Adding Security Headers to a WordPress Blog

After reviewing the headers a default WordPress install sends to the browser, I decided they are not secure enough for my liking.

To fix this on a WordPress site you host yourself behind an Apache web server, log on to the server and open the .htaccess file in your WordPress directory. If you can't see one (it is a hidden file), enable viewing hidden files in WinSCP or whatever you use to browse the server's file system. The Header and Rewrite directives below need mod_headers and mod_rewrite loaded and the directory's AllowOverride must permit FileInfo; an unknown or mistyped directive in .htaccess makes Apache answer 500 for the whole site, so keep a backup of the file and load the site straight after saving. Type straight quotes in the file, not the curly quotes the WordPress editor substitutes in the listing below, or Apache will reject the lines. I also force the site from HTTP to HTTPS for good measure, but make sure you can already reach the site over HTTPS before adding that redirect, or you will lock yourself out.

Add the following lines at the end of your .htaccess file:

———————————————————————————————–

#ADD SECURITY HEADERS TO ALL PAGES
# "always" sends the headers on error responses (404, 500) as well as 200s.
# "set" replaces any existing value; WordPress already sends X-Frame-Options
# on wp-admin pages, and "append" would turn that into "SAMEORIGIN, SAMEORIGIN",
# which is not a valid value.
Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
# 10886400 s is 18 weeks, the old minimum for the HSTS preload list; the list
# now requires max-age of at least one year (31536000) before it accepts a domain.
Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"

# Send every plain-HTTP request to the same URL over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

———————————————————————————————–

Two notes on the values. X-XSS-Protection drives the browser's old XSS auditor, which Chrome and Edge have since removed because it could be turned against the page it was meant to protect; current guidance is to rely on a Content-Security-Policy and either omit this header or set it to 0. Only keep preload on the HSTS line if you really intend to submit the domain to the browser preload list: once it is in there every subdomain must serve HTTPS, and getting removed again takes months.

Now check how secure your blog is by visiting the Security Headers Checker and entering your public-facing URL.

As the image below shows, guypearce.co.uk is now A rated and much better protected. Have fun securing your own WordPress blog, or any other website running on Apache for that matter; every site should send these headers as a matter of course.

[image: security-headers scan result]

In the image above you will also notice two further headers the checker looks for: Content-Security-Policy and Feature-Policy.

Content Security Policy is an effective measure against XSS. By allowlisting the sources the browser may load scripts, styles, images and other content from, you stop it executing injected or malicious assets even if an attacker manages to get a script tag into one of your pages.

Feature Policy is a newer header that lets a site control which browser features and APIs (camera, microphone, geolocation and so on) its pages, and anything they embed, may use. It has since been renamed Permissions-Policy, with a different value syntax; older browsers only understand the old name, so sending both is the safe option for now.

You add those policies to .htaccess in exactly the same way as the lines above, and they will earn the site an even better report. CSP is the one to take care with: WordPress core, themes and plugins all rely on inline scripts and styles, so a strict policy will break the site. Start with Content-Security-Policy-Report-Only, which reports violations in the browser's developer console without blocking anything, and switch to the enforcing header once the site is clean.
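Here is an added example, my own rather than code from the original post, of what those two headers look like in .htaccess form, including the report-only trial run first. It assumes a stock self-hosted WordPress site that loads avatars from secure.gravatar.com and emoji images from s.w.org and nothing else from third-party hosts; the source lists will need extending for whatever your theme, plugins and embeds actually load.

```apache
# Added example (not from the original post): CSP and Feature-/Permissions-Policy
# for a self-hosted WordPress site. Assumed third-party hosts: secure.gravatar.com
# (comment avatars) and s.w.org (emoji images fetched by WordPress core).
<IfModule mod_headers.c>
    # Phase 1 - report only. Nothing is blocked; violations show up in the
    # browser's developer console, so browse the site, the editor and wp-admin
    # and note what the policy still has to allow.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://secure.gravatar.com https://s.w.org; font-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"

    # Phase 2 - once the console stays clean, remove the leading # and enforce.
    # 'unsafe-inline' on script-src is a compromise forced by WordPress's inline
    # scripts; object-src 'none', base-uri 'self' and form-action 'self' still
    # shut off plugin objects, <base> tag hijacking and forms posting elsewhere.
    # frame-ancestors 'self' is the CSP equivalent of X-Frame-Options SAMEORIGIN.
    #Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://secure.gravatar.com https://s.w.org; font-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"

    # Feature-Policy (old name) and Permissions-Policy (current name, new syntax)
    # carry the same instruction: no camera, microphone, geolocation or payment
    # API for this site's pages or anything they embed. A blog needs none of them.
    Header always set Feature-Policy "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none'"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
</IfModule>
```

The IfModule wrapper means a host without mod_headers serves the site without these headers instead of answering 500. Report-only mode without a reporting endpoint is enough for a personal blog, since the console shows each blocked-would-be resource with the directive it tripped; tighten script-src towards nonces or hashes only once everything else is settled.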

Have fun with security.
