
Heya - HollyGraceful here, I make all of this content in my spare time, like it? Please support me :)
You can donate via Bitcoin or Patreon!

Adding HTTP Security Headers to WordPress

There are a couple of sites out there which will inspect the HTTP response headers your site sends and point out where you can tighten things up, for example if you’re missing headers such as Content-Security-Policy, X-Frame-Options or X-XSS-Protection. (X-XSS-Protection has since been dropped by the major browsers; a Content-Security-Policy is the header that actually does that job today.)

If you run a WordPress blog there’s a quick way of adding and removing headers: you can do it from the WordPress admin interface, under Appearance > Editor. Bear in mind that this edits the active theme’s files, so a theme update will overwrite your changes (a child theme or a small plugin survives updates), and a PHP syntax error in functions.php will take the whole site down, so have FTP or SSH access ready to revert before you start.

A screenshot of the WordPress menu showing the edit Appearance and Editor option highlighted.

Under this menu find “functions.php”:

Screenshot (2016-02-18): the Edit Themes screen open in the WordPress menu, with functions.php selected.

You can append rules about HTTP headers to the end of this file. It’s a PHP file, so you’ve got the full language available too. Here’s some example code that adds a custom HTTP header through WordPress’s wp_headers filter; the check for HTTPS lives inside the callback so the header is only sent on HTTPS responses, which is the only place HSTS means anything:

// Add Strict-Transport-Security to front-end responses served over HTTPS.
// is_ssl() is WordPress's own check; it covers $_SERVER['HTTPS'] and port 443.
// If TLS is terminated at a proxy, make sure wp-config.php handles
// HTTP_X_FORWARDED_PROTO or is_ssl() will report false.
function add_hsts_header($headers) {
  if (is_ssl()) {
    $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  return $headers;
}
add_filter('wp_headers', 'add_hsts_header');

Note that wp_headers only fires for front-end requests that WordPress itself routes; it does not cover wp-admin, wp-login.php, or static files (images, CSS, JavaScript) that Apache or nginx serve directly. Headers for those have to be set in the web server configuration.

If you’d like to remove a header, you can do that too! X-Powered-By is emitted by PHP itself (the expose_php setting), so PHP’s header_remove() is the right tool; the call below runs when the theme loads, before any output is sent:

header_remove("X-Powered-By");

This only works for headers PHP sets. Headers added by the web server, such as Server, have to be removed in the Apache or nginx configuration, and headers WordPress adds itself (X-Pingback, for instance) are best dropped by unsetting them in the wp_headers filter.
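Building on the HSTS snippet above, here is a fuller example, added here rather than taken from the original post, that sets a baseline of security headers in one wp_headers callback, drops the X-Pingback header WordPress adds to posts with pings open, and can also be run from the command line to see what an HTTPS response would carry. The gs_ prefix, the header values and the /csp-report path are assumptions to adapt for your own site; when appending it to functions.php, leave out the opening `<?php` line.

```php
<?php
// Added example (not the original post's code): one wp_headers callback that
// adds a baseline of security headers and removes one WordPress sets itself.
// Header values are assumptions; tune them per site. Content-Security-Policy
// is deployed in Report-Only mode first because most WordPress themes and
// plugins rely on inline scripts and styles that an enforced strict CSP breaks.

function gs_security_headers(array $headers, bool $is_https): array {
    // HSTS only on HTTPS responses: browsers ignore it over plain HTTP, and
    // sending it there usually means the HTTPS check is wrong.
    if ($is_https) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    // Clickjacking: only this origin may frame the site.
    $headers['X-Frame-Options'] = 'SAMEORIGIN';
    // Stop browsers MIME-sniffing a response into an executable type.
    $headers['X-Content-Type-Options'] = 'nosniff';
    // Keep full URLs (which may carry tokens) away from third-party origins.
    $headers['Referrer-Policy'] = 'strict-origin-when-cross-origin';
    // Report-Only: violations are reported to /csp-report (placeholder path),
    // nothing is blocked. Drop 'unsafe-inline' once the reports come back clean.
    $headers['Content-Security-Policy-Report-Only'] =
        "default-src 'self'; img-src 'self' data:; " .
        "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; " .
        "frame-ancestors 'self'; report-uri /csp-report";

    // WordPress adds X-Pingback on singular posts with pings open; unset it
    // here rather than advertising the XML-RPC endpoint in every response.
    unset($headers['X-Pingback']);

    return $headers;
}

// Hook into WordPress when it is loaded. wp_headers passes ($headers, $wp),
// so accept two arguments even though $wp is unused.
if (function_exists('add_filter')) {
    add_filter('wp_headers', function (array $headers, $wp = null) {
        return gs_security_headers($headers, is_ssl());
    }, 10, 2);

    // PHP's own X-Powered-By (expose_php) is not in the wp_headers array, so
    // it is removed separately, before any output is sent.
    header_remove('X-Powered-By');
}

// Stand-alone check: `php security-headers.php` prints the headers an HTTPS
// response would carry, using a constructed input, without needing WordPress.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $sample = ['X-Pingback' => 'https://example.com/xmlrpc.php'];  // constructed
    foreach (gs_security_headers($sample, true) as $name => $value) {
        echo "$name: $value\n";
    }
}
```

After deploying, confirm the headers with a request to a front-end page (curl -I against the HTTPS URL) and against a wp-admin page, since the filter does not run there. If a page cache or CDN sits in front of the site, purge it first: cached responses keep whatever headers they were stored with.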

Now jump over to https://securityheaders.io/ and take a look at which headers you’re missing, or check a page from the command line with curl to see exactly what the server sends.

A screenshot of SecurityHeaders.io showing GracefulSecurity scoring a perfect A+ score.