Add WordPress Security Headers
WordPress Security Headers or HTTP security headers were created to protect applications from common attacks without the need to add or change the code of your applications. Website or web application security has multiple aspects that need focus and work and one good way to start is by adding security headers.
One of the best things about them is that they can help you to make your web applications safer without making you go to the trouble of adding or changing anything in their code. HTTP security headers protect your site against malicious intruders, and they’re an extra layer of security which it is not difficult to setup.
In this post, I will guide you through different types of security headers and help you to add them to your WordPress site to make your site more secure. You can easily enable with WordPress plugin called “http headers” and there will be an option on your WordPress settings.
X Frame Options
This keeps visitors safe from clickjacking attacks, where the content of your website could be loaded inside another site using iframe. You can add X-Frame-Options security header to your WordPress site and set it to “sameorigin” is recommended.
X XSS Protection
The X-XSS-Protection security header lets you configure the XSS protection system that you will find in many modern web-browsers. This could stop persistent XSS attacks from stealing cookies when a visitor who has logged in visits a page that contains an XSS element. You can add an X-XSS-Protection security header to your WordPress site by setting it to “1; mode=block”
X Content Type Options
Setting the X-Content-Type-Options header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers. It has a lot of configuration options and potential parameters, but the most common parameter used is “nosniff”.
X Permitted Cross Domain Policies
You can implement this header to instruct the browser how to handle the requests over a cross-domain. By implementing this header, you restrict loading your site’s assets from other domains to avoid resource abuse. Set X-Permitted-Cross-Domain-Policies “none”
Strict Transport Security
HSTS (HTTP Strict Transport Security) header to ensure all communication from a browser is sent over HTTPS (HTTP Secure). This prevents HTTPS click through prompts and redirects HTTP requests to HTTPS.
Before implementing this header, you must ensure all your website page is accessible over HTTPS else they will be blocked. Set Strict-Transport-Security “max-age=31536000(1 year); includeSubDomains; preload”.
Content Security Policy
Prevent XSS, clickjacking, code injection attacks by implementing the Content Security Policy (CSP) header in your web page HTTP response. CSP instruct browser to load allowed content to load on the website. All browsers don’t support CSP, so you got to verify before implementing it. You may add Content-Security-Policy as “default-src : self” and if your site be view then you had to disable it.
There are certain privacy and security benefits. However, not all the options are supported by all the browsers, so review your requirements before the implementation. Set Referrer-Policy “no-referrer” (Referrer information will not be sent with the request)
Control browser’s features such as geolocation, fullscreen, speaker, USB, autoplay, speaker, vibrate, microphone, payment, vr, etc. to enable or disable within a web application. And if your site be view then you had to disable it.
A new header still in experimental status is to instruct the browser to validate the connection with web servers for certificate transparency (CT). This project by Google aims to fix some of the flaws in the SSL/TLS certificate system.
Securing a website is challenging, and I hope by implementing the above headers, you add a layer of security. WordPress is one of the most popular CMS platforms worldwide. If you are lucky and your server is managed by us, we can adjust the HTTP security headers of your WordPress website and then you may test it out on https://www.serpworx.com/check-security-headers.