Really Simple SSL

Manually adding recommended security headers on WordPress

This article will explain how to manually add the recommended security headers to your website. For more advanced security headers or automatically add the security headers, please consider subscribing to Really Simple SSL Pro.  Security headers will add a new layer to SSL (Secure Socket Layer).

The security headers

We will explain the below security headers, and how to add them manually. When you need to know more, or are interested in more advanced security headers, visit this article.

  • HSTS – When this header is set on your domain, a browser will do all requests to your site over HTTPS from then on.
  • Upgrade-Insecure-Requests – This header is an additional method to force requests to your own domain over https://.
  • X-Content-Type-Options – This header will force the browser not to “guess” what kind of data is passed. If the extension is “.doc”, the browser should get a .doc file, not something else (a .exe).
  • X-XSS-Protection – Will stop pages from loading if a reflected cross-site scripting (XSS) attack is detected.
  • Expect-CT, Certificate Transparency – A Certificate Authority (the issuer of the SSL certificate) needs to log the certificates that are issued in a separate log, the CT framework., preventing fraud.
  • No Referrer When Downgrade header – Only sets a referrer when going from the same protocol and not when downgrading (HTTPS -> HTTP).
  • X-Frame-Options – Restricts iframes,embeds and object to your own domain.
  • Permissions-Policy – Allows sites to more tightly restrict which origins can be granted access to features. For more information see our dedicated Permissions-Policy article.

What you will need

Before manually adding these files you will need to access your .htaccess file. This file only available on Apache servers via FTP. 

  • FTP Credentials
  • Text edit program to open .htaccess file
  • Some patience and no worries as everything is reversible.
  • Let’s get started!

Manually adding security headers

Let’s start with the basics, opening, and adding a line to the .htaccess file.

  1. Open your FTP client and visit the root of your website. The root is where wp-admin, wp-content maps are located, including the .htaccess
  2. If you can’t find the .htaccess, make sure you can view all hidden files. For most FTP clients go to “View” and select “Show hidden files” or similar.
  3. Download and open the file in a text editor to see a file resembling the below image. Sometimes you can’t save a file starting with a dot. Save the file without the dot and continue.

Adding a line

  1. We recommend adding a line between comments. In this case we will always add a security header per line, between the same comments. For example
# Really Simple SSL
// This will be a security header..
# End Really Simple SSL
Or as an example:

Adding HSTS

Add the following line between the comments as show above. We will end with an example to compare with. We will also repeat the comments, please don’t repeat comments in the file.
# Really Simple SSL
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS 
# End Really Simple SSL

Adding Upgrade-Insecure-Requests

# Really Simple SSL
Header always set Content-Security-Policy "upgrade-insecure-requests"
# End Really Simple SSL

Adding X-XSS-Protection

# Really Simple SSL
Header always set X-XSS-Protection "0"
# End Really Simple SSL

Adding X-Content-Type-Options

# Really Simple SSL
Header always set X-Content-Type-Options "nosniff"
# End Really Simple SSL

Adding Referrer Policy header

# Really Simple SSL
Header always set Referrer-Policy "strict-origin-when-cross-origin" 
# End Really Simple SSL

Adding X-Frame-Options header

# Really Simple SSL
Header always set X-Frame-Options: "SAMEORIGIN"
# End Really Simple SSL

Adding Permissions-Policy header

# Really Simple SSL
Header always set Permissions-Policy: "" 
# End Really Simple SSL

.htaccess example

In the below image you will find the example of all security combined, between the two comments.

Uploading and Troubleshooting

Before uploading, make sure you have a back-up of your current .htaccess file. As an example:

  1. Upload the new file with filename 1htaccess
  2. Change the current .htaccess to htaccessback-up
  3. Change 1htaccess to .htaccess to activate your new file.
Aert Hulsebos

Aert Hulsebos

Related articles

Join our mailing list - 8 Tips & Tricks in your inbox over the next 8 weeks!