How to Add HTTP Security Headers in WordPress

10 Jan, 2024

Would you like to add HTTP security headers to your WordPress website?

With HTTP security headers, your WordPress website will have an extra layer of protection. This will prevent malicious activity from affecting your website performance.

The tutorial below will walk through adding HTTP security headers in WordPress.

What Are HTTP Security Headers?

HTTP Security Headers are a security measure that enables your website’s server to block common security threats before they harm your website.

To start, let’s understand what an HTTP header is.

The HTTP header message is a response your server sends to a user’s browser every time they visit your website. These responses provide browsers with information about error messages, cache control, and other statuses.

An HTTP 200 response is the response code for a normal header response. Following that, your site gets loaded into the browser.

The web server may send a different HTTP header if there is trouble with your website. The web server may send an error code of the 500 internal server error or 404 not found messages in these cases.

These headers include HTTP security headers. Their purpose is to protect websites from various security risks such as clickjacking, cross-site scripting, brute force attacks, and more.

In this article, let’s explore HTTP security headers and describe their functions to protect your website.

HTTP Strict Transport Security (HSTS)

Strict Transport Security (HSTS) header tells browsers your site uses HTTPS, while unencrypted HTTPS is not permitted during website loading. Plain HTTP (without S) is an example of an unencrypted connection.

You can use this security header to prevent your WordPress website from loading on HTTP if you have migrated it from HTTP to HTTPS.

X-XSS Protection

You can block cross-site scripting using the XSS Protection header in WordPress.


The X-Frame-Option security header prevents cross-domain iframes or clickjacking attempts.


With the X-Content-Type-Options header, you can block content mime-type sniffing.

In the next section, we’ll see how to add HTTP security headers to your WordPress site easily.

How to Add HTTP Security Headers in WordPress

It is best to configure HTTP security headers on your webserver (i.e., your WordPress hosting account). As a result, they can be triggered early on with a typical HTTP request and maximum benefits.

If you use a DNS-based application firewall like Cloudflare, then they work even better. I will show you each approach, and you can select which one is best for you.

Rovity Adds HTTP Security Headers Default at the Server Level

Yes, that’s correct. Remember I said adding these security headers at the server level is the most optimized and robust method?

Rovity adds those necessary security headers automatically for you. If your website is hosted with us, you don’t need to bother about adding them.

If your website is hosted somewhere else, keep reading and add those headers yourself.

1 – How to Use Cloudflare to Add HTTP Security Headers Into WordPress

Cloudflare provides free website security firewall services and CDN solutions. They offer their free plan without advanced security features, so you have to purchase their Pro plan for added advantages.

In our tutorial, we show you how to set up Cloudflare to maximize its performance.

Edge Certificates in Cloudflare

Switch to the Edge Certificates tab under the SSL/TLS section of your Cloudflare account dashboard.

Click the Enable HSTS button on the HTTP Strict Transport Security (HSTS) section.

An instruction box will tell you to configure your WordPress site with HTTPS before using this feature. Continue by clicking the Next button, and you will have the option to add HTTP security headers.

Enable HSTS in Cloudflare

You may enable HSTS, set the no-sniff header, apply HSTS to subdomains, and preload HSTS here.

This method uses HTTP security headers for essential protection. However, it does not allow you to add the X-Frame-Options, and Cloudflare does not have a user interface that would allow you to do this.

It is possible to accomplish that by creating a script by using the Workers feature. I would, however, discourage the creation of an HTTPS security header script for beginners because it may cause unexpected issues.

2 – How to Use .htaccess to Add HTTP Security Headers Into WordPress

With this method, you can control how WordPress handles HTTP security headers at the server level.

You’ll need to edit .htaccess on your website. This file is the most commonly used configuration file for the Apache or LiteSpeed webserver.

Then use the File Manager in the DirectAdmin control panel or an SFTP client to connect to your website. Within your web page’s root folder, you need to find the .htaccess file and edit it.

Add Security Headers in htaccess

In this file, you can add HTTPS security headers to your WordPress website.

As a starting point, you can use the following sample code, which will set the most commonly used HTTPS security headers at the optimal level.

<ifModule mod_headers.c>
Header set Strict-Transport-Security "max-age=63072000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy: no-referrer-when-downgrade

Make sure to save your changes and visit your website to check everything works correctly. A 500 internal server error may occur if the .htaccess file contains an incorrect or conflicting header.

3 – How to Use WordPress Plugins to Add HTTP Security Headers

As this method relies on WordPress’s plugin, it’s not as effective as the previous method. But it’s also one of the easiest ways to add HTTP security headers to your WordPress site.

The first thing you need to do is install and activate the Redirection plugin. Please see our detailed instructions for installing a WordPress plugin.

After activating the plugin, a set-up wizard appears that you can follow to install the plugin. Once that is done, click on the Site tab on the Tools > Redirection page.

HTTP Headers in Redirection Plugin

To change HTTP Headers, you must scroll down the page to the bottom and click the Add Header button. Then select the Add Security Presets option from the drop-down menu.

You will have to click again on it to add the available options. You can see a preset list of HTTP security headers appear in the table now.

Add HTTP Headers in Redirection Plugin

These headers have been optimized for security purposes. These headers can be reviewed and modified if you wish. Remember to click the Update button after you have finished making your changes.

Now you can go to your website and make sure it works as expected.

How to Check a Website’s HTTP Security Headers

I assume that you have added HTTP Security headers to your website. The free Security Headers tool provides an easy way to test your configuration. Just enter your URL and hit the Scan button.

This tool will then assess your website for HTTP security headers and present a report to you.

I am using Rovity’s website in this example. This website is using the same default HTTP Security Headers that we deployed globally. This will be the same for your websites as well if you are hosted on our servers.

Security Headers Security Report Summary

This tool will tell you which HTTP security headers your website is sending and which ones are not. Once you find the security headers that you want to set on this page, you’re done.

We hope you found this tutorial helpful in learning how to add HTTP security headers to WordPress.

If you enjoyed this tutorial, then you’ll love Rovity and our fast-growing premium shared hosting on the cloud. Check our subscription plans.

Jafar Muhammed

Jafar Muhammed has 10+ years of experience in WordPress, web hosting, domain names, DNS, CDN, server administration, etc. He is an open web advocate. He is the CEO of Rovity, the fastest-growing premium shared hosting startup in India.