Cybrove
Platform Guide

How to Add Security Headers to WordPress

Add CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to WordPress. Copy-paste configuration included.

The 6 Essential Security Headers

Content-Security-Policy (CSP)

Controls which sources of scripts, styles, and resources are allowed. Prevents XSS by blocking inline scripts and unauthorized external scripts.

Strict-Transport-Security (HSTS)

Forces browsers to always use HTTPS, preventing protocol downgrade attacks and cookie hijacking over HTTP.

X-Frame-Options

Prevents your page from being loaded in an iframe, blocking clickjacking attacks.

X-Content-Type-Options

Prevents browsers from MIME-sniffing the content type, stopping attacks that rely on content type confusion.

Referrer-Policy

Controls how much referrer information is sent with requests, protecting user privacy and preventing information leakage.

Permissions-Policy

Controls which browser features (camera, microphone, geolocation) your page can use, reducing attack surface.

WordPress Configuration

Add this to the .htaccess file in your WordPress root directory (for Apache). For Nginx, add the equivalent add_header directives to the server block in nginx.conf:

# .htaccess (add to the top of your WordPress .htaccess file)
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # HSTS: "preload" commits this domain and all subdomains to HTTPS-only once submitted to the preload list; make sure every subdomain serves HTTPS first
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # Legacy header: current browsers ignore X-XSS-Protection, so CSP below is the actual XSS control
    Header always set X-XSS-Protection "1; mode=block"
    # CSP - adjust based on your plugins and theme
    # Note: 'unsafe-inline' and 'unsafe-eval' in script-src let inline and eval'd scripts run, so this starting policy does not yet block XSS; remove them once plugin/theme scripts allow it
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"
</IfModule>

WordPress uses SAMEORIGIN for X-Frame-Options (not DENY) because some admin features use iframes. CSP is challenging with WordPress due to inline scripts from plugins — start permissive and tighten. Alternatively, use the 'Headers Security Advanced & HSTS WP' plugin.

How to Test Your Headers

curl -I https://yourwordpresssite.com

Or use Cybrove's free security check to automatically validate all security headers and get specific fix recommendations.
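To check the curl output against the six headers above without relying on an external scanner, here is an added example (not part of this guide or Cybrove's tooling) that parses a raw `curl -I` response and flags headers that are missing or weaker than the configuration recommends. The sample response is constructed for illustration; the one-year HSTS threshold and the CSP check on script-src are this script's assumptions.

```python
import re

# Constructed sample of `curl -I` output, not a response from any real site.
SAMPLE_RESPONSE = """HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=300
referrer-policy: strict-origin-when-cross-origin
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'
"""

# The six headers the guide recommends.
REQUIRED = ("content-security-policy", "strict-transport-security", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy")

def parse_headers(raw):
    """Turn a raw HTTP header block into a {lowercase-name: value} dict (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(raw):
    """Return one (header, status, note) tuple per required header: ok, weak or missing."""
    h = parse_headers(raw)
    findings = []
    for name in REQUIRED:
        if name not in h:
            findings.append((name, "missing", "header not set"))
            continue
        value, status, note = h[name], "ok", ""
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            age = int(m.group(1)) if m else 0
            if age < 31536000:  # assumed minimum: one year
                status, note = "weak", f"max-age={age} is below one year"
        elif name == "content-security-policy":
            # script-src governs scripts; if absent, default-src applies instead
            directives = [d.strip() for d in value.split(";")]
            script_src = next((d for d in directives if d.startswith("script-src")),
                              next((d for d in directives if d.startswith("default-src")), ""))
            weak = [t for t in ("'unsafe-inline'", "'unsafe-eval'") if t in script_src]
            if weak:
                status, note = "weak", "script-src allows " + ", ".join(weak)
        elif name == "x-frame-options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            status, note = "weak", f"unexpected value {value!r}"
        elif name == "x-content-type-options" and value.lower() != "nosniff":
            status, note = "weak", f"expected nosniff, got {value!r}"
        findings.append((name, status, note))
    return findings

if __name__ == "__main__":
    for name, status, note in check_headers(SAMPLE_RESPONSE):
        print(f"{status:8} {name} {note}")
```

Pipe real output in with `curl -sI https://yourwordpresssite.com | python3 check_headers.py` after replacing SAMPLE_RESPONSE with `sys.stdin.read()`.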

Frequently Asked Questions

How do I add security headers to WordPress?

Add security headers to WordPress by modifying the .htaccess file in your WordPress root directory (for Apache). For Nginx, add them to the server block in nginx.conf. The essential headers are CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. See the configuration example above.

How do I test if my WordPress security headers are working?

Run: curl -I https://yourwordpresssite.com and check the response headers. Or use Cybrove's free security check at cybrove.com/scan which automatically validates all security headers and reports which are missing.

Which security headers are most important for WordPress?

CSP (prevents XSS), HSTS (forces HTTPS), and X-Frame-Options (prevents clickjacking) are the most critical. X-Content-Type-Options and Referrer-Policy provide additional protection with minimal configuration effort.

Check if your WordPress headers are configured correctly

Free security check validates all 6 headers plus SSL, DNS, and email authentication.
