This plugin helps set up the various header instructions included in the HTTP protocol, allowing for easy improvement of your website's security.
This plugin can enable the following measures:
- HSTS (Strict-Transport-Security)
- PKP (Public-Key-Pinning)
- CSP (Content-Security-Policy)
- Clickjacking mitigation (X-Frame-Options in main site)
- XSS protection (X-XSS-Protection)
- Disable content sniffing (X-Content-Type-Options)
- Referrer policy
- Remove PHP version information from HTTP header
- Remove WordPress version information from HTML header
securityheaders.io is a useful resource for evaluating your website's security.
As usual, make sure to understand the meaning of these options and to run full tests on your website, as some options may cause some features to stop working.
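The following is an added illustration of how the headers listed above are sent from a WordPress plugin; it is not this plugin's own code. The policy values (CSP sources, HSTS max-age, referrer policy) are assumed starting points that must be adapted per site, and Public-Key-Pins is left out because current browsers no longer honour it.

```php
<?php
/*
 * Plugin Name: Example Security Headers
 * Description: Added illustration of the headers discussed above (not the plugin's own code).
 */

// Emit the headers once WordPress has finished setting up the request.
add_action( 'send_headers', 'example_security_headers' );

function example_security_headers() {
    // HSTS only makes sense over HTTPS; a long max-age on a broken TLS setup locks visitors out.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }

    // CSP: start restrictive and widen only for sources the site actually uses.
    // Assumed policy; 'unsafe-inline' for styles is a common concession to WordPress themes.
    $csp = "default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'";
    header( 'Content-Security-Policy: ' . $csp );

    // Clickjacking mitigation for the main site.
    header( 'X-Frame-Options: SAMEORIGIN' );

    // Legacy XSS filter hint; modern browsers ignore it, CSP is the effective control.
    header( 'X-XSS-Protection: 1; mode=block' );

    // Disable MIME type sniffing.
    header( 'X-Content-Type-Options: nosniff' );

    // Referrer policy (assumed value).
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );

    // Remove the PHP version: X-Powered-By is emitted when expose_php is on in php.ini.
    header_remove( 'X-Powered-By' );
}

// Remove the WordPress version from the HTML head (the <meta name="generator"> tag).
remove_action( 'wp_head', 'wp_generator' );
```

After activating, confirm the result by inspecting the response headers in your browser's developer tools, as described in the FAQ.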
- Unpack the plugin archive to the /wp-content/plugins/ folder, or manually upload its content to the
- Activate the plugin through the "Plugins" screen in WordPress.
- Use "Settings --> HTTP Security" to configure the plugin.
The translations available for this plugin are a complete mess. I recommend you stick with the built-in English translation or create your own translation files for this plugin.
Frequently Asked Questions
How can I test that the plugin is working?
Check the HTTP headers of your website using your browser's developer tools. Keep in mind that it is up to the browser to honour the headers it receives: old browsers do not understand these headers and simply ignore them. That is nothing this plugin can magically fix.
Find the original plugin in the WordPress plugin directory.
Thanks and some personal notes
I would like to thank Carl Conrad for the idea of the plugin. To my mind this thing is a valuable addition to the security of WordPress and should be part of the basic setup.
This plugin is loosely based on his version 2.4.1. In fact, I had to rewrite most of the functions in order to make them work the way I want, or make them work at all. For example, I wanted an easy way to be able to add new options without the need to modify any HTML and/or CSS code. Also, Public Key Pinning features were missing and the overall performance was not great. That has all been fixed, so enjoy this version and fork it if you like.