medium risk

How to Add Security Headers to WordPress

HTTP security headers tell browsers how to behave — enforcing HTTPS, blocking clickjacking, and limiting scripts. They're one of the fastest, lowest-risk hardening wins for any WordPress site, and search-facing scanners check for them.

  1. 1

    Enforce HTTPS with HSTS

    Strict-Transport-Security forces browsers to always use HTTPS, preventing downgrade and cookie-theft attacks. Only enable it once HTTPS works everywhere.

    Strict-Transport-Security: max-age=31536000; includeSubDomains
  2. 2

    Stop clickjacking and MIME sniffing

    X-Frame-Options blocks your site being framed; X-Content-Type-Options stops browsers guessing content types.

    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
  3. 3

    Control referrer and permissions

    Referrer-Policy limits what URL data leaks to other sites; Permissions-Policy disables features you don't use.

    Referrer-Policy: strict-origin-when-cross-origin
    Permissions-Policy: geolocation=(), camera=()
  4. 4

    Add a Content-Security-Policy

    CSP is the strongest header — it restricts where scripts, styles, and images can load from. Start in report-only mode, then enforce once tuned. Our free Security Headers tool generates a starting config for you.

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides