPress security suite such as Cerber Security or Wordfence. Then learn how to build a more secure WordPress website with these free cybersecurity tools.


Jacqueem Technical Writer

Technical writer focused on cybersecurity and musicianship.
