How to Add HTTP Security Headers in WordPress
Would you like to add HTTP security headers to your WordPress website? HTTP security headers allow you to add an extra layer of security to your WordPress website. They can help keep common threats from affecting your website. In this beginner’s guide, we’ll show you how to add HTTP security headers to your WordPress website easily.
What Are HTTP Security Headers?
HTTP security headers are a security measure that allows your website’s server to prevent some common security threats before they affect your website. When a user visits your website, your web server sends an HTTP header response to their browser. This response tells the browser about error codes, cache control, and other statuses.
The normal header response gives a status called HTTP 200. Your website will then load in the user’s browser. However, if your website is having issues, your web server may send a different HTTP header. For example, it could send a 500 internal server error or a 404 not found error code.
HTTP security headers are a subset of these headers and are used to prevent common threats to websites, for example, clickjacking, cross-site scripting, hacker attacks, and more. Let’s take a brief look at HTTP security headers and what they do to protect your website.
- HTTP Strict Transport Security (HSTS): The HSTS header tells web browsers that your website uses HTTPS and should not be loaded using an insecure protocol like HTTP. If you have migrated your WordPress website from HTTP to HTTPS, this security header allows you to keep browsers from loading the website over HTTP.
- X-XSS-Protection: The X-XSS-Protection header allows you to block cross-site scripting from loading on your WordPress website.
- X-Frame-Options: The X-Frame-Options security header prevents cross-domain iframes or clickjacking.
- X-Content-Type-Options: The X-Content-Type-Options header blocks content MIME type sniffing.
That said, let’s take a look at how to add HTTP security headers in WordPress easily.
Adding HTTP Security Headers in WordPress
HTTP security headers work best when set at the web server level (i.e., your WordPress hosting account). This allows them to be applied at the same time as a normal HTTP request, maximizing the benefit.
They work even better if you use a DNS-level web application firewall like Sucuri or Cloudflare. We will show you each method, and you can pick the one that suits you.
Adding HTTP Security Headers in WordPress Using Sucuri
Sucuri is the best WordPress security plugin on the market. If you also use their website firewall service, you can set HTTP security headers without writing code. First, you need to sign up for a Sucuri account. This paid service comes with a website firewall, security plugin, CDN, and malware removal guarantee.
When you sign up, you’ll answer simple questions, and Sucuri’s documentation will help you set up the Web Application Firewall on your website. After signing up, you need to install and activate the free Sucuri plugin. Once activated, go to the Sucuri Security » Firewall (WAF) page and enter your Firewall API key. You can find this information in your account on the Sucuri website.
Click the Save button to save your changes. Then go to your Sucuri account dashboard. From here, click on the Settings menu at the top and then go to the Security tab.
From here, you can pick from three rule sets: default protection, HSTS, and full HSTS. You will see which HTTP security headers are applied by each rule set. Click the “Save Changes to Additional Headers” button to apply the changes.
Sucuri will now add your selected HTTP security headers in WordPress. Because it is a DNS-level WAF, your website traffic is protected from hackers even before it reaches your website.
Adding HTTP Security Headers in WordPress Using Cloudflare
Cloudflare offers free website firewall and CDN services. Its free plan doesn’t have advanced security features, so you’ll have to upgrade to its more expensive Pro plan. Once Cloudflare is enabled on your website, go to the SSL/TLS page under your Cloudflare account dashboard and then go to the Edge Certificates tab.
Now, go to the HTTP Strict Transport Security (HSTS) section and click on the “Enable HSTS” button.
This will bring up instructions telling you that you need to enable HTTPS on your WordPress blog before using this feature. Click the Next button to continue; you will see the options to add HTTP security headers.
From here, you can enable HSTS, the no-sniff header, apply HSTS to subdomains (if they use HTTPS), and preload HSTS. This method provides basic protection using HTTP security headers. However, it doesn’t allow you to add X-Frame-Options, and Cloudflare doesn’t have an interface to do so.
You can still do this by creating a script using the Workers feature. However, creating an HTTPS security header script may cause unexpected issues for beginners, which is why we don’t recommend it.
Adding HTTP Security Headers in WordPress Using the .htaccess File
This method allows you to set HTTP security headers in WordPress at the server level. It requires you to edit the .htaccess file on your website. This is a server configuration file used by the most commonly used Apache server software.
Simply connect to your website using an FTP client or the file manager in your hosting control panel. You should find the .htaccess file in your website’s root folder. Locate it and edit it.
This will open the file in a plain text editor. At the bottom of the file, you can add code to add HTTPS security headers to your WordPress website. You can use the following sample code as a starting point; it sets the most commonly used HTTP security headers with optimized settings. Remember to save your changes and visit your website to ensure everything works as expected.
Note: Incorrect headers or conflicts in the .htaccess file may cause a 500 Internal Server Error on most web hosts.
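A starting point of the kind described above, as an added example rather than the article's own code: it sets the four headers covered earlier in this article. The one-year max-age and the SAMEORIGIN value are assumptions to adjust for your site.

```apache
# Added example (not from the original article). Append to the end of .htaccess.
# The IfModule guard skips these lines when mod_headers is not loaded,
# which avoids a 500 error caused by an unrecognized "Header" directive.
<IfModule mod_headers.c>
    # HSTS: sent only when Apache itself handles the request over HTTPS
    # (env=HTTPS). Behind a proxy or CDN that terminates TLS, this variable
    # may be unset and the header will not be sent.
    # max-age is in seconds; one year is an assumed value, start lower while testing.
    # Append "; includeSubDomains" only if every subdomain uses HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

    # Legacy XSS filter switch; current Chrome and Firefox ignore it.
    Header always set X-XSS-Protection "1; mode=block"

    # Block MIME type sniffing.
    Header always set X-Content-Type-Options "nosniff"

    # Allow the site to be framed only by pages on its own origin.
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
```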
Adding HTTP Security Headers in WordPress Using a Plugin
This method is somewhat less effective because it depends on a WordPress plugin to modify headers. However, it is also the easiest way to add HTTP security headers to your WordPress website. First, you need to install and activate the Redirection plugin. Upon activation, the plugin will show a setup wizard that you can follow to set up the plugin. Afterward, go to Tools » Redirection and the “Site” tab.
In the next step, you need to scroll down to the HTTP Headers section and click on the “Add Header” button. You need to choose “Add Security Presets” from the drop-down menu.
After that, you have to click it again to add these options. Now, you’ll see a preset list of HTTP security headers appear in the table.
These headers are optimized for security; you can review them and change them if necessary. When you’re finished, remember to click the Update button to save your changes. You can now visit your website to make sure everything is working fine.
How to Check HTTP Security Headers for a Website
Now that you have added HTTP security headers to your website, you can test your settings using the free Security Headers tool. Simply enter your website address and click the scan button.
It then checks the HTTP security headers for your website and shows you a report. The tool generates a so-called grade label that you can ignore because most websites get a B or C at best without affecting the user experience.
It shows you which HTTP security headers are sent by your website and which security headers are not included. You’re finished if the security headers you want to set are listed there.
We hope this article helped you learn how to add HTTP security headers in WordPress.