WordPress Security Headers: Essential HTTP Headers Guide
Learn which HTTP security headers to implement for WordPress. Protect against XSS, clickjacking, and other browser-based attacks.
HTTP security headers tell browsers how to handle your content securely. Properly configured headers protect visitors from various client-side attacks without requiring any changes to your content.
Essential Security Headers
X-Frame-Options
Purpose: Prevents clickjacking attacks
How it works: Controls whether your site can be embedded in frames on other sites.
Recommended value: SAMEORIGIN
Allows your own pages to frame the content but blocks other origins from framing it.
X-Content-Type-Options
Purpose: Prevents MIME type sniffing
How it works: Makes browsers honour the declared Content-Type rather than guessing the type from the content.
Recommended value: nosniff
Prevents browsers from treating a file as a different type than the one declared.
X-XSS-Protection
Purpose: Enables browser XSS filter
How it works: Activates built-in browser XSS protection.
Recommended value: 1; mode=block
Blocks the page when XSS is detected rather than sanitizing it.
Referrer-Policy
Purpose: Controls referrer information
How it works: Specifies what referrer data to send.
Recommended value: strict-origin-when-cross-origin
Sends the full referrer for same-origin requests and only the origin to other sites.
Strict-Transport-Security (HSTS)
Purpose: Forces HTTPS connections
How it works: Tells browsers to only connect via HTTPS.
Recommended value: max-age=31536000; includeSubDomains
Tells browsers to use HTTPS for one year, including for subdomains.
Content-Security-Policy (CSP)
Purpose: Controls resource loading
How it works: Specifies allowed sources for scripts, styles, etc.
Note: Complex to implement for WordPress due to inline scripts.
Permissions-Policy
Purpose: Controls browser features
How it works: Enables/disables features like geolocation, camera, etc.
Implementing Security Headers
Method 1: WP Folder Shield (Recommended)
- Navigate to WP Folder Shield > Settings
- Enable "Security Headers"
- Configure header values
- Save changes
Optimal headers are configured automatically.
Method 2: .htaccess (Apache)
<IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
Method 3: nginx Configuration
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Testing Your Headers
Online Tools
- securityheaders.com
- Mozilla Observatory
- Google Lighthouse
Browser Developer Tools
Open the Network tab, select the request, and read the response headers on the Headers tab.
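The online tools above grade a live site; the script below does the same check offline against the headers listed in this guide, so it can run in CI or against a staging copy. It is an added example, not part of the original article or of WP Folder Shield. The sample response is constructed to look like `curl -sI` output from a site with a partial setup, the status labels (ok / weak / missing / info) are this script's own scheme, and the script name in the usage comment is hypothetical. The check treats X-XSS-Protection as informational because current browsers no longer implement the filter it controlled; CSP is the control that replaces it.

```python
"""Audit a raw HTTP response header block for the security headers in this guide."""
from __future__ import annotations

import re
import sys

ONE_YEAR = 31536000  # seconds; the HSTS max-age recommended above

# Policies that never send the full URL to another origin
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}

# Constructed sample response, modelled on what `curl -sI` prints for a site
# with a partial header setup (not captured from any real site).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=300
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report
"""


def parse_headers(raw: str) -> dict[str, str]:
    """Lower-cased header name -> value, ignoring the status line and blank lines."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit(headers: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Return header name -> (status, detail). Status is ok / weak / missing / info."""
    findings: dict[str, tuple[str, str]] = {}

    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("SAMEORIGIN", "DENY"):
        findings["X-Frame-Options"] = ("ok", xfo)
    elif xfo:
        findings["X-Frame-Options"] = ("weak", f"unsupported value {xfo!r}")
    else:
        findings["X-Frame-Options"] = ("missing", "clickjacking not mitigated")

    xcto = headers.get("x-content-type-options", "").lower()
    findings["X-Content-Type-Options"] = (
        ("ok", "nosniff") if xcto == "nosniff" else ("missing", "MIME sniffing allowed")
    )

    # Current browsers no longer implement the XSS auditor this header controlled,
    # so it is reported for information only; CSP is the real control.
    xxp = headers.get("x-xss-protection")
    findings["X-XSS-Protection"] = (
        "info", f"legacy header, value {xxp!r}" if xxp else "legacy header, absent"
    )

    rp = headers.get("referrer-policy", "").lower()
    if rp in SAFE_REFERRER_POLICIES:
        findings["Referrer-Policy"] = ("ok", rp)
    elif rp:
        findings["Referrer-Policy"] = ("weak", f"{rp!r} can leak full URLs cross-origin")
    else:
        findings["Referrer-Policy"] = ("missing", "browser default applies")

    hsts = headers.get("strict-transport-security", "")
    age = hsts_max_age(hsts)
    if age >= ONE_YEAR:
        findings["Strict-Transport-Security"] = ("ok", f"max-age={age}")
    elif hsts:
        findings["Strict-Transport-Security"] = ("weak", f"max-age={age} is below one year")
    else:
        findings["Strict-Transport-Security"] = ("missing", "HTTPS not enforced by browser")

    if "content-security-policy" in headers:
        findings["Content-Security-Policy"] = ("ok", "enforced")
    elif "content-security-policy-report-only" in headers:
        findings["Content-Security-Policy"] = ("info", "report-only: violations logged, not blocked")
    else:
        findings["Content-Security-Policy"] = ("missing", "no resource-loading restrictions")

    pp = headers.get("permissions-policy")
    findings["Permissions-Policy"] = ("ok", pp) if pp else ("missing", "browser features unrestricted")
    return findings


if __name__ == "__main__":
    # Pipe real output in: curl -sI https://your-site.example/ | python audit_headers.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    for name, (status, detail) in audit(parse_headers(raw or SAMPLE_RESPONSE)).items():
        print(f"{status:8} {name}: {detail}")
```

Run it with the `curl -sI` pipe shown in the final comment to audit a real site; with no input it audits the constructed sample, which reports the short HSTS max-age as weak and the report-only CSP as informational.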
Common Issues
CSP Breaking Site
Content-Security-Policy can break WordPress if not configured carefully. Start with report-only mode.
Embedded Content
X-Frame-Options DENY may break legitimate embeds. Use SAMEORIGIN instead.
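Report-only mode is only useful if the reports go somewhere and get read. The example below, added here and not part of the original article or of WP Folder Shield, builds a Content-Security-Policy-Report-Only value from a starter policy and digests the JSON violation reports that browsers POST to a report-uri endpoint, so the policy can be tightened from evidence before it is switched to enforcing. The starter policy assumes a typical WordPress theme that relies on inline scripts and styles, the `/csp-report` endpoint is hypothetical, and the reports and `.test` hostnames are constructed.

```python
"""Build a report-only CSP and digest the violation reports browsers send back."""
from __future__ import annotations

import json
from collections import Counter
from urllib.parse import urlsplit

# Starting policy (assumption: a typical WordPress theme that relies on inline
# scripts and styles). Tighten it once the reports show what actually loads.
STARTER_POLICY: dict[str, list[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'"],
    "frame-ancestors": ["'self'"],  # CSP counterpart of X-Frame-Options SAMEORIGIN
    "report-uri": ["/csp-report"],  # hypothetical endpoint that receives the reports
}


def build_csp(policy: dict[str, list[str]]) -> str:
    """Serialise a policy dict into the header value format: 'directive src src; ...'."""
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


def header_line(policy: dict[str, list[str]], report_only: bool = True) -> str:
    """Full header line; report-only logs violations without blocking anything."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return f"{name}: {build_csp(policy)}"


# Constructed reports in the JSON shape browsers POST to a report-uri endpoint
# (hosts under .test are placeholders, not real services).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example.test/",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "https://cdn.example-analytics.test/tag.js",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example.test/about/",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "https://cdn.example-analytics.test/tag.js?v=2",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example.test/",
        "effective-directive": "img-src",
        "violated-directive": "img-src",
        "blocked-uri": "https://images.example-cdn.test/hero.png",
    }}),
]


def blocked_origin(blocked_uri: str) -> str:
    """Reduce a blocked URI to its origin; keep keywords such as 'inline' or 'eval' as-is."""
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else blocked_uri


def summarize_reports(reports: list[str]) -> Counter:
    """Count (directive, origin) pairs so the noisiest gaps in the policy surface first."""
    counts: Counter = Counter()
    for raw in reports:
        body = json.loads(raw).get("csp-report", {})
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        # Older reports put the whole source list in violated-directive; keep the name only
        directive = directive.split()[0] if directive else "unknown"
        counts[(directive, blocked_origin(body.get("blocked-uri", "")))] += 1
    return counts


def candidate_sources(counts: Counter) -> dict[str, list[str]]:
    """Origins seen per directive. Review each one before adding it to the policy:
    a report can just as well be an injected script as a legitimate CDN."""
    out: dict[str, set[str]] = {}
    for directive, origin in counts:
        out.setdefault(directive, set()).add(origin)
    return {d: sorted(o) for d, o in sorted(out.items())}


if __name__ == "__main__":
    print(header_line(STARTER_POLICY))
    counts = summarize_reports(SAMPLE_REPORTS)
    for (directive, origin), n in counts.most_common():
        print(f"{n:3} x {directive:12} {origin}")
    print(candidate_sources(counts))
```

Once the report stream is quiet for the pages and plugins you actually use, emit the same policy with `report_only=False`; a persistent entry for an origin you do not recognise is a reason to investigate the page, not to allowlist the origin.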
Get WP Folder Shield for one-click security header implementation with WordPress-optimized defaults.
Written by David Kim
WP Folder Shield Team