Category: WordPress Security
Configuring HSTS (HTTP Strict Transport Security)
One of the best-known security policies is HTTP Strict Transport Security. Below we give a quick overview of HSTS configuration and what is recommended. If you want to know what HSTS is or why you need it, see: What is HSTS? Why do you need HSTS?
Configuring HTTP Strict Transport Security
The most effective way to use HSTS is by preloading the strict policy directly into supported browsers. If you do not preload your website, the browser will only remember
Configuring the Cross-Origin Policies
The Cross-Origin headers supported by Really Simple SSL, with their permitted values, are:
CORP: Cross-Origin Resource Policy (same-site | same-origin | cross-origin)
COEP: Cross-Origin Embedder Policy (unsafe-none | require-corp)
COOP: Cross-Origin Opener Policy (unsafe-none | same-origin-allow-popups | same-origin)
Practical usage in WordPress
A quick decision tree for these headers is as follows:
CORP: Is your site used as a resource on other websites?
yes, by third-party websites => CORP set to cross-origin
yes, but only by your own subdomains => CORP set to same-site
no => CORP set
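The two sections above describe what a correct HSTS policy and a correct set of Cross-Origin headers look like; the script below checks a response for both. It is an added example, not Really Simple SSL's own code. The two header blocks are constructed for the example; the preload requirements it enforces are those published by hstspreload.org (a max-age of at least one year, includeSubDomains and preload all present), and the COEP/COOP pairing check reflects the browser rule that a page is only cross-origin isolated with COOP same-origin together with COEP require-corp.

```python
"""Audit HSTS and the Cross-Origin headers (CORP, COEP, COOP) in a raw HTTP
response header block. Added example; not the plugin's own code."""
from typing import Dict, List, Union

ONE_YEAR = 31536000  # hstspreload.org minimum max-age, in seconds

# Permitted values for each header, as listed in the section above.
ALLOWED = {
    "cross-origin-resource-policy": {"same-site", "same-origin", "cross-origin"},
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp"},
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
}

# Constructed sample responses (not captured from a real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: unsafe-none
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> Dict[str, Union[str, bool]]:
    """Split an HSTS value into directives; names are case-insensitive,
    valueless directives (includeSubDomains, preload) map to True."""
    directives: Dict[str, Union[str, bool]] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip() if val else True
    return directives


def hsts_findings(headers: Dict[str, str]) -> List[str]:
    """Report everything that would stop the site from being preloaded."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS: header missing"]
    d = parse_hsts(value)
    raw_age = d.get("max-age")
    max_age = int(raw_age) if isinstance(raw_age, str) and raw_age.isdigit() else -1
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS: max-age {max_age} is below one year ({ONE_YEAR}), not preloadable")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains missing, not preloadable")
    if "preload" not in d:
        findings.append("HSTS: preload directive missing, not preloadable")
    return findings


def cross_origin_findings(headers: Dict[str, str]) -> List[str]:
    """Flag missing or unknown CORP/COEP/COOP values and a COEP that cannot
    deliver cross-origin isolation because COOP is not same-origin."""
    findings = []
    for name, allowed in ALLOWED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"{name}: not set")
        elif value.lower() not in allowed:
            findings.append(f"{name}: unexpected value {value!r}")
    coep = headers.get("cross-origin-embedder-policy", "").lower()
    coop = headers.get("cross-origin-opener-policy", "").lower()
    if coep == "require-corp" and coop != "same-origin":
        findings.append("COEP require-corp without COOP same-origin: page is not cross-origin isolated")
    return findings


def audit(raw: str) -> List[str]:
    """All findings for one raw response; an empty list means nothing to fix."""
    headers = parse_headers(raw)
    return hsts_findings(headers) + cross_origin_findings(headers)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or "OK")
```

Run it against the output of `curl -sI https://example.com` (the status line first, then the headers) to audit a live site; the preload checks are the ones hstspreload.org applies before accepting a submission, so clearing them here avoids a rejected submission.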
About Hardening Features
The newest addition to Really Simple SSL is hardening features. These features tackle known and lesser-known weaknesses of running a WordPress website. Hardening features are focused on minimizing risk by removing points of attack, mostly by disabling features that are not used, or by limiting access to the users who actually need them. For more information on Hardening Features for WordPress, please read this article.
Hardening Features
Most of these hardening features are self-explanatory, but we will pick some to explain
About the Security Scan
In the last five years, Really Simple SSL has positioned itself as one of the leading authorities on Security Headers. We gave talks about the importance of Security Headers at WordCamp Europe, and have always aspired to give everyone in the (WordPress) ecosystem an easy way to configure Security Headers, as they are a fundamental part of securing the web for everyone. We have relied on securityheaders.com for a while to quickly access a list of available Security Headers on any given
How to set Security Headers on Apache and NGINX
Below we discuss the challenges and solutions of setting security headers in a WordPress environment.
Methods for setting HTTP security headers
There are different ways to set security headers on both Apache and Nginx. Usually, security headers on Apache are set in the .htaccess file in the root of your WordPress installation; on Nginx servers they are usually set in the nginx.conf file (or a server block included from it). Some servers combine Nginx and Apache, in which case the headers can be set in either of those files.
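The passage above says where the headers go on each server but not what the directives look like, and both servers have a gotcha: on Apache, `Header set` only applies to 2xx responses (`Header always set` covers error pages too), and on Nginx an `add_header` inside a `location` block silently replaces the `server`-level `add_header` set instead of extending it. The script below, an added example that is not Really Simple SSL's own code, renders one header policy as both an .htaccess fragment and an Nginx fragment so the two cannot drift apart, and scans an Nginx config for that inheritance gap. The policy and the sample config are constructed for the example.

```python
"""Render one security-header policy for Apache (.htaccess) and Nginx, and
detect Nginx location blocks that drop the server-level add_header set.
Added example; not the plugin's own code."""
import re
from typing import Dict, List

# Constructed policy for the example; a real site would add CSP and friends.
POLICY = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
}

# Constructed nginx config: /wp-admin/ sets its own header and thereby loses
# the two server-level ones; / sets none and inherits them correctly.
SAMPLE_NGINX_CONF = """
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    location /wp-admin/ {
        add_header X-Frame-Options "SAMEORIGIN" always;
    }
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
"""


def apache_fragment(policy: Dict[str, str]) -> str:
    """.htaccess lines. 'always' makes mod_headers add the header on every
    response, including 4xx/5xx pages; the IfModule guard keeps the site up
    if mod_headers is not loaded (a bare Header directive would be a 500)."""
    lines = ["<IfModule mod_headers.c>"]
    for name, value in policy.items():
        lines.append(f'    Header always set {name} "{value}"')
    lines.append("</IfModule>")
    return "\n".join(lines)


def nginx_fragment(policy: Dict[str, str]) -> str:
    """server-block lines; 'always' adds the header regardless of status code.
    Put these in one place (or an included file) because of the inheritance
    rule checked by nginx_inheritance_gaps()."""
    return "\n".join(f'add_header {name} "{value}" always;' for name, value in policy.items())


def nginx_inheritance_gaps(conf: str) -> Dict[str, List[str]]:
    """Map each location block that has its own add_header directives to the
    parent-level headers it no longer sends. Line-based: one directive per
    line, block openers ending in '{', closers as a lone '}'."""
    headers_by_block: Dict[tuple, List[str]] = {}
    stack: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            m = re.match(r"add_header\s+(\S+)", line)
            if m:
                headers_by_block.setdefault(tuple(stack), []).append(m.group(1))
    gaps: Dict[str, List[str]] = {}
    for path, names in headers_by_block.items():
        if len(path) >= 2 and path[-1].startswith("location"):
            parent = headers_by_block.get(path[:-1], [])
            missing = [h for h in parent if h not in names]
            if missing:
                gaps[path[-1]] = missing
    return gaps


if __name__ == "__main__":
    print(apache_fragment(POLICY))
    print(nginx_fragment(POLICY))
    print(nginx_inheritance_gaps(SAMPLE_NGINX_CONF))
```

When Nginx sits in front of Apache, set each header in only one of the two configs: both layers will otherwise emit it and the browser receives the header twice. After editing, confirm with `curl -sI` against a 200 page and a 404 page that every header is present on both.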