How to Add HTTP Security Headers in WordPress (Beginner’s Guide)

If your website is on WordPress platform then you should care more about website security. HTTP security headers allow you to add extra layer to your WordPress site. They help to block malicious activity and save from the attackers.

Developer Guidance guide you How to easily add HTTP security headers in WordPress.
What are HTTP Security Headers?
HTTP security headers are a security measure that allows your website’s server to prevent from some common threats.
Fundamentally, when a client visits your site, your web sends sends an HTTP header response back to their browser. This response tells browser about concerning mistake codes, cache control, and other situations with.
The normal header response issues a status called HTTP 200. If your website is having difficulty then your web server may send a different HTTP header.

For example, it may send a 500 internal server error, or a not found 404 error code.

HTTP security headers are a subset of these headers and are utilized to keep sites from normal
and prevent from danger like click-jacking, cross-site scripting, brute force attacks, and more.

We should have a speedy look at what HTTP security headers resemble and how they deal with ensure your site.

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) header tells internet browsers that your site utilizes HTTPs and should not be loaded using insecure protocol like HTTP.

In the event that you have moved your WordPress site from HTTP to HTTPs, this security header permits you to prevent programs from stacking your site on HTTP.

X-XSS Protection

X-XSS Protection header allows you to block cross-site scripting from loading on your WordPress website.


X-Frame-Options security header forestalls cross-space iframes or click-jacking.


X-Content-Type-Options blocks content emulate type sniffing.

That being said, we should investigate how to effortlessly add HTTP security headers in WordPress.

Adding HTTP Security Headers in WordPress

HTTP security headers work best when they are set at the web worker level (i.e your WordPress facilitating account). This permits them to be set off almost immediately during a regular HTTP demand and gives most extreme advantage.

They work far better in the event that you are utilizing a DNS-level site application firewall like Sucuri or Cloudflare. We’ll show you every strategy, and you can pick one that turns out best for you.

Here are fast connects to various techniques, you can leap to the one that suits you.
Sucuri is the best WordPress security module available. Assuming you are utilizing their site firewall administration as well, you can set HTTP security headers without composing any code.

To start with, you should pursue a Sucuri account. It’s anything but a paid help that accompanies a cut off level site firewall, security module, CDN, and malware evacuation ensure.

During join, you will address basic inquiries, and Sucuri documentation will help you set up the site application firewall on your site.

In the wake of joining, you need to introduce and actuate the free Sucuri module. For additional subtleties, see our bit by bit guide on the most proficient method to introduce a WordPress module.

Upon enactment, go to Sucuri Security » Firewall (WAF) page and enter your Firewall API key. You can find this information under your account on Sucuri website.
Click on the Save button to store your changes.

Next, you need to switch to your Sucuri account dashboard. From here, click on the Settings menu on top and then switch to the Security tab.

From here you can pick three arrangements of rules. The default security, HSTS, and HSTS Full. You will see which HTTP security headers will be applied for each set of rules.

Snap on the ‘Save Changes in The Additional Headers’ catch to apply your changes.

That is all, Sucuri will currently add your chose HTTP security headers in WordPress. Since it’s anything but a DNS level WAF, your site traffic is shielded from programmers even before they arrive at your site.

Adding HTTP Security Headers in WordPress using Cloudflare

Cloudflare offers a fundamental free site firewall and CDN administration. It needs progressed security highlights in their free arrangement, so you should move up to their Pro plan which are more costly.

To include Cloudflare on your site, see our tutorial on how to add Cloudflare free CDN in WordPress

When Cloudflare is dynamic on your site, go to the SSL/TLS page under your Cloudflare account dashboard and afterward change to the Edge Certificates tab.

Setting up HTTPS security headers in Cloudflare

Presently, look down to the HTTP Strict Transport Security (HSTS) segment and snap on the ‘Empower HSTS’ button.

Empower HSTS on Cloudflare

This will raise a popup with guidelines revealing to you that you should have HTTPS enabled on your WordPress blog before using this feature. Click on the Next button to proceed, and you will see the choices to add HTTP security headers.

Enable HTTPS security headers in Cloudflare

From here, you can empower HSTS, no-sniff header, apply HSTS to subdomains (in the event that they are utilizing HTTPS), and preload HSTS.

This strategy gives fundamental assurance using HTTP security headers. In any case, it doesn’t allow you to add X-Frame-Options and Cloudflare doesn’t have a UI to do that. you can do in any case that by making a content using the Workers highlight.

Adding HTTP Security Headers in WordPress using .htaccess

This technique permits you to set the HTTP security headers in WordPress at the server level.

It requires you to edit the .htaccess file on your site. It is a server configuration file used by the most commonly used Apache webserver software.

Simply connect to your website using an FTP client, or the file manager app in your hosting control panel. In the root folder of your website, you need to locate the .htaccess file and edit it.

Alter the .htaccess file in WordPress

This will open the document in a plain text editor . At the lower part of the file, you can add the code to add HTTPS security headers to your WordPress site.

You can utilize the accompanying example code as a beginning stage, it sets the most regularly utilized HTTPs security headers with ideal settings:

Note: Incorrect headers or clashes in .htaccess record may trigger 500 Internal server error on most web hosts.

Adding HTTP Security Headers in WordPress using Plugin

This strategy is somewhat less successful as it’s anything but a WordPress module to change the headers. Notwithstanding, it is additionally the simplest method to add HTTP security headers to your WordPress site.

To begin with, you need to introduce and enact the Redirection module. For additional subtleties, see our bit by bit guide on the best way to introduce a WordPress module.

Upon initiation, the module will show a set up wizard that you can simply track with to set up the module. From that point onward, go to Tools » Redirection page and change to the ‘Site’ tab.

Site settings in Redirection module

Then, you need to look down to the lower part of the page to the HTTP Headers area and snap on the ‘Add Header’ button. Starting from the drop menu, you need to choose ‘Add Security Presets’ choice.

Adding header presets utilizing Redirection

From that point forward, you should tap on it again to add those alternatives. Presently, you will see a preset rundown of HTTP security headers show up in the table.

HTTP security header presets

These headers are upgraded for security, you can survey them and change them if necessary. Whenever you are done, remember to tap on the Update catch to save your changes.

You would now be able to visit your site to ensure that all is working great.