Updated: September 14, 2020 by Agnes Talalaev
WordPress security headers (HTTP security headers) protect applications from frequent and common attacks without the need to add or change your application's code.
Website or web application security has multiple aspects that need focus and work, and adding security headers is a good place to start.
Security headers are another layer of security for your WordPress site: they help mitigate attacks and protect against various vulnerabilities, and they are easy to add without a lot of technical skill.
In this blog post, we will guide you through the different types of security headers and help you add them to your WordPress site to make it more secure.
If you use WebARX, you can enable the “Add security headers” option on the WebARX hardening tab. (It only works with sites run on Apache, because it requires .htaccess.) Check how to do that here.
HTTP security headers are designed to keep modern web browsers from running into security vulnerabilities. Below you will find the HTTP response headers related to security and how to add security h
HTTP Strict Transport Security (HSTS) allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
Example:
Strict-Transport-Security: {parameter1}; {parameter2}
max-age: sets the time, in seconds, for which the browser remembers that this site is only to be accessed using HTTPS.
includeSubDomains: an optional parameter that applies the rule to all of the site's subdomains as well.
You can add the HSTS security header to a WordPress site by adding a few lines to the Apache .htaccess file or to the nginx.conf file. The snippets for both server types are below. The header only takes effect when the browser receives it over HTTPS, which is why the Apache example sits in the port 443 virtual host.
Apache Configuration (virtual host shown; inside .htaccess use only the Header line, since VirtualHost is not allowed there)
<VirtualHost 192.168.1.1:443>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
NGINX Configuration
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
X-Frame-Options protects visitors against clickjacking attacks. Using an iframe, the content of your site could be loaded inside another website.
This could be abused maliciously when visitors click on a link they believe to be harmless when actually they’re navigating inside your website. This can be highly dangerous when the user has previously logged in to a restricted area on your site.
Example:
X-Frame-Options: {parameter}
deny: completely denies rendering within a frame.
sameorigin: denies rendering if the framing page's origin does not match the page's own origin.
allow-from {uri}: allows rendering only if the page is framed by a frame loaded from the specified origin.
You can add the X-Frame-Options security header to your WordPress site by configuring the .htaccess file (Apache). With NGINX you need to edit the nginx.conf file. Setting sameorigin is recommended.
Apache Configuration
<IfModule mod_headers.c>
# "set" rather than "append": appended values are merged into one comma-separated header, which browsers reject
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
NGINX Configuration
add_header X-Frame-Options "SAMEORIGIN" always;
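To make the three values concrete, here is a small model of the decision a browser makes when it receives the X-Frame-Options header for a page loaded inside a frame. This is an added example, not code from the original post or from WebARX; the URLs and the `framing_allowed` / `origin_of` names are constructed for illustration. It follows current browser behaviour for deny and sameorigin (every ancestor frame is checked, not only the direct parent) and implements allow-from as the post describes it, which current browsers no longer support.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its origin (scheme://host[:port]); default ports are dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == {"http": 80, "https": 443}.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def framing_allowed(header_value, page_url, ancestor_urls):
    """Model of the browser's X-Frame-Options check for a page loaded in a frame.

    header_value  -- value of the page's X-Frame-Options header, or None if absent
    page_url      -- URL of the framed page
    ancestor_urls -- URLs of the frames above it, innermost parent first, top window last
    Returns (allowed, reason).
    """
    if header_value is None:
        return True, "no X-Frame-Options header: any site may frame this page"

    value = " ".join(header_value.split()).lower()   # collapse whitespace, ignore case
    page_origin = origin_of(page_url)
    ancestors = [origin_of(u) for u in ancestor_urls]

    if value == "deny":
        return False, "deny: the page is never rendered inside a frame"

    if value == "sameorigin":
        # Browsers check every ancestor, not only the direct parent, so a same-origin
        # frame nested inside a foreign page is still blocked.
        foreign = [a for a in ancestors if a != page_origin]
        if foreign:
            return False, f"sameorigin: ancestor {foreign[0]} is not {page_origin}"
        return True, "sameorigin: every ancestor frame shares the page's origin"

    if value.startswith("allow-from "):
        # Legacy directive as the post describes it: only the listed origin may be the
        # top-level window. Current browsers do not support it and ignore the header.
        allowed = origin_of(value[len("allow-from "):])
        if ancestors and ancestors[-1] == allowed:
            return True, f"allow-from: top window {allowed} is the listed origin"
        return False, f"allow-from: top window is not {allowed}"

    # Anything else is not a valid value; browsers ignore the header entirely.
    return True, f"unrecognized value {header_value!r}: header ignored, framing allowed"


if __name__ == "__main__":
    # Constructed sample: a WordPress login page framed by various parents.
    page = "https://blog.example/wp-login.php"
    cases = [("DENY", ["https://blog.example/"]),
             ("SAMEORIGIN", ["https://blog.example/"]),
             ("SAMEORIGIN", ["https://blog.example/", "https://other.example/"]),
             (None, ["https://other.example/"])]
    for header, chain in cases:
        print(header, chain, framing_allowed(header, page, chain))
```

The nested case is the one worth remembering: with sameorigin, a frame from your own site that is itself embedded in someone else's page is blocked, which is exactly the clickjacking layout the header exists to stop.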
The X-XSS-Protection security header lets you configure the XSS protection mechanism found in popular web browsers. As an example, this could prevent session cookie stealing through a persistent XSS attack when a logged-in visitor opens a page containing an XSS payload.
Example:
X-XSS-Protection: {parameter1}; {parameter2}
0: disables the filter.
1: enables the filter.
1; mode=block: enables the filter with the 1 parameter and, with mode=block, additionally stops the page from rendering when an attack is detected.
1; report=https://your-report-url/: enables the filter with the 1 parameter and, with report=, sends a report of each detected attack to the given URL.
You can add the X-XSS-Protection security header to your WordPress site by configuring the .htaccess file (Apache). With NGINX you need to edit the nginx.conf file.
Apache Configuration
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
NGINX Configuration
add_header X-XSS-Protection "1; mode=block" always;
Setting the X-Content-Type-Options header prevents the browser from interpreting files as something other than what the Content-Type header declares. It has a lot of configuration options and potential parameters, but the most common parameter used is nosniff.
Example:
X-Content-Type-Options: nosniff
You can add the X-Content-Type-Options security header to your WordPress site by configuring the .htaccess file (Apache). With NGINX you need to edit the nginx.conf file.
Apache Configuration
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>
NGINX Configuration
add_header X-Content-Type-Options "nosniff" always;
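After editing .htaccess or nginx.conf, the practical question is whether the headers actually reach the browser. The following added example (not part of the original post and not WebARX code) audits a captured HTTP response against the HSTS, X-Frame-Options, X-XSS-Protection and X-Content-Type-Options recommendations above. The two responses are constructed samples in the shape `curl -i` prints; the `parse_response_headers` and `audit_headers` names are assumptions. X-XSS-Protection is checked because the post recommends it, though current browsers have dropped the filter it controls.

```python
import re

# Constructed sample responses (what `curl -i` prints), not captures from a real site.
SAMPLE_GOOD = """HTTP/1.1 200 OK
Date: Mon, 14 Sep 2020 10:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html><title>ok</title>"""

SAMPLE_WEAK = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=86400
x-frame-options: ALLOW-FROM https://partner.example/
X-XSS-Protection: 0
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html><title>weak</title>"""

ONE_YEAR = 31536000  # the max-age value used in the post's HSTS snippets


def parse_response_headers(raw: str) -> dict:
    """Map lower-cased header names to values for the header block of a raw response."""
    head = raw.replace("\r", "").split("\n\n", 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:          # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return headers


def audit_headers(headers: dict) -> list:
    """Return findings against the post's recommendations; an empty list means all good."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append("Strict-Transport-Security has no max-age, browsers ignore it")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={m.group(1)} is shorter than one year")
        if "includesubdomains" not in directives:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN; current browsers ignore it")

    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif re.sub(r"\s+", "", xss.lower()) != "1;mode=block":
        findings.append(f"X-XSS-Protection {xss!r} differs from the recommended '1; mode=block'")

    cto = headers.get("x-content-type-options")
    if cto is None or cto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    return findings


if __name__ == "__main__":
    for label, raw in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit_headers(parse_response_headers(raw)) or ["no findings"])
```

Run it against a real capture by pasting the output of `curl -i` into the `raw` argument; remember to capture over HTTPS, since a server usually only sends Strict-Transport-Security on the TLS virtual host and browsers ignore it on plain HTTP anyway.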
The Content-Security-Policy header helps you reduce XSS risks on modern browsers by declaring which dynamic resources are allowed to load.
Similarly to X-Content-Type-Options, the Content-Security-Policy header has a lot of configuration options and potential parameters, but at this point we will only mention the ones in the example (which is recommended for beginners).
Example:
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
default-src: the default policy for loading content such as JavaScript, images, CSS, fonts, AJAX requests, frames and HTML5 media.
script-src: defines valid sources of JavaScript.
connect-src: applies to XMLHttpRequest (AJAX), WebSocket and EventSource connections. If a connection is not allowed, the browser emulates a 400 HTTP status code.
img-src: defines valid sources of images.
style-src: defines valid sources of stylesheets.
You can add the Content-Security-Policy security header to your WordPress site by configuring the .htaccess file (Apache). With NGINX you need to edit the nginx.conf file.
Apache Configuration
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
</IfModule>
NGINX Configuration
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';" always;
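To see what the beginner policy above actually permits, here is an added example (not from the original post, not WebARX code) that parses the policy string and decides individual loads the way a browser would: a directive that is absent falls back to default-src, 'none' blocks everything, 'self' matches the page's own origin, and inline code is only allowed by 'unsafe-inline'. The `parse_csp` and `csp_allows` names, the page origin and the sample loads are constructed; real browsers also handle nonces, hashes, paths and wildcards, which are left out here.

```python
# Constructed sample: the post's beginner policy and a WordPress-like page origin.
POLICY = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
          "img-src 'self'; style-src 'self';")
PAGE_ORIGIN = "https://blog.example"

# Fetch directives that fall back to default-src when they are not listed (a subset
# of the spec's list, enough for the loads a WordPress theme typically makes).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                    "frame-src", "media-src", "object-src"}


def parse_csp(policy: str) -> dict:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    parsed = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            # First occurrence of a directive wins, as in browsers.
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def csp_allows(policy: dict, directive: str, source_origin, page_origin: str):
    """Would the policy let `directive` load from source_origin (None = inline code)?

    Returns (allowed, reason). Only the source forms used in the post are modelled:
    'none', 'self', 'unsafe-inline' and exact origins such as https://cdn.example.
    """
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")          # the fallback the post describes
    if sources is None:
        return True, f"{directive}: no directive and no default-src, nothing restricted"

    sources = [s.lower() for s in sources]
    if sources == ["'none'"]:
        return False, f"{directive}: 'none' blocks every source"
    if source_origin is None:
        if "'unsafe-inline'" in sources:
            return True, f"{directive}: inline code allowed by 'unsafe-inline'"
        return False, f"{directive}: inline code blocked (no 'unsafe-inline', nonce or hash)"
    origin = source_origin.lower()
    if "'self'" in sources and origin == page_origin.lower():
        return True, f"{directive}: {origin} matches 'self'"
    if origin in sources:
        return True, f"{directive}: {origin} is listed explicitly"
    return False, f"{directive}: {origin} is not an allowed source"


if __name__ == "__main__":
    policy = parse_csp(POLICY)
    # Constructed loads a typical WordPress page makes.
    loads = [("script-src", PAGE_ORIGIN),            # theme script from the site itself
             ("script-src", "https://cdn.example"),   # script from a third-party CDN
             ("script-src", None),                    # inline <script> emitted by a plugin
             ("font-src", PAGE_ORIGIN),               # web font: no font-src, so default-src
             ("frame-src", "https://video.example")]  # embedded video player
    for directive, source in loads:
        print(directive, source, csp_allows(policy, directive, source, PAGE_ORIGIN))
```

The inline case is the one that bites WordPress sites first: admin pages, many themes and many plugins emit inline scripts and styles, which this policy blocks. A safe way to find out what would break is to ship the same value in the Content-Security-Policy-Report-Only header first, which reports violations without enforcing them, and only switch to Content-Security-Policy once the reports are clean.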
Since there is more than one security header for WordPress, there is no single fix that adds them all. You can learn how to add the different security headers to your WordPress site from a guide here.