
Adding missing security headers to WordPress

Are you seeing the message “Not all recommended security headers are installed” under WordPress > Tools > Site Health, followed by

Your website does not send all recommended security headers.

  • Upgrade Insecure Requests
  • X-XSS protection
  • X-Content Type Options
  • Referrer-Policy
  • X-Frame-Options
  • Permissions-Policy
  • HTTP Strict Transport Security

What you will need

You will need to access and edit your .htaccess file. This file is only available on Apache servers, and you reach it via FTP.

  • FTP Credentials for your server
  • FTP Software of choice, I use FileZilla

Manually adding security headers

Open your FTP client and go to the root of your website, usually /public_html or wherever your wp-admin and wp-content folders are located.

  • If you can’t find or see the .htaccess file, make sure your FTP client is set to show hidden files. Search for how to enable this in your FTP software
  • Download .htaccess, then make a copy of it as a backup
  • Open the .htaccess file in a text editor. Copy the Security Headers from below and paste them into your .htaccess file after the Really Simple SSL block if you have it
  • Sometimes you can’t save a file whose name starts with a dot. Save the file without the dot and continue
#BEGIN Security Headers
# Only apply when mod_headers is loaded; an unknown directive in .htaccess makes Apache return a 500 error for the whole site
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests"
# "0" turns the browser's legacy XSS filter off, which is the current recommendation
Header always set X-XSS-Protection "0"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# No colon after the header name: with "X-Frame-Options:" Apache would send a header literally named that
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Permissions-Policy ""
# Only on HTTPS responses; browsers ignore HSTS received over plain HTTP
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set Expect-CT "max-age=7776000, enforce"
</IfModule>
#END Security Headers
  • Upgrade-Insecure-Requests – This header is an additional way to force requests to your domain over https://
  • X-XSS-Protection – Controls the browser’s legacy filter that stops a page from loading when a reflected cross-site scripting (XSS) attack is detected; the value 0 used above turns that filter off, as current browsers have removed it
  • X-Content-Type-Options – This header forces the browser not to “guess” what kind of data is passed. If the extension is “.doc”, the browser should get a .doc file, not something else (such as a .exe)
  • Referrer-Policy – Controls how much of the referring URL the browser sends along with requests. With the strict-origin-when-cross-origin value above, a referrer is only sent when staying on the same protocol, and nothing is sent when downgrading (HTTPS -> HTTP)
  • HSTS – Once this header is set on your domain, a browser will make all requests to your site over HTTPS from then on
  • Expect-CT, Certificate Transparency – A Certificate Authority (the issuer of the SSL certificate) needs to log the certificates it issues in a separate, public log, the CT framework, which makes fraudulently issued certificates detectable

Uploading and Troubleshooting

Before uploading, make sure you have a back-up of your current .htaccess file.

  • Open your FTP software and connect to your site
  • Change the name of your .htaccess file to something like .htaccessOLD
  • Upload your edited file
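After the upload, the quickest way to confirm the headers actually arrive is to read them back from the server. The following checker is an added example and not part of the original post: it parses a `curl -I` style header block, reports which of the Site Health headers are missing or carry a value outside what the .htaccess block above sets, and flags the trailing-colon typo that would make Apache send a header whose name ends in `:`. The URL example.com, the `EXPECTED` value rules and the constructed `SAMPLE_RESPONSE` are assumptions of this example.

```python
"""Check Site Health security headers in a raw HTTP response header block.
Added example, not from the post. Live use: curl -sI https://example.com/ | python3 check_headers.py
"""
import sys

# Site Health names, each with a value check mirroring the post's .htaccess block (assumption).
EXPECTED = {
    "content-security-policy": lambda v: "upgrade-insecure-requests" in v.lower(),
    "x-xss-protection": lambda v: v.strip() in ("0", "1; mode=block"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip() != "",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "permissions-policy": lambda v: True,  # Site Health only checks presence
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
}

# Constructed response: what a trailing colon in the .htaccess header name
# (Header set X-Frame-Options: "SAMEORIGIN") produces, a name ending in ':'.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: upgrade-insecure-requests
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options:: SAMEORIGIN
Permissions-Policy::
Strict-Transport-Security:: max-age=31536000
"""

def check_headers(raw):
    # Parse "Name: value" lines (skipping the status line) into lower-cased names.
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    missing = [n for n in EXPECTED if n not in headers]
    weak = [n for n in EXPECTED if n in headers and not EXPECTED[n](headers[n])]
    # A value starting with ':' means the name itself ended in ':', the
    # fingerprint of a 'Header set Name: "value"' typo in .htaccess.
    typo = [n for n, v in headers.items() if v.startswith(":")]
    return missing, weak, typo

if __name__ == "__main__":
    raw = SAMPLE_RESPONSE if sys.stdin.isatty() else sys.stdin.read()
    missing, weak, typo = check_headers(raw)
    print("missing:", missing, "\nweak value:", weak, "\nname typo:", typo)
    sys.exit(1 if missing or weak or typo else 0)
```

With no input piped in, the script checks the built-in sample and exits non-zero because three header names carry the colon typo; a clean response exits 0 with three empty lists.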
