{"id":60973,"date":"2020-09-29T12:08:25","date_gmt":"2020-09-29T16:08:25","guid":{"rendered":"https:\/\/www.inmotionhosting.com\/support\/?p=60973"},"modified":"2023-10-13T09:48:26","modified_gmt":"2023-10-13T13:48:26","slug":"http-headers-security","status":"publish","type":"post","link":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/","title":{"rendered":"HTTP Headers WordPress Plugin for Better Security"},"content":{"rendered":"<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/wordpress-http-headers-1024x538.jpg\" alt=\"HTTP Headers - WordPress security plugin\" class=\"wp-image-94584\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/wordpress-http-headers-1024x538.jpg 1024w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/wordpress-http-headers-300x158.jpg 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/wordpress-http-headers-768x403.jpg 768w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/wordpress-http-headers.jpg 1200w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 80px)\" \/><\/figure>\n\n\n\n<p>The HTTP Headers WordPress plugin allows <a href=\"https:\/\/www.inmotionhosting.com\/wordpress-hosting\">WordPress Hosting<\/a> administrators to create and manage HTTP headers to improve security, privacy, and performance for visitors without needing to manually edit the .htaccess file. 
This is useful for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reducing the risk of syntax mistakes in the .htaccess file that render the website inaccessible with a <a href=\"https:\/\/www.inmotionhosting.com\/support\/website\/error-numbers\/500-internal-server-error\/\">500 error<\/a><\/li>\n\n\n\n<li>Environments where you\u2019re unable to access raw server files via cPanel, FTP, or Secure Shell (SSH)<\/li>\n\n\n\n<li>Learning rarely discussed methods to help improve user experience (UX)<\/li>\n<\/ul>\n\n\n\n<p>In this article, we\u2019ll discuss the most popular HTTP security headers available within the HTTP Headers WordPress plugin that can help you provide better security and privacy for visitors.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#install\">Install HTTP Headers WordPress Plugin<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"#hsts\">HTTP Strict Transport Security (HSTS)<\/a><\/li>\n\n\n\n<li><a href=\"#refer\">Referrer Policy<\/a><\/li>\n\n\n\n<li><a href=\"#xframe\">X-Frame-Options<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"#csp\">Content Security Policy (CSP)<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"#enable-csp\">Enable CSP<\/a><\/li>\n\n\n\n<li><a href=\"#report\">CSP Report-Only<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"#permissions\">Permissions Policy<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"#tips\">WordPress Security Tips<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install\">Install HTTP Headers WordPress Plugin<\/h2>\n\n\n\n<ol class=\"article_list wp-block-list\">\n<li>Install and activate the <a rel=\"noreferrer noopener\" href=\"https:\/\/wordpress.org\/plugins\/http-headers\/\" target=\"_blank\">HTTP Headers WordPress plugin<\/a> using your WordPress dashboard or WP-CLI.<\/li>\n\n\n\n<li><a 
href=\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/logging-into-wordpress-dashboard\/\">Log into your WordPress dashboard<\/a>.<\/li>\n\n\n\n<li>On the left, hover over <strong>Settings<\/strong> and click <strong>HTTP Headers<\/strong> to get started.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hsts\">HTTP Strict Transport Security (HSTS)<\/h3>\n\n\n\n<p>You can add HTTP Strict Transport Security (HSTS) in your .htaccess file to ensure your WordPress content is encrypted when it reaches visitors. This forces web browsers that support HSTS to only load your website using a secure (HTTPS) connection.<\/p>\n\n\n\n<p class=\"alert alert-warning\">You must have a valid paid, or free, SSL certificate installed on your website at all times when HSTS is enabled, or your website will become inaccessible.<\/p>\n\n\n\n<ol class=\"article_list wp-block-list\">\n<li>On the left, hover over <strong>Settings<\/strong> and click <strong>HTTP Headers<\/strong>.<\/li>\n\n\n\n<li>Click the <strong>Security <\/strong>button.<\/li>\n\n\n\n<li>Beside <strong>Strict-Transport-Security<\/strong>, click <strong>Edit<\/strong>.<\/li>\n\n\n\n<li>Select the <strong>On<\/strong> radio button.<\/li>\n\n\n\n<li>Specify the following:<br>     <strong>max-age<\/strong> \u2013 How long the header should be active<br>     <strong>includeSubDomains<\/strong> \u2013 Whether to apply HSTS to subdomains<br>     <strong>preload<\/strong> \u2013 Authorize preload listing (if eligible and desired)<\/li>\n\n\n\n<li>Click <strong>Save Changes<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Security<\/strong> at the top to return to the security options.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"397\" data-id=\"48994\" 
src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-1024x397.png\" alt=\"Strict-Transport-Security Settings Screen\" class=\"wp-image-48994\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-1024x397.png 1024w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-300x116.png 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-768x298.png 768w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts.png 1084w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 80px)\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"504\" data-id=\"48993\" src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-enabled-1024x504.png\" alt=\"Review Security Settings Screen\" class=\"wp-image-48993\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-enabled-1024x504.png 1024w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-enabled-300x148.png 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-enabled-768x378.png 768w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/10\/http-headers-hsts-enabled.png 1513w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 80px)\" \/><\/figure>\n<\/figure>\n\n\n\n<p class=\"alert alert-info\">Cloudflare content delivery network (CDN) users can save server resources by enabling HSTS in Cloudflare.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"refer\">Referrer Policy<\/h3>\n\n\n\n<p>The referrer-policy header controls what information is sent through the 
<code>Referer<\/code> header with URI requests. This prevents URLs with sensitive information from showing up in web analytics software logs, which can later be intercepted and used in cyber attacks. For example, clicking links on a password reset page could send user credentials within the referrer URL.<\/p>\n\n\n\n<ol class=\"article_list wp-block-list\">\n<li>On the left, hover over <strong>Settings<\/strong> and click <strong>HTTP Headers<\/strong>.<\/li>\n\n\n\n<li>Click the <strong>Security <\/strong>button.<\/li>\n\n\n\n<li>Beside <strong>Referrer-Policy<\/strong>, select <strong>Edit<\/strong>.<\/li>\n\n\n\n<li>Click the <strong>On<\/strong> button.<\/li>\n\n\n\n<li>Choose a policy option from the drop-down menu:<br>     <strong>empty string<\/strong> \u2013 No preference<br>     <strong>no-referrer<\/strong> \u2013 No referrer info sent<br>     <strong>no-referrer-when-downgrade<\/strong> \u2013 Full URL sent unless leaving an HTTPS page for an HTTP page (default behavior if no policy specified)<br>     <strong>same-origin<\/strong> \u2013 Only origin (root domain \u2013 e.g. example.com instead of example.com\/privacy-policy) for within the same site<br>     <strong>origin<\/strong> \u2013 Only origin<br>     <strong>strict-origin<\/strong> \u2013 Origin only when protocol security level is the same (e.g. HTTPS to HTTPS)<br>     <strong>origin-when-cross-origin<\/strong> \u2013 Full URL for within the same site, but only origin for others<br>     <strong>strict-origin-when-cross-origin<\/strong> \u2013 Full URL when within site, only origin when protocol security level is the same (e.g. 
HTTPS to HTTPS), and no info from HTTPS to HTTP<br>     <strong>unsafe-url<\/strong> \u2013 Full URL (not recommended)<\/li>\n\n\n\n<li><strong>Save Changes<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"907\" height=\"472\" src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-referrer-policy.png\" alt=\"Referrer-Policy Settings Screen\" class=\"wp-image-50512\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-referrer-policy.png 907w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-referrer-policy-300x156.png 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-referrer-policy-768x400.png 768w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 80px)\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"xframe\">X-Frame-Options<\/h3>\n\n\n\n<p>X-Frame-Options specifies whether your WordPress website can be displayed within other websites with <code>&lt;frame&gt;<\/code>, <code>&lt;iframe&gt;, &lt;object&gt;<\/code>, or <code>&lt;embed&gt;<\/code> tags. 
Enabling this feature will create a <code>Header set X-Frame-Options \"[OPTION]\"<\/code> line within your .htaccess file for security against clickjacking.<\/p>\n\n\n\n<ol class=\"article_list wp-block-list\">\n<li>In the WordPress dashboard, hover over <strong>Settings<\/strong> and click <strong>HTTP Headers<\/strong>.<\/li>\n\n\n\n<li>Click the <strong>Security <\/strong>button.<\/li>\n\n\n\n<li>Beside <strong>X-Frame-Options<\/strong>, click <strong>Edit<\/strong>.<\/li>\n\n\n\n<li>Click <strong>On<\/strong> and specify an option from the drop-down menu:<br>     <strong>DENY<\/strong> \u2013 webpages cannot be displayed in a frame<br>     <strong>SAMEORIGIN<\/strong> \u2013 webpages can be framed <em>only by pages on the same origin<\/em><br>     <strong>ALLOW-FROM<\/strong> \u2013 webpages can be framed <em>only by the specified URI<\/em>; doesn\u2019t work in newer browsers<\/li>\n\n\n\n<li>Click <strong>Save Changes<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Security<\/strong> at the top to return to the security options. 
You\u2019ll see your specified option on the <em>X-Frame-Options<\/em> line.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"834\" height=\"366\" src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-x-frame-options.png\" alt=\"X-Frame-Options Settings Screen\" class=\"wp-image-53417\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-x-frame-options.png 834w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-x-frame-options-300x132.png 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-x-frame-options-768x337.png 768w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 80px)\" \/><\/figure>\n\n\n\n<p class=\"alert alert-warning\">Mozilla recommends using the superseding Content Security Policy <code>frame-ancestors<\/code> attribute instead of X-Frame-Options when possible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"csp\">Content Security Policy (CSP)<\/h2>\n\n\n\n<p>The HTTP Headers WordPress plugin makes it easier to configure <code>content-security-policy<\/code> for WordPress hardening. The <code>Header set Content-Security-Policy<\/code> line forces web browsers to only load what\u2019s specified within it. Think of CSP as a <em>code firewall<\/em>. 
No matter what code is in that webpage, the browser is only allowed to load what\u2019s specified within your CSP header.<br><br>There are two steps to success with CSP: configure Content Security Policy and enable reporting for debugging and proper implementation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enable-csp\">Enable CSP<\/h3>\n\n\n\n<ol class=\"article_list wp-block-list\">\n<li>On the left, hover over <strong>Settings<\/strong> and click <strong>HTTP Headers<\/strong>.<\/li>\n\n\n\n<li>Click the <strong>Security <\/strong>button.<\/li>\n\n\n\n<li>Beside <strong>Content-Security-Policy<\/strong>, select <strong>Edit<\/strong>.<\/li>\n\n\n\n<li>Click <strong>On<\/strong> and specify what can be loaded on your website from where.<\/li>\n\n\n\n<li><strong>Save Changes<\/strong> at the bottom.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"928\" src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-csp-report-only-self-1-1024x928.png\" alt=\"Content-Security-Policy Settings Screen\" class=\"wp-image-50218\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-csp-report-only-self-1-1024x928.png 1024w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-csp-report-only-self-1-300x272.png 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-csp-report-only-self-1-768x696.png 768w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/11\/http-headers-csp-report-only-self-1.png 1108w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 80px)\" \/><figcaption class=\"wp-element-caption\">Example CSP settings with Report-Only for debugging.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"report\">CSP Report-Only<\/h3>\n\n\n\n<p>The safest 
way to configure Content Security Policy is to enable <strong>Report-Only<\/strong> from the top of the screen. This shows elements on the website that wouldn\u2019t be loaded if CSP was enabled <em>and enforced<\/em>. You can view this in your web browser.<\/p>\n\n\n\n<ol class=\"article_list wp-block-list\">\n<li>Go to the <strong>Edit<\/strong> page for Content-Security-Policy.<\/li>\n\n\n\n<li>Check <strong>\u201cReport-Only\u201d (for reporting-only purposes)<\/strong> from the top of the screen.<\/li>\n\n\n\n<li>Check <strong>\u2018self\u2019<\/strong> for any values you want to better secure.<\/li>\n\n\n\n<li><strong>Save Changes<\/strong> at the bottom.<\/li>\n\n\n\n<li>View your website.<\/li>\n\n\n\n<li>Open your web browser\u2019s <strong>Inspect Element<\/strong> feature.<\/li>\n\n\n\n<li>Check the <strong>Console<\/strong> tab to see what\u2019s being flagged by CSP.<\/li>\n\n\n\n<li>Make changes as needed.<\/li>\n<\/ol>\n\n\n\n<p>Once all errors and warnings are removed, test your site by unchecking the <strong>Report-Only<\/strong> option.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"495\" src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-csp-inspect-element-1024x495.png\" alt=\"Chrome Console Error Messages\" class=\"wp-image-50220\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-csp-inspect-element-1024x495.png 1024w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-csp-inspect-element-300x145.png 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-csp-inspect-element-768x371.png 768w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2019\/12\/http-headers-csp-inspect-element.png 1279w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 
80px)\" \/><\/figure>\n\n\n\n<p>CSP attributes and related tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>require-sri-for<\/code> \u2013 <a aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" href=\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/subresource-integrity-sri-wordpress\/\" target=\"_blank\">Subresource Integrity (SRI) Manager WordPress plugin<\/a><\/li>\n\n\n\n<li><code>block-all-mixed-content<\/code> and <code>upgrade-insecure-requests<\/code> \u2013 <a rel=\"noreferrer noopener\" href=\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/how-to-install-wp-really-simple-ssl-plugin\/\" target=\"_blank\">Really Simple SSL WordPress plugin<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"permissions\">Permissions-Policy<\/h2>\n\n\n\n<p>Permissions Policy, formerly called <em>Feature Policy<\/em>, blocks unnecessary web browser features (e.g. video autoplay, camera, <abbr title=\"Musical Instrument Digital Interface\">MIDI<\/abbr>, and microphone) to enhance user privacy.<\/p>\n\n\n\n<ol class=\"article_list wp-block-list\">\n<li>On the left, hover over <strong>Settings<\/strong> and click <strong>HTTP Headers<\/strong>.<\/li>\n\n\n\n<li>Click the <strong>Security <\/strong>button.<\/li>\n\n\n\n<li>Beside <strong>Permissions-Policy<\/strong>, select <strong>Edit<\/strong>.<\/li>\n\n\n\n<li>Click <strong>On<\/strong>.<\/li>\n\n\n\n<li>Check the box for each feature you\u2019ll include in the policy, the access list, and external domains as needed:<br>     <code>'none'<\/code> \u2013 disabled<br>     <code>'self'<\/code> \u2013 allowed only from same domain<br>     <code>*<\/code> \u2013 allowed<br>     <code>origin(s)<\/code> \u2013 allowed only from specified domains (separated by a comma)<\/li>\n\n\n\n<li>Click <strong>Save Changes<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"780\" 
src=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-permissions-policy-1024x780.png\" alt=\"Permissions-Policy Settings Screen\" class=\"wp-image-60980\" srcset=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-permissions-policy-1024x780.png 1024w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-permissions-policy-300x228.png 300w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-permissions-policy-768x585.png 768w, https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-permissions-policy.png 1178w\" sizes=\"auto, (min-width: 1360px) 876px, (min-width: 960px) calc(61.58vw + 51px), calc(100vw - 80px)\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"tips\">WordPress Security Tips<\/h3>\n\n\n\n<p>You can test your website security with third party security scanners, including Observatory.Mozilla.org and SecurityHeaders.com.<\/p>\n\n\n\n<p>If you\u2019d like to keep your WordPress site minimal, you can copy the HTTP headers in your .htaccess file outside of the plugin\u2019s configuration section. Then, you can remove the HTTP Headers plugin and keep the settings. However, you\u2019d then need to manually edit the .htaccess file next time you need to make changes.<\/p>\n\n\n\n<p>To further harden WordPress, install Block Bad Queries (BBQ) and a WordPress security suite such as Cerber Security or Wordfence. 
Then learn how to build a more secure WordPress website with these <a href=\"https:\/\/www.inmotionhosting.com\/blog\/8-free-cybersecurity-tools-to-secure-your-server\/\">free cybersecurity tools<\/a>.<\/p>\n\n\n<p>Become a master of <a href=\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/\">WordPress plugins<\/a>! 
Protect, optimize, secure, and expand the functionality of your website easily with the help of WordPress plugins!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The HTTP Headers WordPress plugin allows WordPress Hosting administrators to create and manage HTTP headers to improve security, privacy, and performance for visitors without needing to manually edit the .htaccess file. This is useful for: In this article, we&#8217;ll discuss the most popular HTTP security headers available within the HTTP Headers WordPress plugin that can<a class=\"moretag\" href=\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/\"> Read More ><\/a><\/p>\n","protected":false},"author":57014,"featured_media":61179,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4379],"tags":[],"class_list":["post-60973","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-plugins"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to Use the HTTP Headers WordPress Plugin for Better Security<\/title>\n<meta name=\"description\" content=\"Learn how to use the HTTP Headers WordPress plugin to improve website security and privacy without needing to manually edit your .htaccess file.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Use the HTTP Headers WordPress Plugin for Better Security\" \/>\n<meta 
property=\"og:description\" content=\"Learn how to use the HTTP Headers WordPress plugin to improve website security and privacy without needing to manually edit your .htaccess file.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/\" \/>\n<meta property=\"og:site_name\" content=\"InMotion Hosting Support Center\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/inmotionhosting\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-09-29T16:08:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-13T13:48:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"InMotion Hosting Contributor\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/InMotionHosting\" \/>\n<meta name=\"twitter:site\" content=\"@InMotionHosting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"InMotion Hosting Contributor\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/\"},\"author\":{\"name\":\"InMotion Hosting Contributor\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644\"},\"headline\":\"HTTP Headers WordPress Plugin for Better Security\",\"datePublished\":\"2020-09-29T16:08:25+00:00\",\"dateModified\":\"2023-10-13T13:48:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/\"},\"wordCount\":1142,\"commentCount\":8,\"publisher\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg\",\"articleSection\":[\"WordPress Plugins\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/\",\"name\":\"How to Use the HTTP Headers WordPress Plugin for Better 
Security\",\"isPartOf\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg\",\"datePublished\":\"2020-09-29T16:08:25+00:00\",\"dateModified\":\"2023-10-13T13:48:26+00:00\",\"description\":\"Learn how to use the HTTP Headers WordPress plugin to improve website security and privacy without needing to manually edit your .htaccess file.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#primaryimage\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg\",\"contentUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg\",\"width\":1200,\"height\":630,\"caption\":\"HTTP Headers WordPress Plugin for Security\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.inmotionhosting.com\/support\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HTTP Headers WordPress Plugin for Better 
Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#website\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/\",\"name\":\"InMotion Hosting Support Center\",\"description\":\"Web Hosting Support &amp; Tutorials\",\"publisher\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\",\"name\":\"InMotion Hosting\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg\",\"contentUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg\",\"width\":696,\"height\":696,\"caption\":\"InMotion Hosting\"},\"image\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/inmotionhosting\/\",\"https:\/\/x.com\/InMotionHosting\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644\",\"name\":\"InMotion Hosting Contributor\",\"description\":\"InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online 
goals!\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/inmotion-hosting\/\",\"https:\/\/x.com\/https:\/\/twitter.com\/InMotionHosting\"],\"url\":\"https:\/\/www.inmotionhosting.com\/support\/author\/inmotion-hosting-contributor\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Use the HTTP Headers WordPress Plugin for Better Security","description":"Learn how to use the HTTP Headers WordPress plugin to improve website security and privacy without needing to manually edit your .htaccess file.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/","og_locale":"en_US","og_type":"article","og_title":"How to Use the HTTP Headers WordPress Plugin for Better Security","og_description":"Learn how to use the HTTP Headers WordPress plugin to improve website security and privacy without needing to manually edit your .htaccess file.","og_url":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/","og_site_name":"InMotion Hosting Support Center","article_publisher":"https:\/\/www.facebook.com\/inmotionhosting\/","article_published_time":"2020-09-29T16:08:25+00:00","article_modified_time":"2023-10-13T13:48:26+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg","type":"image\/jpeg"}],"author":"InMotion Hosting Contributor","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/InMotionHosting","twitter_site":"@InMotionHosting","twitter_misc":{"Written by":"InMotion Hosting Contributor","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#article","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/"},"author":{"name":"InMotion Hosting Contributor","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644"},"headline":"HTTP Headers WordPress Plugin for Better Security","datePublished":"2020-09-29T16:08:25+00:00","dateModified":"2023-10-13T13:48:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/"},"wordCount":1142,"commentCount":8,"publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg","articleSection":["WordPress Plugins"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/","url":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/","name":"How to Use the HTTP Headers WordPress Plugin for Better 
Security","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#primaryimage"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg","datePublished":"2020-09-29T16:08:25+00:00","dateModified":"2023-10-13T13:48:26+00:00","description":"Learn how to use the HTTP Headers WordPress plugin to improve website security and privacy without needing to manually edit your .htaccess file.","breadcrumb":{"@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#primaryimage","url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg","contentUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg","width":1200,"height":630,"caption":"HTTP Headers WordPress Plugin for Security"},{"@type":"BreadcrumbList","@id":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/http-headers-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inmotionhosting.com\/support\/"},{"@type":"ListItem","position":2,"name":"HTTP Headers WordPress Plugin for Better 
Security"}]},{"@type":"WebSite","@id":"https:\/\/www.inmotionhosting.com\/support\/#website","url":"https:\/\/www.inmotionhosting.com\/support\/","name":"InMotion Hosting Support Center","description":"Web Hosting Support &amp; Tutorials","publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.inmotionhosting.com\/support\/#organization","name":"InMotion Hosting","url":"https:\/\/www.inmotionhosting.com\/support\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/","url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","contentUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","width":696,"height":696,"caption":"InMotion Hosting"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inmotionhosting\/","https:\/\/x.com\/InMotionHosting"]},{"@type":"Person","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644","name":"InMotion Hosting Contributor","description":"InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online 
goals!","sameAs":["https:\/\/www.linkedin.com\/company\/inmotion-hosting\/","https:\/\/x.com\/https:\/\/twitter.com\/InMotionHosting"],"url":"https:\/\/www.inmotionhosting.com\/support\/author\/inmotion-hosting-contributor\/"}]}},"jetpack_featured_media_url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2020\/09\/http-headers-wordpress-plugin.jpg","jetpack_sharing_enabled":true,"primary_category":{"id":4379,"name":"WordPress Plugins","slug":"plugins","link":"https:\/\/www.inmotionhosting.com\/support\/edu\/wordpress\/plugins\/"},"_links":{"self":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/60973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/users\/57014"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/comments?post=60973"}],"version-history":[{"count":21,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/60973\/revisions"}],"predecessor-version":[{"id":107155,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/60973\/revisions\/107155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/media\/61179"}],"wp:attachment":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/media?parent=60973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/categories?post=60973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/tags?post=60973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}