Your Guide to Add Recommended Security Headers For WordPress

Configuring the recommended security headers for WordPress adds to your site's security. Today we are going to discuss everything about security headers for WordPress, and why you should be concerned with them. An HTTP header carries additional information (such as the content type, caching status, etc.) alongside a web page whenever a browser requests that page from the server. There are several types of HTTP headers; the one just described is the "HTTP response header", and security headers are a subset of it.

The following picture will help you understand better how HTTP headers work.

(Image: An example of an HTTP response header)

In short, whenever an HTTP request is made, the result (the response) comprises two parts:

  1. Message header
  2. Message body

The message headers are further divided into four categories, which we will cover today. We will then take up the recommended security headers for WordPress that you must not skip.

Also mentioned are the methods to check if your server has these headers.

What are Security Headers?

Security headers are headers that protect the requested site and the requesting browser from executing malicious code. That is, they protect both you and your site's users if malicious code is injected into a page of the web app.

Security headers are served directly by the web server, i.e. Apache, Nginx, Microsoft IIS, etc. So, for example, take a scenario where a malicious iframe has been injected into a page. Now, when the server serves that page to a user, it serves it along with the security headers. If the right kind of security header is present (X-Frame-Options), it tells the user's browser not to render the site's pages inside a frame where they do not belong, which defeats the injected iframe.

(Image: An example of the HTTP header result)

Are You Using Recommended Security Headers?

1. Check with Chrome DevTools

To check if your recommended security headers for WordPress are present, Google Chrome’s dev tools can be used. To do so, implement the following steps:

#1: Right-click on the web page and select the Inspect option.

#2: Click on the Network panel and reload the page by pressing Ctrl+R.


#3: Finally, select the request for the page and look at the Response Headers section to see which of the recommended security headers for WordPress are present.

The same can be done using other browsers too.
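A scripted version of the same check, added here as an example and not code from the original post: it fetches a URL's response headers (or audits any header mapping offline) and reports each recommended header as present, missing, or weak. The thresholds, such as a one-year max-age for HSTS, are my assumptions.

```python
import sys
import urllib.request

def _hsts_ok(value):
    """True when max-age is present and at least one year (assumed bar)."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num) >= 31536000
    return False

# Recommended header -> check applied to its value (names are case-insensitive).
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    # Current browsers ignore this header, so its presence is informational only.
    "x-xss-protection": lambda v: v.strip().startswith("1"),
}

def audit_headers(headers):
    """Return {header: 'ok' | 'missing' | 'weak'} for every recommended header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, check in CHECKS.items():
        if name not in lowered:
            report[name] = "missing"
        else:
            report[name] = "ok" if check(lowered[name]) else "weak"
    return report

def fetch_and_audit(url):
    """GET the URL and audit its response headers (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit_headers(dict(resp.headers.items()))

# Constructed sample response (not a real capture): HSTS is set, but far too short.
SAMPLE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    report = fetch_and_audit(sys.argv[1]) if len(sys.argv) > 1 else audit_headers(SAMPLE)
    for name, status in report.items():
        print(f"{status:8} {name}")
```

Run it with your site's URL as the first argument to audit the live response; without an argument it audits the constructed sample.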

2. Check with Astra’s Security Scanner

If you wish to avoid manually inspecting security headers, there is a way to automate the process. So, to automatically scan your website for recommended security headers in WordPress, use the free tool provided by Astra. To do so, implement the following steps:

#1: Visit this link and enter your domain name in the Scan option.

#2: Now when prompted, select the Run Security Audit option.


#3: Wait for the scan to finish and then click on View Results.


#4: The final results will show all the recommended WordPress security headers that your website is missing.

(Screenshot: Missing security headers flagged by Astra's Security Scanner)

Along with checking security headers, this tool can perform 40+ other security tests as well. These tests include:

  • Google Safe Browsing
  • Content Security Policy
  • Header Security
  • Cookie Security
  • CORS Tests
  • HTTPS Security

You can also use this tool to scan your site for Malware and SEO spam.

Importance of Recommended Security Headers in WordPress

As we said, using the recommended security headers on your WordPress site adds a layer of security to your website. Let's understand how:

  • They act as a first layer of defence for your website.
  • They protect your site's users from attacks such as XSS and clickjacking even if the website itself has been compromised.
  • The HSTS header can also help with your website's SEO.
  • They are a security practice that is easy to implement.
  • Implementing them requires no changes to your website's code.

Types of Recommended Security Headers in WordPress

Some major recommended security headers for WordPress are as follows:

1. HTTP Strict Transport Security (HSTS)

This security header ensures that all data is exchanged only over HTTPS. It works by directing the browser to communicate with the site over HTTPS instead of HTTP for the period given by max-age, once the browser has seen the header on an HTTPS response.

To implement this recommended security header on a WordPress site, follow these steps:

For Nginx: Open the nginx.conf file. Add the following code to it (inside the server block that listens on 443 with SSL) and save:

# Send HSTS on every HTTPS response, including error pages
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
    # HSTS belongs only on HTTPS responses; the expr= condition keeps it off plain HTTP
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>

2. X-Frame-Options

Clickjacking is a type of attack where the user is tricked into clicking on a transparent iframe laid over a decoy page, which then triggers actions on the site inside the frame. The X-Frame-Options security header works by telling the browser not to render the site inside such an iframe.

Add this recommended security header in your WordPress site as follows:

For Nginx: Open the nginx.conf file. Add the following code to it and save:

add_header X-Frame-Options "SAMEORIGIN" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
    # "set" rather than "append": a duplicated value such as "SAMEORIGIN, SAMEORIGIN" is rejected by browsers
    Header always set X-Frame-Options SAMEORIGIN
</IfModule>


3. X-XSS-Protection

Cross-site scripting is an attack in which an attacker tricks your browser into executing malicious JavaScript code in the context of the site. This header switches on the browser's built-in reflected-XSS filter, which uses heuristics to spot script that appears in both the request and the response and, with mode=block, stops the page from rendering, so the injected code cannot run and steal your session cookie. Note that current Chrome and Edge have removed this filter and Firefox never had one, so treat the header as a legacy setting and rely on Content Security Policy for real protection.

You can add X-XSS protection in your WordPress site by following these steps:

For Nginx: Open the nginx.conf file. Add the following code to it and save:

add_header X-XSS-Protection "1; mode=block" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

4. X-Content-Type-Options

It is quite possible that an attacker has uploaded a text file containing malicious HTML code. It may look like a harmless text file, but a browser that sniffs content may detect it as HTML and run the code. This security header therefore stops your browser from interpreting a file as anything other than its declared content type.

To add this recommended security header in WordPress site, do as follows:

For Nginx: Open the nginx.conf file. Add the following code to it and save:

add_header X-Content-Type-Options "nosniff" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
	Header set X-Content-Type-Options nosniff
</IfModule>

5. Referrer-Policy

The Referer request header tells the site being visited which page the user came from when following a link to it. This can be misused by an attacker or a third party to track the user, or to learn sensitive URLs. To protect the privacy of your users, the Referrer-Policy header lets you control what the browser sends.

Add this recommended security header in WordPress site as:

For Nginx: Open the nginx.conf file. Add the following code to it and save:

add_header Referrer-Policy "no-referrer" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
    # no-referrer-when-downgrade still sends the full URL to other HTTPS sites; use "no-referrer" to send nothing at all
    Header always set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

6. Content Security Policy

The Content-Security-Policy header tells the browser to load resources (scripts, images, stylesheets and so on) only from the sources you list. It is good practice to implement this recommended security header in WordPress, as it blocks the execution of malicious code loaded from other domains.

Optimize your site for content security policy by following this:

For Nginx: Open the nginx.conf file. Add the following code to it and save:

add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';" always;

For Apache: Open the .htaccess file. Add the following code to it and save:

<IfModule mod_headers.c>
    # The whole policy must be one double-quoted argument; Apache only treats double quotes as quoting
    Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
</IfModule>

Moreover, if you wish to allow other domains such as Google Analytics to run JavaScript on your site, add the host after the 'self' option. Host sources are written without quotes; only keywords like 'self' are quoted, and a quoted host is silently ignored by the browser:

script-src 'self' https://www.google-analytics.com
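Before deploying a policy, it helps to parse it and catch the mistakes that silently weaken it. The following linter is an added example, not code from the original article; the two policies it checks are constructed from the values used in this section, one with the host quoted by mistake and one written correctly.

```python
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

def parse_csp(policy):
    """Return {directive: [sources]} from a serialized CSP header value."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def lint_csp(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    directives = parse_csp(policy)
    for name, sources in directives.items():
        for src in sources:
            quoted = src.startswith("'") and src.endswith("'")
            inner = src.strip("'").lower()
            if quoted and inner not in KEYWORDS and not inner.startswith(("nonce-", "sha")):
                # A quoted host is parsed as an unknown keyword and dropped by the browser
                findings.append(f"{name}: {src} is quoted, so browsers ignore it; drop the quotes")
            elif not quoted and inner in KEYWORDS:
                # A bare keyword is parsed as a host named "self" etc. and matches nothing
                findings.append(f"{name}: {src} must be quoted as '{inner}'")
            elif quoted and inner == "unsafe-inline" and name == "script-src":
                findings.append("script-src: 'unsafe-inline' allows injected inline scripts to run")
    if "default-src" not in directives:
        findings.append("no default-src fallback; unlisted resource types are unrestricted")
    return findings

# Constructed policies: the Google Analytics allowance with the host quoted, and its correct form.
BROKEN = "default-src 'none'; script-src 'self' 'https://www.google-analytics.com'"
FIXED = "default-src 'none'; script-src 'self' https://www.google-analytics.com"

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_csp(policy) or ["ok"])
```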

To Conclude…

Missing security headers are a major security flaw. Scan your website right now to check for the missing headers. Given the benefits of implementing security headers on your website, it needs no more convincing. This article covers only the most crucial security headers; it in no way implies there are no others. There are further security headers, such as Feature-Policy (now Permissions-Policy) and Expect-CT, that you can configure as per your needs.

Have any questions to ask about security headers? Comment below and someone from our team will get in touch.
