HTTP headers to improve web site security

Description

This plug-in helps you set up the various security-related response headers defined for the HTTP protocol, allowing for a simple improvement of your website's security.

This plug-in lets you enable the following measures:

  • HSTS (Strict-Transport-Security)
  • CSP (Content-Security-Policy)
  • Clickjacking mitigation (X-Frame-Options in main site)
  • XSS protection (X-XSS-Protection)
  • Disabling content sniffing (X-Content-Type-Options)
  • Referrer policy
  • Expect-CT
  • Feature-Policy
  • Remove PHP version information from the HTTP header
  • Remove WordPress version information from the header

securityheaders.com is a useful resource for evaluating your web site’s security.

As usual, make sure you understand the meaning of these options and run full tests on your web site, as some options may cause some features to stop working.

Screenshots

  • General settings screen.
  • Content-Security-Policy directives settings screen.
  • .htaccess contents screen.

Installation

  1. Upload the plugin files to the /wp-content/plugins/http-security directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the “Plugins” screen in WordPress.
  3. Use the Settings -> HTTP Security screen to configure the plugin.

FAQ

How can I test that the plug-in is working?

Check the HTTP headers of your web site.
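One way to do that check in code, as an added example that is not part of the plug-in: a small Python script that audits a response's headers against the measures listed above (header names and the one-year HSTS max-age from this page; the sample response and the fetch_headers helper are assumptions of the example).

```python
import urllib.request

# Headers the plug-in sets; fixed-value ones list the accepted values
REQUIRED = {
    "strict-transport-security": None,
    "content-security-policy": None,
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "x-content-type-options": ("NOSNIFF",),
    "referrer-policy": None,
}
ONE_YEAR = 31536000  # the plug-in's HSTS max-age since version 1.4

def audit_headers(headers):
    # Returns a list of findings for a dict of response headers (any case)
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in REQUIRED.items():
        if name not in h:
            findings.append(f"missing: {name}")
        elif allowed and h[name].upper() not in allowed:
            findings.append(f"unexpected value: {name}={h[name]}")
    # HSTS is a ';'-separated directive list; flag a max-age below one year
    for part in h.get("strict-transport-security", "").split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            value = part[len("max-age="):]
            if not value.isdigit() or int(value) < ONE_YEAR:
                findings.append(f"weak: HSTS max-age {value!r} below {ONE_YEAR}")
    # Feature-Policy was renamed Permissions-Policy in 2020; accept either
    if "feature-policy" not in h and "permissions-policy" not in h:
        findings.append("missing: permissions-policy (formerly feature-policy)")
    # Version disclosure the plug-in offers to strip
    if "x-powered-by" in h:
        findings.append(f"leak: x-powered-by={h['x-powered-by']}")
    return findings

def fetch_headers(url):
    # Live check: HEAD request, headers as a dict (not used by the sample run)
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as r:
        return dict(r.getheaders())

# Constructed sample response, not captured from any real site
SAMPLE = {
    "Strict-Transport-Security": "max-age=3600; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-Powered-By": "PHP/7.4",
}

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE)))
```

For a live site, pass `fetch_headers("https://example.com/")` to `audit_headers` instead of the sample.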

Reviews

February 10, 2021
First of all this plugin didn't update htaccess itself; no new headers were generated. So I had to do it manually. Secondly there is an error in the suggested htaccess code:

    # HTTP security settings start
    Header set Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Header set X-Frame-Options: SAMEORIGIN
    Header set Referrer-Policy: strict-origin-when-cross-origin
    Header set X-XSS-Protection: "1; mode=block"
    Header set X-Content-Type-Options: nosniff
    # HTTP security settings end

It generates a 500 error with "Too many arguments to directive" in the logs. The solution is to add "" to the line:

    Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"

I would also suggest adding the enclosure:

    <IfModule mod_headers.c>
    </IfModule>
February 6, 2021
This plugin solved security issues in the header - works very well!
February 4, 2021
Up to v. 2.5.6 there is only one neglect: in summer 2020 the Feature-Policy header was renamed to Permissions-Policy. I hope it will be fixed with the next plugin update.
September 26, 2020
I've learned a lot about Content Security Policy in the last 2 days. This is a good plugin for managing HTTP headers for security improvements.
August 30, 2020
This has been a very useful plugin at shoring up HSTS. Make sure you test your site at each step to ensure the very policy you are implementing doesn't block needed content. Once you've got the hang of how it works it is easy to set up and configure.

Contributors & Developers

“HTTP headers to improve web site security” is open source software. The following people have contributed to this plugin.

“HTTP headers to improve web site security” has been translated into 8 locales. Thank you to the translators for their contributions.

Changelog

2.5.6

  • Fixed some text escaping

2.5.5

  • Added missing text escaping

2.5.4

  • Added missing text escaping

2.5.3

  • Minor fix

2.5.2

  • Improved options sanitization

2.5.1

  • Minor fix

2.5

  • Tested with WordPress 5.4
  • Added support for Feature-Policy

2.4.2

  • Tested with WordPress 5.0

2.4

  • Added .htaccess instructions

2.3.2

  • Tested with WordPress 4.9

2.3

  • Added support for Expect-CT
  • Cleaned up the interface

2.2

  • Switched to language packs

2.1

  • Added support for Referrer-Policy directive
  • Added uninstall database cleanup

2.0

  • Added support for all Content-Security-Policy directives
  • Reworked the user interface

1.11

  • Added setting the mode for X-Frame-Options

1.10.7

  • Removed the HSTS header when connected over HTTP

1.10.3

  • Fixed HSTS syntax warning

1.10

  • Added support for Content-Security-Policy

1.9

  • Added critical issues notifications

1.7.5

  • Added max-age option to HSTS setting

1.6

  • Added option to remove WordPress version information from the header

1.5

  • Added option to remove PHP version information from the HTTP header

1.4

  • Included a link to submit the site to the browsers' HSTS preload list
  • Reduced HSTS max-age to one year

1.3

  • Added X-Frame-Options protection.
  • Added X-Content-Type-Options protection.
  • Added HSTS options.

1.1

  • Added XSS protection option.

1.0

  • First stable version providing basic HSTS support.