How to Add HTTP Security Headers in WordPress

One of the most important parts of keeping your website secure is protecting it from malicious activity. HTTP security headers are an effective way to do just that. 

They are special text instructions that tell your web server how to handle incoming requests. When used correctly, they can help prevent malicious activity and ensure your website continues to perform at its best.

Security is one of the most important issues facing website owners today. Every day, millions of websites are attacked, and thousands are taken down or damaged. 

It can be hard to know where to start when improving your website’s security, but adding an HTTP security header is a good first step.

What are HTTP Security Headers?

HTTP security header is a set of HTTP response header fields that allow you to add an extra layer of security to your website. They can help block common malicious activity from affecting your website performance.

There is a variety of HTTP security header that you can add to your WordPress site. Some of the most common HTTP security headers include:

– HTTP Strict Transport Security (HSTS)

– X-Frame-Options

– X-XSS-Protection

– Content Security Policy WordPress(CSP)

Each of these HTTP security headers provides a layer of protection against different types of malicious activity. For example, HSTS can help protect your website from man-in-the-middle attacks, while CSP can help protect your website from cross-site scripting attacks.

How Can HTTP Security Headers Help My Website Security?

HTTP security headers can help improve your website security in a few ways:

1. They help protect your website from common attacks.

HTTP security headers can help protect your website from a variety of common attacks, such as man-in-the-middle attacks, cross-site scripting attacks, and SQL injection attacks.

2. They help improve your website’s performance.

HTTP security headers can also help improve your website’s performance by blocking malicious activity that can slow down your website.

3. They provide an extra layer of security.

HTTP security headers provide an extra layer of security that can help protect your website from malicious activity. By adding HTTP security headers to your WordPress site, you can help improve its overall security.

How to Add HTTP Security Headers in WordPress

Now that you understand HTTP security headers and how they can help improve your website security, let’s look at the steps on how to add HTTP security headers in WordPress.

1. Add HTTP Security Header in WordPress Using Cloudflare

Cloudflare is a free service that protects and speeds up websites. It acts as a firewall and a CDN, automatically distributing website content to servers closest to the person visiting the website. 

The free plan provides basic website security and speed improvements. For advanced security features, such as website firewall management and advanced malware removal, you will need to upgrade to a paid plan

See our tutorial on how to install Cloudflare’s free CDN in WordPress to get started.

After activating the Cloudflare network Open the Cloudflare website on your browser. Come to the dashboard and click on SSL/TLS >> Edge Certificate.

Change HSTS settings

Now, Scrawl down a little bit and click on Change HSTS Setting after that you can see this type of window.

acknowledgment form

Here you can see the acknowledgment form you don’t need to do anything just click on Understand and Next.

Adding HSTS headers through cloudflare

Now here make the changes as shown in image Enable HSTS, Maxage header (12 months), Apply HSTS policy to a subdomain, Preload, and click on save.

You have successfully added one HSTS Security Header to your website. Now we have to add more security headers.

2. Add HTTP Security Headers in WordPress using .htaccess

This approach allows you to specify HTTP security header at the server level in WordPress.

It necessitates editing your website’s .htaccess file. It’s a server configuration file for Apache, the most used web server software.

Simply use an FTP client or the file management program in your hosting control panel to connect to your website. You must identify and edit the .htaccess file in the root folder of your website.

The file will be opened in a plain text editor as a result of this. You can add the code to add the HTTPS security header to your WordPress website at the bottom of the file.

As a starting point, you can use the following sample code, which optimizes the most commonly used HTTP security header:

<ifModule mod_headers.c>

Header set Strict-Transport-Security “max-age=31536000” env=HTTPS

Header set X-XSS-Protection “1; mode=block”

Header set X-Content-Type-Options nosniff

Header set X-Frame-Options DENY

Header set Referrer-Policy: no-referrer-when-downgrade


Remember to save your modifications and check your website to ensure everything is operating properly.

htaccess file

IMP: On most web hosts, incorrect headers or conflicts in the .htaccess file can result in a 500 Internal Server Error.

3. Adding HTTP Security Headers in WordPress using Redirection Plugin

The first step is to find the Security Headers WordPress Plugin. I recommend Redirection because it’s completely free and very easy to use. 

Once you’ve found a plugin, follow the instructions to install and activate it. You may need to configure some settings, but most plugins will prompt you to add HTTP security headers when you activate them.

When you activate the plugin, it will launch a setup wizard that you can simply follow to set up the plugin. Switch to the ‘Site’ tab on the Tools » Redirection page after that.

Redirection plugin

After that, scroll down to the HTTP Headers section at the bottom of the page and click the ‘Add Header’ button. Select the ‘Add Security Presets’ option from the drop-down menu.

Adding HTTP headers.

After that, you’ll have to click one more to add those selections. The table will now provide a pre-populated list of HTTP security headers.

Add HTTP security headers using redirection plugin.

These headers have been optimized for security, and you can review and modify them as needed. When you’re finished, remember to click the Update button to save your changes.

You can now go to your website and double-check that everything is working properly.

How to Check HTTP Security Headers for your Website

Now that you’ve added the HTTP Security header to your site, you’re ready to go. The free Security Headers tool can be used to test your configuration. Simply type in the URL of your website and hit the Scan button.

Checking HTTP security headers

It will then run a check on your website’s HTTP security header and present you with a report. The tool will generate a so-called grade label, which you can disregard because most websites will only receive a B or C rating, which will have little impact on user experience.

It will show you which HTTP security header your website sends and which security headers it does not send. You’re done if the security headers you wished to set are displayed there.


I hope this article helped you learn how to add HTTP security headers in WordPress. You may also want to see our expert pick of the best WordPress plugins for websites.

If you liked this article, then please subscribe to our blog and share it with your friends. You can also find us on Twitter and Facebook.

Rishabh Kolhe
Rishabh Kolhe

I am the founder of WealthyWork, I started my digital marketing journey in 2017. First, I started my career with SEO in Culturelligence, then after some time, I learned more about Digital Marketing. I worked as a Digital Marketer with Agile PeopleOps, a US-based HR organization. Now I am working in WealthyWork, We all specializing in Digital Marketing Services.

Articles: 101