When you think about securing your WordPress site, you probably think about strong passwords, plugins, and firewalls. But there is a hidden layer of security that operates every time a visitor loads your page: HTTP Security Headers.
WordPress core does not send these headers on your public pages (it only sets X-Frame-Options on the admin and login screens), and most hosting setups don't add them for you. That leaves visitors more exposed to browser-side attacks such as clickjacking, cross-site scripting (XSS), and MIME-type confusion.
Think of Security Headers as the “rules of engagement” your server gives to a web browser. Without them, the browser has to guess how to handle your content—and hackers love to exploit that guessing game.
In this guide, we will explain exactly what these headers are, why they are critical for your security score, and how to implement the top 5 headers on your WordPress site today.
What Are HTTP Security Headers?
When a user visits your website, their browser sends a Request to your server. Your server sends back a Response.
This response contains two things:
- The Body: The visible content (HTML, images, text).
- The Headers: Invisible metadata telling the browser how to display that content.
Security Headers are specific instructions included in that metadata. They tell the browser things like:
- “Only load scripts from this specific domain.”
- “Never open this site in an iframe.”
- “Force all connections to be encrypted (HTTPS).”
If these headers are missing, the browser defaults to “permissive” mode, which prioritizes compatibility over security.
The Top 5 Essential Security Headers
To harden your WordPress site, you should implement the following five headers. Let’s break down what each one does.
1. Strict-Transport-Security (HSTS)
The Problem:
Even with a TLS certificate installed, a user who types yoursite.com or follows an old http:// link makes their first request over plain HTTP. Your server answers with a redirect to https://, but that unencrypted request and its redirect can be intercepted by an attacker on the same network, who can then keep the victim on a plaintext copy of your site (an "SSL stripping" man-in-the-middle attack).
The Solution (HSTS):
This header, when received over HTTPS, tells the browser: "For the next max-age seconds, never request this site over HTTP. Rewrite any http:// URL to https:// before sending it, and do not let the user click past certificate errors." Two caveats: browsers ignore HSTS received over plain HTTP, so the very first visit is still unprotected unless your domain is on the browser preload list; and includeSubDomains applies the rule to every subdomain, so make sure all of them serve HTTPS before you enable it.
2. X-Frame-Options
The Problem (Clickjacking):
A hacker can create a transparent <iframe> of your website and overlay it on a malicious page. When a user thinks they are clicking a “Win a Prize” button, they are actually clicking a hidden “Delete Account” button on your site.
The Solution:
This header tells the browser whether your site may be embedded in a frame at all:
- DENY: Never allow framing.
- SAMEORIGIN: Only allow framing by pages from your own origin.
Modern browsers prefer the CSP directive frame-ancestors for the same job and, when both are present, follow the CSP one; sending both covers old and new browsers.
3. X-Content-Type-Options
The Problem (MIME Sniffing):
Browsers are forgiving: when a response's Content-Type header is missing or looks wrong, they inspect the bytes and guess what the file is. An attacker who can get a file onto your server (through an upload form, say) can abuse that guess: a file named image.jpg that actually contains HTML or JavaScript may be "sniffed" as code and rendered or executed in the context of your site.
The Solution:
Setting this to nosniff tells the browser to trust the Content-Type header your server sends and not to second-guess it. In particular, a <script> tag will only execute a response served with a JavaScript MIME type, and a stylesheet will only be applied if it is served as text/css. If the server says a file is an image, the browser treats it as an image and never tries to run it.
4. Referrer-Policy
The Problem:
When a user clicks a link on your site that leads to an external site, their browser tells that new site where they came from (the “Referrer”). This can accidentally leak sensitive data included in your URLs (like session tokens or reset codes).
The Solution:
This header controls how much referrer information is sent.
strict-origin-when-cross-origin: sends the full URL for links within your own site, only the origin (scheme and host, e.g. https://yoursite.com/) to other HTTPS sites, and nothing at all when the user goes from your HTTPS site to a plain HTTP one. Current browsers already use this as their default, but setting it explicitly covers older browsers and makes the choice visible to anyone auditing your site.
5. Content-Security-Policy (CSP)
The Problem (XSS):
Cross-Site Scripting (XSS) occurs when an attacker gets malicious JavaScript into your page, for example through a vulnerable plugin, theme, or comment form. The browser runs it with full access to the page and the user's session, because it cannot tell injected script from your own.
The Solution:
CSP allows you to create an “Allowlist” of approved sources. You can say: “Only load scripts from mysite.com and google-analytics.com. Block everything else.”
(Note: CSP is the most powerful header here and the easiest to get wrong. Deploy it first as Content-Security-Policy-Report-Only, watch what it would have blocked, and tighten from there. Be aware that a script-src containing 'unsafe-inline', which most WordPress themes and plugins need unless you add nonces, gives almost no XSS protection, so treat the basic policy below as a starting point, not a finish line.)
How to Add Security Headers in WordPress
You don't need a plugin for this. The most reliable place is the web server itself, so the headers go out on every response (static files and error pages included) no matter which WordPress plugins are active.
Method 1: Apache (.htaccess)
If your host uses Apache (most shared hosting does), edit the .htaccess file in your WordPress root and add this block. It depends on mod_headers; on Debian/Ubuntu enable it with sudo a2enmod headers and restart Apache. The <IfModule> guard means the block is silently skipped, not applied, when the module is missing, so always verify afterwards (see the verification section below).
Apache
<IfModule mod_headers.c>
# 1. HSTS (Force HTTPS for 1 year). Browsers only honour this over HTTPS;
#    keep includeSubDomains only if every subdomain already serves HTTPS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# 2. X-Frame-Options (Prevent Clickjacking)
Header always set X-Frame-Options "SAMEORIGIN"
# 3. X-Content-Type-Options (Stop MIME Sniffing)
Header always set X-Content-Type-Options "nosniff"
# 4. Referrer-Policy (Protect Privacy)
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# 5. Basic CSP (Adjust as needed!). 'unsafe-inline' and 'unsafe-eval' keep
#    WordPress working but give little XSS protection; data: is needed for the
#    inline images the WordPress admin uses; frame-ancestors mirrors X-Frame-Options.
Header always set Content-Security-Policy "default-src 'self'; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';"
</IfModule>
Method 2: Nginx
If you use a VPS or managed hosting with Nginx, add these lines to the server block in your site config (for example /etc/nginx/sites-available/yoursite). One Nginx gotcha: add_header is inherited from the server block only when the enclosing location block has no add_header of its own; a location with its own add_header (common for static files or the PHP handler) drops all of the parent's headers, so repeat the full set there. Then test and reload with sudo nginx -t && sudo systemctl reload nginx.
Nginx
# These apply to the whole server block, but only where no nested location
# block declares its own add_header; if one does, repeat all five there.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Starting-point CSP: 'unsafe-inline'/'unsafe-eval' keep WordPress working but
# weaken XSS protection; data: covers inline admin images; frame-ancestors
# mirrors X-Frame-Options. Tune this before relying on it.
add_header Content-Security-Policy "default-src 'self'; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';" always;
How to Verify Your Headers
After adding the code, you need to verify that the headers are actually being sent.
1. Browser Developer Tools
- Open your website.
- Right-click -> Inspect.
- Go to the Network tab.
- Reload the page.
- Click the first request (your domain).
- Look under Response Headers. You should see the new headers listed.
2. Run a FunSentry Scan
The easiest way is to use FunSentry. Our scanner checks your site against a database of best practices and gives you a simple Pass/Fail grade for each header.
It will tell you:
- ❌ If a header is missing.
- ⚠️ If a header is configured weakly (e.g., HSTS max-age is too short).
- ✅ If you are fully protected.
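If you would rather script the check yourself, here is an added example of the same pass/warn/fail grading. This is not FunSentry's scanner or WordPress code; it is a stand-alone Python script written for this guide. The 180-day HSTS threshold, the header names it looks for and the two sample header sets (one matching the Apache block above, one deliberately weak) are all constructed assumptions, and fetch_headers is a plain urllib GET that only runs when you pass a URL on the command line.

```python
"""Grade the five security headers from this guide: pass / warn / fail.
Added example, not FunSentry's scanner. Run with a URL to check a live site,
or with no arguments to grade the constructed sample below."""
import re
import sys
import urllib.request

# Assumed threshold: an HSTS max-age under 180 days is reported as weak.
HSTS_MIN_AGE = 15552000
# Referrer-Policy values that still send the full URL to other sites.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(policy):
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_headers(headers):
    """Return {header_name: (status, note)} with status 'pass', 'warn' or 'fail'."""
    results = {}

    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        results["Strict-Transport-Security"] = ("fail", "missing")
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < HSTS_MIN_AGE:
            results["Strict-Transport-Security"] = ("warn", f"max-age={max_age} is too short")
        else:
            results["Strict-Transport-Security"] = ("pass", hsts)

    csp_value = get_header(headers, "Content-Security-Policy")
    csp = parse_csp(csp_value) if csp_value else {}

    # CSP frame-ancestors is the modern replacement for X-Frame-Options.
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None and "frame-ancestors" not in csp:
        results["X-Frame-Options"] = ("fail", "missing and no CSP frame-ancestors")
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        results["X-Frame-Options"] = ("warn", f"unrecognised value {xfo!r}")
    else:
        results["X-Frame-Options"] = ("pass", xfo or "covered by CSP frame-ancestors")

    xcto = get_header(headers, "X-Content-Type-Options")
    if xcto is None:
        results["X-Content-Type-Options"] = ("fail", "missing")
    elif xcto.strip().lower() != "nosniff":
        results["X-Content-Type-Options"] = ("warn", f"value is {xcto!r}, expected nosniff")
    else:
        results["X-Content-Type-Options"] = ("pass", xcto)

    referrer = get_header(headers, "Referrer-Policy")
    if referrer is None:
        results["Referrer-Policy"] = ("fail", "missing")
    elif referrer.strip().lower() in LEAKY_REFERRER_POLICIES:
        results["Referrer-Policy"] = ("warn", f"{referrer} sends full URLs to other sites")
    else:
        results["Referrer-Policy"] = ("pass", referrer)

    if csp_value is None:
        results["Content-Security-Policy"] = ("fail", "missing")
    else:
        # script-src falls back to default-src when it is not set explicitly.
        script_src = csp.get("script-src", csp.get("default-src", []))
        weak = {"'unsafe-inline'", "'unsafe-eval'", "*"} & set(script_src)
        if weak:
            results["Content-Security-Policy"] = ("warn", "script-src allows " + " ".join(sorted(weak)))
        else:
            results["Content-Security-Policy"] = ("pass", "script-src has no unsafe sources")
    return results


def fetch_headers(url):
    """GET the page (following redirects) and return its response headers as a dict."""
    request = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return dict(response.headers.items())


# Constructed sample: what the Apache block in this guide sends.
GUIDE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; img-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
}

# Constructed sample: a weakly configured site (lower-case names, as curl may show them).
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "x-content-type-options": "nosniff",
    "referrer-policy": "unsafe-url",
}

if __name__ == "__main__":
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else GUIDE_HEADERS
    for name, (status, note) in check_headers(target).items():
        print(f"{status.upper():5} {name}: {note}")
```

Run it as python3 check_headers.py https://yoursite.com/ after deploying the server config. Note that even the guide's own Apache policy grades as a warning on CSP, because its script-src still allows 'unsafe-inline' and 'unsafe-eval'; that is the scanner doing its job, not a bug.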
Summary Checklist
| Header | Value to Set | Protection |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Man-in-the-middle / SSL stripping |
| X-Frame-Options | SAMEORIGIN | Clickjacking |
| X-Content-Type-Options | nosniff | MIME sniffing / content-type confusion |
| Referrer-Policy | strict-origin-when-cross-origin | Data leakage via the Referer header |
| Content-Security-Policy | Custom policy (start in Report-Only mode) | XSS (Cross-Site Scripting) |
Don’t leave your browser guessing.
Adding these headers takes less than 10 minutes but significantly improves your security posture. Run a free header check at FunSentry today to see if your site is currently exposed.
