ZeroToWP

Security Headers

Quick Definition

Security headers are HTTP response headers that tell browsers how to handle your site content securely. They protect against clickjacking, XSS attacks, MIME sniffing, and protocol downgrade attacks — adding an extra security layer beyond SSL.

Patchstack guide on WordPress security headers — comprehensive overview of HTTP headers that protect your site

What Are Security Headers?

Security headers are special HTTP headers your server sends with every page response. They instruct the visitor's browser on how to handle your content securely — what can be loaded, where it can be embedded, and which protocols to enforce. Think of them as security rules your server sets that the browser must follow.

Without security headers, your site is vulnerable to attacks like clickjacking (embedding your site in a malicious iframe), cross-site scripting (XSS), and protocol downgrade attacks — even if you have an SSL certificate and a firewall.

The Essential Security Headers

Header and what it does:

  • Strict-Transport-Security (HSTS): Forces browsers to always use HTTPS, even if someone types http://. Prevents protocol downgrade attacks.
  • X-Frame-Options: Prevents your site from being loaded inside an iframe on another domain. Blocks clickjacking attacks.
  • X-Content-Type-Options: Stops browsers from MIME-type sniffing. Forces the browser to trust the declared content type only.
  • Content-Security-Policy (CSP): Controls which resources can load on your pages. The most powerful security header — prevents XSS and data injection.
  • Referrer-Policy: Controls what referrer information is sent when users click links to other sites.
  • Permissions-Policy: Controls which browser features (camera, microphone, geolocation) your site can access.

How to Add Security Headers in WordPress

  • .htaccess (Apache) — Add headers directly. Example:
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set Strict-Transport-Security "max-age=31536000"
  • Cloudflare — Set security headers in Rules. HSTS added automatically with "Always Use HTTPS."
  • Plugins — "Headers Security Advanced & HSTS WP" adds all headers through a visual interface.
  • Nginx config — Add add_header directives in your server block.

How to Test Your Security Headers

Visit securityheaders.com and enter your domain. Most WordPress sites without configuration score D or F. Adding the essential headers typically brings you to A or A+.
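The six headers listed under "The Essential Security Headers" and the test described above can be checked locally as well. The following Python script is an added example, not code from ZeroToWP, securityheaders.com, Patchstack or any plugin named on this page; its acceptance rules (one-year HSTS max-age, DENY or SAMEORIGIN for X-Frame-Options, a CSP whose script sources avoid 'unsafe-inline' and *, a referrer policy from a short "strict" set) are the author's own choices, and the sample header sets are constructed, not captured from a real site.

```python
"""Audit HTTP response headers for the six essential security headers.

Added example; the checks and sample responses below are constructed for
illustration and are not the grading rules of securityheaders.com.
"""
import re
import urllib.request
from typing import Callable, Dict, List, Optional

ONE_YEAR = 31536000  # seconds, the max-age used in the page's .htaccess example


def _check_hsts(value: str) -> Optional[str]:
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        return "no max-age directive"
    if int(match.group(1)) < ONE_YEAR:
        return "max-age is shorter than one year"
    return None


def _check_frame_options(value: str) -> Optional[str]:
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return None
    return "value should be DENY or SAMEORIGIN"


def _check_content_type_options(value: str) -> Optional[str]:
    return None if value.strip().lower() == "nosniff" else "value should be nosniff"


def _check_csp(value: str) -> Optional[str]:
    # Parse "name src src; name src" into directive -> list of sources.
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src governs scripts; default-src is the fallback when it is absent.
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return "no script-src or default-src directive"
    if "'unsafe-inline'" in script or "*" in script:
        return "script sources allow 'unsafe-inline' or *, which does little against XSS"
    return None


# Policies that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
    "origin", "origin-when-cross-origin",
}


def _check_referrer_policy(value: str) -> Optional[str]:
    # The header may carry a comma-separated list; the last recognised policy wins.
    policies = [p.strip().lower() for p in value.split(",") if p.strip()]
    if policies and policies[-1] in SAFE_REFERRER_POLICIES:
        return None
    return "policy can send the full page URL to other sites"


def _check_permissions_policy(value: str) -> Optional[str]:
    return None if value.strip() else "header present but empty"


ESSENTIAL_HEADERS: Dict[str, Callable[[str], Optional[str]]] = {
    "strict-transport-security": _check_hsts,
    "x-frame-options": _check_frame_options,
    "x-content-type-options": _check_content_type_options,
    "content-security-policy": _check_csp,
    "referrer-policy": _check_referrer_policy,
    "permissions-policy": _check_permissions_policy,
}


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return {header: problem} for each essential header that is missing or weak.

    An empty dict means all six headers are present with acceptable values.
    Names are compared case-insensitively, as HTTP header names are.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: Dict[str, str] = {}
    for name, check in ESSENTIAL_HEADERS.items():
        if name not in lowered:
            findings[name] = "missing"
        else:
            problem = check(lowered[name])
            if problem:
                findings[name] = problem
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a page and return its response headers, for auditing a live site."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
DEFAULT_WORDPRESS = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"}
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "",
}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_WORDPRESS
    for name, problem in audit_headers(headers).items():
        print(f"{name}: {problem}")
```

Run it with your site's URL as the only argument to audit a live response, or with no argument to see the findings for the constructed unconfigured-WordPress response. Because the check only looks at one response, remember that headers set in a CDN rule or a plugin may apply to some paths and not others (admin pages, REST endpoints, static files served directly by the web server), so audit more than the home page.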

Why It Matters

Security headers are one of the most overlooked security measures on WordPress sites. They cost nothing, require no ongoing maintenance, and protect against entire categories of attacks that SSL and firewalls do not cover. If your site handles any user data — login forms, contact forms, payment information — security headers are not optional.

Sources: Patchstack, WPBeginner, MDN Web Docs
