
Security Headers for WordPress: Complete Implementation Guide

HTTP security headers add crucial protection layers to your WordPress site. Learn about each header type and how to implement them properly.

Sarah Chen

What Are Security Headers?

HTTP security headers are directives sent from your web server to browsers that instruct how to handle your website's content. They provide an additional layer of security by controlling browser behavior and protecting against various attack vectors.

While security headers can't prevent all attacks, they significantly reduce the risk of cross-site scripting (XSS), clickjacking, and other client-side vulnerabilities.

Essential Security Headers

Content-Security-Policy (CSP)

CSP is one of the most powerful security headers. It controls which resources (scripts, styles, images, etc.) browsers are allowed to load for your page.

A basic CSP example:

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'

CSP limits the impact of XSS by blocking inline scripts (unless you explicitly allow them) and restricting the origins from which resources may load.

X-Frame-Options

This header prevents your site from being embedded in iframes on other domains, protecting against clickjacking attacks.

Options:

  • DENY - Prevents all framing
  • SAMEORIGIN - Allows framing only from your own domain
  • ALLOW-FROM uri - Allows framing from specified URI (deprecated in modern browsers)

Example:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options

Prevents browsers from MIME-sniffing a response away from the declared content type, reducing the risk of drive-by downloads.

X-Content-Type-Options: nosniff

X-XSS-Protection

Enables the browser's built-in XSS filter. While modern browsers have deprecated this in favor of CSP, it still provides protection for older browsers.

X-XSS-Protection: 1; mode=block

Strict-Transport-Security (HSTS)

Forces browsers to only connect to your site over HTTPS, even if a user types http://.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Warning: Only implement HSTS after confirming that HTTPS works perfectly on your site. With includeSubDomains that means every subdomain as well, because browsers will refuse plain-HTTP connections to all of them for the full max-age.

Referrer-Policy

Controls how much referrer information (the Referer header) is sent with requests that leave your site.

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy (formerly Feature-Policy)

Controls which browser features and APIs can be used on your site.

Permissions-Policy: geolocation=(), microphone=(), camera=()

Implementing Security Headers

Method 1: Apache .htaccess

# Requires mod_headers; "always" also applies the headers to error and redirect responses.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

Method 2: Nginx Configuration

# Place these in the server block. Note that any add_header inside a location block
# replaces all inherited add_header lines, so repeat them there if you use one.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Method 3: WordPress Plugin

Security plugins like WP Folder Shield can add security headers without server configuration. This is the easiest method for most WordPress users.

Method 4: PHP Functions

Add headers through your theme or plugin:

// Place in your theme's functions.php or a small plugin.
function add_security_headers() {
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('X-XSS-Protection: 1; mode=block');
}
// send_headers fires before WordPress outputs any content, so the headers are still settable.
add_action('send_headers', 'add_security_headers');

Testing Your Security Headers

Online Testing Tools

  • securityheaders.com - Comprehensive header analysis
  • Observatory by Mozilla - Detailed security assessment
  • Google's CSP Evaluator - Specific to CSP policies

Browser Developer Tools

Check the Network tab in your browser's developer tools to view response headers for any request.
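The online tools above need a public URL. As an added example (not part of the original article or the WP Folder Shield project), the following script performs the same kind of audit offline on the raw headers you copy from the Network tab, applying the rules given in this article: a CSP that allows 'unsafe-inline' scripts is flagged, X-Frame-Options counts as covered when CSP already sets frame-ancestors, and an HSTS max-age below the recommended year is a warning. The sample response is constructed, not captured from a real site.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the head of an HTTP/1.1 response (not captured from any real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n"
    "<!doctype html><html></html>"
)

ONE_YEAR = 31536000  # seconds; the HSTS max-age the article recommends


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split a raw response into its header fields, keyed by lowercase name.
    Repeated fields are joined with ', ' (RFC 9110 list-field combining)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # element [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Parse "default-src x; script-src y z" into {'default-src': ['x'], 'script-src': ['y', 'z']}."""
    result: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def audit_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Check each header the article covers. Returns (header, status, detail)
    tuples with status 'ok', 'warn' or 'missing'."""
    findings: List[Tuple[str, str, str]] = []
    csp = csp_directives(headers.get("content-security-policy", ""))

    # Content-Security-Policy: script-src falls back to default-src when absent.
    if not csp:
        findings.append(("Content-Security-Policy", "missing", "no policy sent"))
    else:
        script_sources = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append(("Content-Security-Policy", "warn",
                             "'unsafe-inline' in script sources defeats the XSS protection"))
        else:
            findings.append(("Content-Security-Policy", "ok", "present, inline scripts not allowed"))

    # X-Frame-Options: CSP frame-ancestors is the modern replacement and takes precedence.
    xfo = headers.get("x-frame-options", "").upper()
    if "frame-ancestors" in csp:
        findings.append(("X-Frame-Options", "ok", "covered by CSP frame-ancestors"))
    elif xfo in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "ok", xfo))
    elif xfo.startswith("ALLOW-FROM"):
        findings.append(("X-Frame-Options", "warn", "ALLOW-FROM is ignored by modern browsers"))
    else:
        findings.append(("X-Frame-Options", "missing", "clickjacking not mitigated"))

    # X-Content-Type-Options: the only meaningful value is nosniff.
    if headers.get("x-content-type-options", "").lower() == "nosniff":
        findings.append(("X-Content-Type-Options", "ok", "nosniff"))
    else:
        findings.append(("X-Content-Type-Options", "missing", "MIME sniffing not disabled"))

    # Strict-Transport-Security: parse max-age and compare with the one-year recommendation.
    hsts = headers.get("strict-transport-security", "")
    match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    if not match:
        findings.append(("Strict-Transport-Security", "missing", "no max-age"))
    elif int(match.group(1)) < ONE_YEAR:
        findings.append(("Strict-Transport-Security", "warn",
                         f"max-age={match.group(1)} is below one year"))
    else:
        findings.append(("Strict-Transport-Security", "ok", hsts))

    # Referrer-Policy and Permissions-Policy: presence check only.
    for name in ("referrer-policy", "permissions-policy"):
        pretty = "-".join(word.capitalize() for word in name.split("-"))
        if name in headers:
            findings.append((pretty, "ok", headers[name]))
        else:
            findings.append((pretty, "missing", "not set"))

    return findings


if __name__ == "__main__":
    for header, status, detail in audit_headers(parse_response_headers(SAMPLE_RESPONSE)):
        print(f"{status:8} {header}: {detail}")
```

Paste the response head from the Network tab (or from curl -I) into SAMPLE_RESPONSE and run the script; every "warn" or "missing" line maps to a header described earlier in this article. X-XSS-Protection is deliberately not scored because, as noted above, current browsers ignore it.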

Content Security Policy Deep Dive

CSP Directives

  • default-src - Fallback for other directives
  • script-src - Valid sources for JavaScript
  • style-src - Valid sources for CSS
  • img-src - Valid sources for images
  • font-src - Valid sources for fonts
  • connect-src - Valid targets for fetch, XMLHttpRequest
  • frame-src - Valid sources for iframes

CSP and WordPress Challenges

WordPress and many plugins use inline scripts and styles, which CSP blocks by default. You may need to:

  • Use 'unsafe-inline' (reduces protection)
  • Use nonces or hashes for inline scripts
  • Use plugins designed for CSP compatibility

Report-Only Mode

Test CSP without breaking your site:

Content-Security-Policy-Report-Only: [your policy]

This reports violations without enforcing the policy.
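To see how the directive list, the default-src fallback, the nonce and hash alternatives to 'unsafe-inline', and Report-Only mode fit together, here is an added example (not part of the original article or the WP Folder Shield project) that evaluates resource loads and inline scripts against a policy the way a browser does. It implements host, scheme, wildcard, 'self' and 'none' matching and the CSP rule that a nonce or hash in script-src switches 'unsafe-inline' off; path matching is left out. All policies, page URLs and resource URLs are constructed for the demonstration.

```python
import base64
import hashlib
from fnmatch import fnmatch
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Fetch directives that inherit from default-src when not set themselves.
# Navigation directives such as frame-ancestors do not inherit.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src"}


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}."""
    parsed: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])  # browsers keep the first duplicate
    return parsed


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive` after applying the default-src fallback.
    None means the policy does not restrict this directive at all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def host_source_matches(source: str, page: str, resource: str) -> bool:
    """Match one host or scheme source expression (e.g. https:, cdn.example.com, *.example.com)."""
    page_url, res_url = urlparse(page), urlparse(resource)
    if source.endswith(":"):                      # scheme source such as https: or data:
        return res_url.scheme == source[:-1]
    if "://" in source:
        src, schemes = urlparse(source), {urlparse(source).scheme}
    else:                                         # host-only: page scheme, or its https upgrade
        src, schemes = urlparse("//" + source), {page_url.scheme, "https"}
    return res_url.scheme in schemes and fnmatch(res_url.hostname or "", src.hostname or "")


def allows_load(policy: Dict[str, List[str]], directive: str, page: str, resource: str) -> bool:
    """Would a page at `page` be allowed to load `resource` under `directive`?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    page_url, res_url = urlparse(page), urlparse(resource)
    for source in sources:
        if source == "'self'":
            if page_url.scheme == res_url.scheme and page_url.netloc == res_url.netloc:
                return True
        elif source == "*":
            if res_url.scheme in ("http", "https"):
                return True
        elif not source.startswith("'"):          # keyword sources like 'unsafe-inline' never match URLs
            if host_source_matches(source, page, resource):
                return True
    return False


def script_hash(body: str) -> str:
    """The 'sha256-...' source expression that allows exactly this inline script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def allows_inline_script(policy: Dict[str, List[str]], body: str, nonce: Optional[str] = None) -> bool:
    """Inline scripts need 'unsafe-inline', a matching nonce, or a matching hash."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True                               # nonces/hashes, when present, disable 'unsafe-inline'
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    return script_hash(body) in sources


def evaluate_load(headers: Dict[str, str], page: str, directive: str, resource: str) -> Dict[str, bool]:
    """Combine the enforcing and Report-Only headers: Report-Only records a violation but never blocks."""
    result = {"blocked": False, "violation": False}
    enforced = headers.get("Content-Security-Policy")
    report_only = headers.get("Content-Security-Policy-Report-Only")
    if enforced and not allows_load(parse_policy(enforced), directive, page, resource):
        result["blocked"] = result["violation"] = True
    if report_only and not allows_load(parse_policy(report_only), directive, page, resource):
        result["violation"] = True
    return result


if __name__ == "__main__":
    policy = parse_policy("default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'")
    page = "https://example.com/"
    print(allows_load(policy, "script-src", page, "https://trusted-cdn.com/lib.js"))   # True
    print(allows_load(policy, "img-src", page, "https://cdn.example.org/a.png"))       # False: default-src fallback
    print(allows_inline_script(policy, "alert(1)"))                                     # False: no inline allowance
    print(evaluate_load({"Content-Security-Policy-Report-Only": "default-src 'self'"},
                        page, "script-src", "https://evil.example.net/x.js"))           # violation, not blocked
```

Use script_hash to compute the value to put in script-src for an inline script a plugin emits, and note that allows_load(..., "img-src", ...) is refused under the article's example policy because img-src is absent and falls back to default-src 'self', which is exactly the kind of surprise Report-Only mode lets you discover before enforcing.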

Common Issues and Solutions

Breaking Third-Party Services

Strict CSP may block Google Analytics, ads, or other services. Add the domains those services load from to the relevant directives (script-src, connect-src, img-src, frame-src) rather than loosening the whole policy.

WordPress Admin Compatibility

The WordPress admin uses many inline scripts. Consider applying stricter headers only to frontend pages.

Conclusion

Security headers are a powerful, low-cost way to improve your WordPress security. Start with the basic headers, test thoroughly, and gradually implement stricter policies as you understand their impact.

Written by Sarah Chen

WP Folder Shield Team
