- 1
Enforce HTTPS with HSTS
Strict-Transport-Security forces browsers to always use HTTPS, preventing downgrade and cookie-theft attacks. Only enable it once HTTPS works everywhere.
Strict-Transport-Security: max-age=31536000; includeSubDomains - 2
Stop clickjacking and MIME sniffing
X-Frame-Options blocks your site being framed; X-Content-Type-Options stops browsers guessing content types.
X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff - 3
Control referrer and permissions
Referrer-Policy limits what URL data leaks to other sites; Permissions-Policy disables features you don't use.
Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: geolocation=(), camera=() - 4
Add a Content-Security-Policy
CSP is the strongest header — it restricts where scripts, styles, and images can load from. Start in report-only mode, then enforce once tuned. Our free Security Headers tool generates a starting config for you.
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
Block ?author= scans, restrict the users REST endpoint, and use generic login errors.