WordPress · How-To · Beginner · 4 min read

How to Use Security Headers in WordPress for Better Protection

To use security headers in WordPress, add them via your web server configuration or by using a plugin that sets headers like Content-Security-Policy and X-Frame-Options. These headers help protect your site from attacks by controlling browser behavior.

Syntax

Security headers are HTTP headers sent by your server to the browser to improve security. Common headers include:

  • Content-Security-Policy: Controls which resources the browser can load.
  • X-Frame-Options: Prevents clickjacking by controlling whether your site can be framed.
  • Strict-Transport-Security: Forces browsers to use HTTPS.
  • X-Content-Type-Options: Stops MIME type sniffing.

You can add these headers in your server config or WordPress code.

```apache
# Example of adding security headers in an Apache server config
# (httpd.conf, a <VirtualHost> block, or .htaccess). Requires mod_headers.
Header set Content-Security-Policy "default-src 'self';"
Header set X-Frame-Options "SAMEORIGIN"
# Only effective on HTTPS responses; browsers ignore HSTS received over plain HTTP
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Content-Type-Options "nosniff"
```

Example

This example shows how to add security headers in WordPress using the send_headers action hook in your theme's functions.php file. It sets common security headers to protect your site.

```php
<?php
// Register the headers on send_headers, which WordPress fires before any page
// output is produced, so header() still works. Goes in your theme's functions.php.
add_action('send_headers', function () {
    // 'unsafe-inline' keeps themes and plugins that inject inline code working,
    // at the cost of weaker XSS protection; tighten it once the site is tested.
    header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';");
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    // Browsers only honour HSTS over HTTPS, so send it only on TLS responses.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
});
```

Output

When visiting your WordPress site, the browser receives the security headers to enforce policies like blocking external scripts and preventing framing.

Common Pitfalls

Common mistakes when adding security headers in WordPress include:

  • Adding headers in the wrong place, so they are never sent.
  • Using overly strict Content-Security-Policy that breaks site functionality.
  • Forgetting to test headers in different browsers.
  • Not using HTTPS, which makes Strict-Transport-Security ineffective.

Always test your site after adding headers to avoid blocking needed resources.

```php
<?php
// Wrong: adding headers after output has started.
// The print() below begins the response body, so the header() call that
// follows raises a "headers already sent" warning and the header is never sent.
print('Hello');
header('X-Frame-Options: DENY');

// Right: register the headers on the send_headers hook, which WordPress
// runs before any output is produced.
add_action('send_headers', function () {
    header('X-Frame-Options: DENY');
});
```
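As an added example (not code from the article), here is the same set of headers from the Example section packaged as a must-use plugin instead of functions.php. A must-use plugin loads before the theme, which rules out the "output already started" pitfall, and the callback also checks headers_sent() and logs the offending file and line if something did print early. The file path wp-content/mu-plugins/security-headers.php and the sh_ function names are assumptions; the header values are the article's, with Referrer-Policy taken from its quick reference table.

```php
<?php
/**
 * Added example, not from the article: a must-use plugin that sends the
 * article's security headers from one place. Assumed location:
 * wp-content/mu-plugins/security-headers.php (mu-plugins load before the
 * theme, so the hook is registered before anything can print output).
 */

defined('ABSPATH') || exit; // refuse to run outside WordPress

// Assembles a CSP string from a directive => sources map so the policy is
// declared as data and is easy to review or tighten later.
function sh_build_csp(array $directives): string
{
    $parts = [];
    foreach ($directives as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// The full header set. Values mirror the article's examples; Referrer-Policy
// uses the value from its quick-reference table.
function sh_security_headers(): array
{
    $headers = [
        'Content-Security-Policy' => sh_build_csp([
            'default-src' => ["'self'"],
            // 'unsafe-inline' keeps inline theme/plugin code working; drop it
            // once the site has been tested without it.
            'script-src'  => ["'self'", "'unsafe-inline'"],
            'style-src'   => ["'self'", "'unsafe-inline'"],
        ]),
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy'        => 'no-referrer-when-downgrade',
    ];

    // HSTS is only honoured on HTTPS responses, so only emit it there.
    if (is_ssl()) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    return $headers;
}

// Hook callback: sends every header, or records why it could not.
function sh_send_security_headers(): void
{
    // The "output already started" pitfall: if anything printed before this
    // point, header() would only raise a warning, so log where it happened.
    if (headers_sent($file, $line)) {
        error_log("security headers not sent: output started at {$file}:{$line}");
        return;
    }

    foreach (sh_security_headers() as $name => $value) {
        // The second argument (true) replaces an earlier header with the same
        // name instead of sending a second copy alongside it.
        header("{$name}: {$value}", true);
    }
}

add_action('send_headers', 'sh_send_security_headers');
```

Keeping the policy in one function means a theme, a plugin and this file cannot silently disagree: whatever ran last with the same header name wins, and the replace flag makes that explicit rather than leaving two copies of a header for the browser to reconcile.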

Quick Reference

| Header | Purpose | Example Value |
| --- | --- | --- |
| Content-Security-Policy | Controls allowed content sources | default-src 'self'; script-src 'self' |
| X-Frame-Options | Prevents clickjacking | SAMEORIGIN |
| Strict-Transport-Security | Enforces HTTPS | max-age=31536000; includeSubDomains |
| X-Content-Type-Options | Stops MIME sniffing | nosniff |
| Referrer-Policy | Controls referrer info sent | no-referrer-when-downgrade |
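The Common Pitfalls section says to test the site after adding headers; the quick reference above doubles as the checklist for that test. As an added example (not code from the article), the script below takes the raw output of `curl -I` against your site, or any header name => value array, and reports which of the table's headers are missing or carry a weak value. The function names are assumptions and the sample response is constructed for illustration.

```php
<?php
/**
 * Added example, not from the article: audits a set of response headers
 * against the quick-reference table and reports what is missing or weak.
 * Feed it the raw output of `curl -I https://your-site.example/` (placeholder
 * hostname) or any name => value array; the sample below is constructed.
 */

// Expected headers keyed by lower-case name; values are the table's examples.
function sh_expected_headers(): array
{
    return [
        'content-security-policy'   => "default-src 'self'; script-src 'self'",
        'x-frame-options'           => 'SAMEORIGIN',
        'strict-transport-security' => 'max-age=31536000; includeSubDomains',
        'x-content-type-options'    => 'nosniff',
        'referrer-policy'           => 'no-referrer-when-downgrade',
    ];
}

// Turns raw "Name: value" lines (e.g. curl -I output) into a name => value map.
function sh_parse_raw_headers(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', $raw) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or blank line
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

// Returns a list of findings; an empty list means every header is present
// and none of the weak settings checked below were seen.
function sh_audit_headers(array $headers): array
{
    $present = [];
    foreach ($headers as $name => $value) {
        $present[strtolower($name)] = trim((string) $value); // HTTP names are case-insensitive
    }

    $findings = [];
    foreach (sh_expected_headers() as $name => $example) {
        if (!isset($present[$name])) {
            $findings[] = "missing {$name} (example: {$example})";
            continue;
        }
        $value = $present[$name];
        switch ($name) {
            case 'content-security-policy':
                // 'unsafe-inline' in script-src lets injected inline scripts run,
                // which removes most of the XSS protection CSP is meant to give.
                if (preg_match("/script-src[^;]*'unsafe-inline'/i", $value)) {
                    $findings[] = "weak {$name}: script-src allows 'unsafe-inline'";
                }
                break;
            case 'strict-transport-security':
                // Anything below one year (31536000 s) is a short commitment.
                if (!preg_match('/max-age=(\d+)/i', $value, $m) || (int) $m[1] < 31536000) {
                    $findings[] = "weak {$name}: max-age below 31536000 ({$value})";
                }
                break;
            case 'x-frame-options':
                if (!in_array(strtoupper($value), ['DENY', 'SAMEORIGIN'], true)) {
                    $findings[] = "weak {$name}: expected DENY or SAMEORIGIN, got {$value}";
                }
                break;
            case 'x-content-type-options':
                if (strtolower($value) !== 'nosniff') {
                    $findings[] = "weak {$name}: expected nosniff, got {$value}";
                }
                break;
        }
    }
    return $findings;
}

// Constructed sample response: headers as a site might send them after the
// functions.php snippet, but with HSTS set far too short.
$sample = "HTTP/1.1 200 OK\r\n"
    . "Content-Type: text/html; charset=UTF-8\r\n"
    . "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    . "X-Frame-Options: SAMEORIGIN\r\n"
    . "X-Content-Type-Options: nosniff\r\n"
    . "Strict-Transport-Security: max-age=300\r\n";

foreach (sh_audit_headers(sh_parse_raw_headers($sample)) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run against the constructed sample it reports three findings: the CSP allows 'unsafe-inline' in script-src, the HSTS max-age is below a year, and Referrer-Policy is absent. Run it against each environment (staging and production, and ideally the responses seen from different browsers, since caches and CDNs can strip or rewrite headers) rather than trusting the configuration file alone.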

Key Takeaways

  • Add security headers early using WordPress hooks like send_headers.
  • Use Content-Security-Policy carefully to avoid breaking site features.
  • Test headers in multiple browsers to ensure compatibility.
  • Use HTTPS to enable Strict-Transport-Security effectively.
  • Plugins can simplify adding security headers if you prefer not to edit code.