Strengthening WordPress Security with HTTP Security Headers

When running a WordPress website, one of the cheapest hardening measures available at the server level is a set of HTTP security headers. These headers instruct the visitor’s browser how to handle your site’s pages and resources, mitigating browser-side attacks such as clickjacking, MIME type sniffing, protocol downgrade and referrer leakage. A fully specified Content-Security-Policy can also mitigate cross‑site scripting (XSS); the minimal policy in this configuration does not, as explained below.

Below, we will explain each security header used in the provided configuration and show you how to add them to your WordPress site.

How to Add Security Headers in WordPress

  1. Locate Your .htaccess File
    • The .htaccess file is usually located in the root directory of your WordPress installation.
    • Access your site files via FTP/SFTP or through your hosting control panel (such as cPanel or Plesk).
    • Always create a backup of your .htaccess file before making any changes.
  2. Add the Security Header Rules to .htaccess
    Place the rules outside the block delimited by the # BEGIN WordPress and # END WordPress comments, for example directly above # BEGIN WordPress. WordPress regenerates everything between those two markers whenever the permalink settings are saved, so rules placed inside the block are silently discarded. The rules rely on Apache’s mod_headers module; wrap them in an <IfModule mod_headers.c> block so that a host without the module serves the site without the headers instead of returning a 500 error.
  3. Save and Upload
    Save the .htaccess file and upload it back to your server if you edited it locally. Clear your browser cache and reload the site. An HTTP 500 response at this point almost always means a syntax error in .htaccess: restore the backup and check the lines you added.
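The fragment below is an added example, not the article’s own code: it assembles the header names and values explained in the following sections into a .htaccess block in the form described in step 2. One value deliberately differs from the article’s list: X-XSS-Protection is set to 0 rather than 1; mode=block, because the browser XSS filter that header controlled has been removed from current browsers and the old value buys nothing. The Permissions-Policy allowlist is written with parentheses, which is the syntax the specification defines.

```apacheconf
# Security headers for WordPress.
# Place this ABOVE the "# BEGIN WordPress" line, never between
# "# BEGIN WordPress" and "# END WordPress": WordPress rewrites that block.
<IfModule mod_headers.c>
    # Rewrites http:// subresource URLs to https:// before they are fetched.
    # This is the only CSP directive here, so it offers no XSS protection.
    Header always set Content-Security-Policy "upgrade-insecure-requests"

    # The legacy browser XSS auditor no longer exists; "0" disables it
    # explicitly on the few old clients that still have one.
    Header always set X-XSS-Protection "0"

    # Only pages from this origin may frame the site (clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"

    # Browsers must trust the declared Content-Type and not guess.
    Header always set X-Content-Type-Options "nosniff"

    # Full URL as referrer same-origin, origin only cross-origin,
    # nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions-Policy allowlists are parenthesised lists.
    Header always set Permissions-Policy "geolocation=(self)"

    # HSTS is only honoured when received over HTTPS. Drop "preload" until
    # every subdomain serves valid HTTPS and you intend to submit the domain
    # at hstspreload.org; inclusion there takes months to undo.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
```

"Header always set" (rather than "Header set") makes Apache attach the headers to error responses such as 404 and 500 pages too, so an attacker cannot sidestep the policy by provoking an error. The block assumes the site already redirects plain HTTP to HTTPS; without that redirect, HSTS preload submission will be rejected.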

Explanation of Each Security Header

1. Content-Security-Policy (CSP)

Directive Used: upgrade-insecure-requests

  • Instructs the browser to rewrite http:// URLs for the page’s subresources (scripts, stylesheets, images, fonts, fetch/XHR calls) and same-origin navigations to https:// before the request is sent. Navigations to third-party sites are not upgraded.
  • This removes mixed-content warnings on a site whose content, typically older posts and media links, still references http:// URLs.
  • Note that this is the only CSP directive in the configuration. A policy consisting solely of upgrade-insecure-requests does not restrict where scripts may load from or whether inline scripts may run, so it provides no cross-site scripting protection. That requires script-src and related directives, which on WordPress need careful testing against themes and plugins that inject inline scripts.
    Impact: Upgraded requests are not retried over plain HTTP if the HTTPS version fails; they simply fail, so every host your pages reference must actually serve HTTPS.

2. X-XSS-Protection

Directive Used: 1; mode=block

  • Historically enabled the browser’s built-in reflected-XSS filter and, with mode=block, stopped rendering the page when the filter triggered instead of trying to sanitise it.
  • This header is obsolete. Chromium removed its XSS Auditor in 2019 and Firefox never implemented a filter, so current browsers ignore the header entirely. The filters were themselves a source of information-leak bugs, which is why OWASP now recommends sending X-XSS-Protection: 0 or omitting the header.
    Impact: None on modern browsers. Keep it, if at all, as X-XSS-Protection: 0 for legacy clients, and rely on a real Content-Security-Policy for XSS mitigation.

3. X-Frame-Options

Directive Used: SAMEORIGIN

  • Prevents your site from being embedded inside an <iframe>, <frame>, <embed> or <object> by a page on a different origin. Same-origin framing, which the WordPress customizer preview relies on, remains allowed.
  • The modern equivalent is the CSP directive frame-ancestors 'self', which browsers prefer when both are present; keep X-Frame-Options for older clients. The old ALLOW-FROM value is no longer supported, so if a partner site must legitimately embed your pages, list its origin in frame-ancestors instead.
    Impact: Protects against clickjacking attacks, ensuring only your own origin can frame your pages.

4. X-Content-Type-Options

Directive Used: nosniff

  • Stops browsers from MIME-sniffing a response away from the declared Content-Type, and makes them refuse <script> and stylesheet loads whose Content-Type is not a JavaScript or text/css type.
    Impact: A file in wp-content/uploads that the server labels image/png or text/plain cannot be pulled in as a script by a browser that would otherwise guess its type from its contents; the declared type is final.

5. Referrer-Policy

Directive Used: strict-origin-when-cross-origin

  • Controls how much of the current page’s URL is sent in the Referer header, both for navigations away from your site and for every subresource request (images, scripts, analytics beacons) the page makes.
    Impact: Same-origin requests still receive the full URL, so WordPress features that depend on the referrer keep working; cross-origin requests receive only the origin (https://example.com/); and nothing at all is sent when an HTTPS page requests an http:// resource. Paths and query strings, which on WordPress can contain search terms and post slugs, therefore never leak to third parties.

6. Permissions-Policy

Directive Used: geolocation=(self)

  • Specifies which browser features and APIs the page and the frames it embeds may use. Allowlists are written as a parenthesised list, geolocation=(self), which is the form the specification defines; the bare form geolocation=self is not guaranteed to parse in every browser, so use the parentheses.
  • In this case, only documents from your own origin (self) may call the Geolocation API; a cross-origin <iframe>, such as an embedded map or advert, is denied unless you grant it explicitly.
    Impact: Limits potential abuse of sensitive APIs by third-party iframes. Use geolocation=() to disable the API entirely if the site never needs it, and restrict further features (camera=(), microphone=(), payment=()) on the same principle.

7. Strict-Transport-Security (HSTS)

Directive Used: max-age=31536000; includeSubDomains; preload

  • Tells browsers that have received the header over HTTPS to rewrite every future http:// request for the domain to https:// locally, without ever sending a plaintext request. Browsers ignore the header when it arrives over plain HTTP, so the site must already redirect to HTTPS and send the header on the HTTPS response.
  • max-age=31536000 means browsers should remember this rule for one year, counted from the last response that carried the header.
  • includeSubDomains applies the rule to every subdomain, including any you do not serve over HTTPS today (a staging or webmail host, for instance); those become unreachable in browsers that have cached the policy, so verify them all first.
  • preload signals that you intend to submit the domain to the browsers’ built-in HSTS preload list at hstspreload.org, which closes the gap before a user’s first visit. Inclusion requires exactly this combination (max-age of at least one year, includeSubDomains and preload) plus an HTTP-to-HTTPS redirect, and takes months to reverse, so add the token only once HTTPS everywhere is a settled decision.
    Impact: Protects returning visitors from SSL-stripping and other downgrade attacks and turns certificate warnings into hard errors that cannot be clicked through. Until the domain is preloaded, the very first visit is still unprotected.

Testing Your Security Headers

After implementing these headers:
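As an added example that is not part of the original article, the POSIX shell script below checks a response-header dump for the six headers this article explains, reports the HSTS lifetime, and warns when X-XSS-Protection is still set to anything other than 0. The two sample responses are constructed, not captured from a real site; the hostname example.com in the usage comment is a placeholder. For a live check, pipe the output of curl -sI into it.

```sh
#!/bin/sh
# check_headers.sh - verify that a WordPress site's responses carry the
# security headers discussed in this article. Added example; the header
# list and the two sample responses below are constructed, not captured.
#
# Live use:  curl -sI https://example.com/ | sh check_headers.sh --stdin
# Demo:      sh check_headers.sh          (checks the constructed samples)

REQUIRED="content-security-policy strict-transport-security x-frame-options \
x-content-type-options referrer-policy permissions-policy"

# header_value NAME : read a header dump on stdin and print the value of the
# first header called NAME (case-insensitive); prints nothing if absent.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        /^[A-Za-z0-9-]+:/ {
            n = $0; sub(/:.*/, "", n)
            if (tolower(n) == tolower(name)) {
                sub(/^[^:]*:[ \t]*/, "")
                print
                exit
            }
        }'
}

# hsts_max_age : print the Strict-Transport-Security max-age in seconds,
# or 0 when the header is missing or carries no max-age.
hsts_max_age() {
    age=$(header_value strict-transport-security |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    echo "${age:-0}"
}

# check_headers : read a header dump on stdin, report each required header,
# warn about an obsolete X-XSS-Protection value, return 1 if any is missing.
check_headers() {
    dump=$(cat)
    rc=0
    for h in $REQUIRED; do
        v=$(printf '%s\n' "$dump" | header_value "$h")
        if [ -z "$v" ]; then
            echo "MISSING  $h"
            rc=1
        else
            echo "present  $h: $v"
        fi
    done
    xss=$(printf '%s\n' "$dump" | header_value x-xss-protection)
    if [ -n "$xss" ] && [ "$xss" != "0" ]; then
        echo "WARN     x-xss-protection is \"$xss\"; the filter no longer exists in current browsers, send 0 or drop the header"
    fi
    return $rc
}

# Constructed sample responses (not captured from a real host).
HARDENED='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(self)'

DEFAULT='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"'

case "${1:-}" in
    --stdin)
        check_headers ;;
    *)
        echo "== hardened sample =="
        printf '%s\n' "$HARDENED" | check_headers || echo "-> FAIL"
        echo "== default WordPress sample =="
        printf '%s\n' "$DEFAULT" | check_headers || echo "-> FAIL" ;;
esac
```

Run it against the home page, a post, a 404 URL and the login page separately: a host that sets headers only on successful responses, or a caching layer that strips them, shows up as a MISSING line on one of those while the others pass.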

Final Thoughts

By adding the above headers you raise the baseline security of your WordPress website. Each header serves a specific purpose, and together they tell browsers how to handle your content in a secure and predictable manner: no framing by other origins, no MIME guessing, no referrer leakage to third parties and no plaintext connections for returning visitors. Bear in mind what they do not do: response headers cannot fix a vulnerable plugin, a weak administrator password or a server-side flaw in the application itself, and the minimal Content-Security-Policy used here does not stop XSS.

For best results, always keep your WordPress core, themes, and plugins updated and complement these headers with other security measures such as a Web Application Firewall (WAF) and regular backups.