🔒 WordPress Security Headers – A Simple Guide to Making Your Website Safer

Security headers are an essential layer of defence against attacks like **cross-site scripting (XSS), clickjacking, and code injection**. In this guide, we’ll cover how to implement important security headers on your WordPress website.

📌 What Are Security Headers?

Security headers instruct browsers on how to handle your website’s content securely. They protect against common cyber threats by enforcing security policies.

📌 How to Implement Security Headers in WordPress

You can add security headers using:

Editing the .htaccess file (for Apache servers)
Modifying the nginx.conf file (for NGINX servers)
Using a WordPress security plugin
Adding custom PHP functions in functions.php

📌 Important Security Headers

1️⃣ Content Security Policy (CSP)

Prevents the execution of malicious scripts by restricting the sources of content.

Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusteddomain.com;"

2️⃣ X-Frame-Options

Prevents **clickjacking attacks** by blocking your site from being embedded in iframes.

Header always set X-Frame-Options "SAMEORIGIN"

3️⃣ X-Content-Type-Options

Stops browsers from interpreting files as something else than declared (MIME sniffing).

Header always set X-Content-Type-Options "nosniff"

4️⃣ Strict-Transport-Security (HSTS)

Forces browsers to only connect using **HTTPS**, preventing man-in-the-middle attacks.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

5️⃣ Referrer-Policy

Controls how much referrer information is sent with requests.

Header always set Referrer-Policy "no-referrer-when-downgrade"

6️⃣ Permissions-Policy

Restricts browser features like camera, microphone, and geolocation.

Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

📌 Adding Security Headers in WordPress

✅ Method 1: Using .htaccess (Apache)

Edit your .htaccess file and add:

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>

✅ Method 2: Using Nginx

Add these lines to your nginx.conf file:

server {
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
}

✅ Method 3: Using a WordPress Plugin

Install a plugin like:

Security Headers Plugin
HTTP Headers
Really Simple SSL

✅ Method 4: Adding via functions.php

You can also add headers using PHP:

function add_security_headers() {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    header("X-Frame-Options: SAMEORIGIN");
    header("X-Content-Type-Options: nosniff");
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
    header("Referrer-Policy: no-referrer-when-downgrade");
    header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
}
add_action('send_headers', 'add_security_headers');

📌 How to Test Security Headers

After adding the headers, test them using:

🔹 https://securityheaders.com/
🔹 Browser Developer Tools (Network → Headers)
🔹 curl -I https://yourwebsite.com

✅ Conclusion

Implementing security headers is an easy way to strengthen WordPress security. By adding them via .htaccess, nginx.conf, or plugins, you can reduce vulnerabilities and protect user data.

Have questions? Let me know! 🚀

Top 18 Best Web Hosting Services In 2024: Despite there are multiple web hosting providers available in the market, choosing the best one is really a hard nut to crack!! Because almost all service providers are offering their services with the same features and quality.
How to start your own Crypto currency website: For a cryptocurrency news website, choosing the right Content Management System (CMS) is crucial for managing content effectively, ensuring security, and providing a great user experience. Here are some of the best CMS options tailored for such a site, each with its unique strengths:
The Evolution of Coffee Brewing Methods: A Historical Perspective: Coffee has been brewed and enjoyed for centuries, with various methods evolving over time to create the perfect cup of joe. From early methods like the Ibrik method and coffee pots for coffee houses to modern technologies like the AeroPress and Hario V60, the world of coffee brewing has come a long way.
Stop WordPress from Creating Extra Cropped Image Sizes: Whenever you upload an image to your WordPress site through the media library, it automatically creates and stores multiple additional versions of that image. If your site doesn’t utilize these extra image sizes, they will consume valuable storage space and increase the size of your server backups.
Explain WordPress Portfolio and how to created them: WordPress portfolios are digital showcases for individuals or businesses to display their work, projects, or professional accomplishments. This feature is particularly useful for creatives, freelancers, and agencies looking to exhibit their skills or services in a visually appealing and organized manner. Portfolios in WordPress can be created using various methods, including themes that come with built-in portfolio functionalities, plugins that add portfolio features, or custom coding for a more personalized approach.
15 Essential WordPress Plugins For Every Site: Plugins are essential for every type of website, as they provide additional features and customization options that are not available in the core WordPress platform. A study by CodeinWP found that the average WordPress site has 20 active plugins, indicating the importance of plugins in website development.
SAILING and YACHTING: Awesome Sailing Vlogs for the Enthusiast
Comparing Google and Microsoft’s Success in Capitalizing on Generative AI: The buzz of interest in AI services helped drive revenue for Microsoft’s biggest unit, cloud services—up by 7 percentage points compared to a year ago—and Microsoft’s overall sales rose 17 percent to nearly $62 billion. It also gained cloud market share, Nadella added. The number of $100 million cloud deals that Microsoft landed increased 80 percent during the quarter compared to the same period a year ago, and $10 million deals doubled.
The Best WordPress Hosting Solution in Australia: Each of our WordPress hosting solutions are fine-tuned, blazing fast and are ready for you! Starting a WordPress website has never been easier with our free 1-click WordPress installation, enterprise-grade security and an assortment of tutorials and helpful guides to get you started, all backed by our 99.9% uptime guarantee.
Elementor vs Beaver Builder: A Comparison of Design Flexibility and Performance in WordPress: Elementor and Beaver Builder are two of the most widely recognized options, each providing distinct features that cater to varying user requirements. This article conducts a comprehensive comparison of these tools, examining their design flexibility, performance metrics, and overall user experience.
The Best Contact Form Plugins for WordPress to Easily Manage User Inquiries: In an effort to improve user interactions on WordPress websites hosting, the examination of contact form plugins becomes essential. This article aims to present an overview of the top 5 contact form plugins available for WordPress, highlighting their features and pricing structures to facilitate an well-considered choices process.
What are the 20 best Joomla plugins: Joomla plugins are small, task-specific extensions that enhance or modify the core functionality of a Joomla website. They operate as event-driven scripts, listening for specific “events” triggered by Joomla or its components and executing corresponding actions. Plugins are a crucial part of Joomla’s extensibility, allowing developers to add features or customise behaviour without altering the core Joomla code.
How to design a strong off-page SEO strategy: Lessons learnt from earning over 50,000 contextual links for thousands of websites in the toughest niches. In 2023, virtually every business that has a website is prioritizing their investment in SEO. The reason being, amidst the chaos of the current year, customers are resorting to online channels for safe purchasing, and optimizing their online presence is a surefire way to gain an edge over rivals. While some firms have set up internal teams, and others have hired external agencies to boost their search engine rankings, a documented off-page SEO strategy is still a rarity among most businesses.
What are WordPress Plugins? WordPress plugins are modular pieces of software that can be added to a WordPress site to extend or enhance its functionality without modifying the core WordPress code. They allow website owners to add features, improve performance, and customise the behaviour of their websites easily, catering to a wide range of needs, from SEO and security to e-commerce and design enhancements.