Protect HTTP headers in WordPress

Below we will see how you can secure (as far as possible) the HTTP headers of the WordPress site you run. Secure HTTP headers help harden WordPress against attacks by closing off some common weaknesses, most of them in the browser's handling of your pages rather than in WordPress itself.

Below are five HTTP headers plus a set of cookie flags that you can apply to your site by adding the code that follows to functions.php in your active theme's folder. Two practical notes: PHP's header() must run before any output is sent (the theme's functions.php is loaded before the page is rendered, so this works), and a theme update will overwrite functions.php, so a child theme or a small plugin is a more durable home for this code.


Content Security Policy (CSP)

A CSP tells the browser which sources of content are allowed (scripts, stylesheets, images, fonts and so on) using an allowlist per resource type. A well-built Content Security Policy stops the browser from loading injected scripts and other components, which blunts cross-site scripting even when an injection slips through.

Unfortunately, there is no single policy that fits every site. Before you write your own CSP, take stock of the resources your pages actually need to load (your own domain, CDNs, web fonts, analytics, embedded video), because anything not listed will be blocked. If you want a policy tailored to your requirements you have to build it yourself; a safe way to start is to send it as Content-Security-Policy-Report-Only, which logs violations in the browser console without blocking anything.

Your CSP can be added to the functions.php file.

You can try adding the following line:

header('Content-Security-Policy: default-src \'self\' \'unsafe-inline\' \'unsafe-eval\' https: data:');

What does it do? The policy above allows every type of resource from your own origin ('self'). 'unsafe-inline' allows inline styles and scripts (the <style> and <script> blocks and onclick= attributes that WordPress themes and plugins emit), and 'unsafe-eval' allows dynamically evaluated code such as eval() and new Function(). The https: entry allows resources from any origin as long as they are fetched over HTTPS, and data: allows data: URIs (commonly used for inline images). If your site does not use HTTPS, remove https: from the list. Be aware that this is a permissive starting point rather than a strong policy: with 'unsafe-inline' and 'unsafe-eval' in place, an attacker who can inject markup into a page can still run script, so the policy mainly restricts where external resources may be loaded from. Tighten it once you know what your site needs, for example by giving script-src its own list that uses nonces or hashes instead of 'unsafe-inline'.
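To make the weaknesses of the policy above concrete, here is a small CSP parser and auditor. It is an added example, not code from the original article: it splits a policy into directives, resolves the default-src fallback the way a browser does, and flags the source expressions that undermine script-src. The two policies it is run against are constructed for illustration (the nonce value is a placeholder), and the audit covers script execution and two related directives only, not a full CSP review.

```python
"""Parse a Content-Security-Policy value and flag the weaknesses a reviewer
looks for. Added example, not code from the original article; the two
policies below are constructed for illustration."""

from typing import Dict, List

# When any of these appears in script-src, browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# The policy from the article: permissive on purpose, so it trips most checks.
WEAK_POLICY = "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:"

# A tighter constructed policy: scripts only from the origin or carrying a
# per-response nonce, no plugin content, no <base> hijacking. Placeholder nonce.
STRICT_POLICY = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                 "object-src 'none'; base-uri 'self'")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source, ...]}.

    Directives are ';'-separated; the first token of each is the directive
    name (case-insensitive), the rest are source expressions. Browsers honour
    only the first occurrence of a repeated directive, so setdefault() does too.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """The list that governs a fetch directive: the directive itself if set,
    otherwise the default-src fallback, otherwise nothing (unrestricted)."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def audit_csp(policy: str) -> List[str]:
    """Return findings as 'CODE: explanation' strings; empty means nothing found."""
    d = parse_csp(policy)
    findings: List[str] = []

    script = [s.lower() for s in effective_sources(d, "script-src")]
    if not script:
        findings.append("NO_SCRIPT_SRC: neither script-src nor default-src is set; scripts are unrestricted")
    if "'unsafe-inline'" in script and not any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in script):
        findings.append("UNSAFE_INLINE: inline <script> blocks and event handlers run, so injected markup executes")
    if "'unsafe-eval'" in script:
        findings.append("UNSAFE_EVAL: eval() and new Function() are allowed")
    for src in script:
        if src in ("*", "http:", "https:"):
            findings.append(f"SCHEME_WILDCARD: source {src} allows scripts from any origin")
    if "data:" in script:
        findings.append("DATA_URI: data: URIs are valid script sources, a classic XSS payload carrier")

    objects = [s.lower() for s in effective_sources(d, "object-src")]
    if "'none'" not in objects:
        findings.append("OBJECT_SRC: object-src is not 'none'; <object>/<embed> plugin content is allowed")
    if "base-uri" not in d:
        findings.append("BASE_URI: no base-uri; an injected <base> tag can redirect relative script URLs")
    return findings


def finding_codes(policy: str) -> List[str]:
    """Just the CODE part of each finding, handy for assertions and dashboards."""
    return [f.split(":", 1)[0] for f in audit_csp(policy)]


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: {policy}")
        for finding in audit_csp(policy) or ["no findings"]:
            print("  -", finding)
```

Run against the article's policy it reports six findings; the constructed strict policy passes clean. The fallback logic matters: because the article sets only default-src, every fetch directive inherits 'unsafe-inline' and 'unsafe-eval', which is why a dedicated script-src is the first thing to add when tightening it.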


X-Frame-Options

This header helps prevent clickjacking by telling the browser not to render the page inside a frame or iframe on another site. SAMEORIGIN still lets your own pages frame each other, while DENY forbids framing altogether. Modern browsers also honour the frame-ancestors directive of CSP, which takes precedence over X-Frame-Options when both are present.

Add the following policy to your functions.php like this:

header('X-Frame-Options: SAMEORIGIN');

X-XSS-Protection and X-Content-Type-Options

X-XSS-Protection switched on the reflected cross-site scripting (XSS) filter built into older browsers (Internet Explorer, and Chrome until it was removed in 2019); current browsers no longer implement that filter, so the header does no harm but offers little, and a real CSP is the replacement. X-Content-Type-Options: nosniff instructs the browser (originally IE, now all major browsers) not to guess the MIME type of a response and to trust the declared Content-Type. This prevents attacks based on MIME sniffing, for example an uploaded "image" being interpreted as HTML or script.

Add again to your functions.php:

header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');

HTTP Strict Transport Security (HSTS)

HSTS is a way for the server to tell the browser that it should communicate with the site only over HTTPS for the stated period (max-age=31536000 seconds, one year), upgrading any http:// links automatically. If you are not using HTTPS, skip this step: once the header has been sent, browsers refuse plain HTTP for the whole period. includeSubDomains extends the rule to every subdomain, so make sure they all serve HTTPS too. Only add preload if you intend to submit the domain to the browsers' built-in HSTS preload list at hstspreload.org; that list ships with the browsers and removal takes months.

Add the following code to functions.php:

header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

Cookies with the HttpOnly and Secure flags in WordPress

The first two settings below tell PHP to mark its session cookie HttpOnly (not readable by JavaScript, which blunts cookie theft through XSS) and Secure (sent only over HTTPS); the third makes PHP accept session IDs only from cookies, never from the URL. Note that these ini settings affect only PHP's own session cookie. WordPress core does not use PHP sessions: its authentication cookies are already set HttpOnly by core, with the Secure flag depending on whether the site is served over HTTPS. The settings still matter for plugins that start PHP sessions.

Add this to your functions.php file:

@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

All the above together:

// Security headers. header() must run before any output is sent; the theme's
// functions.php is loaded before the page is rendered, so calling it here works.
header('Content-Security-Policy: default-src \'self\' \'unsafe-inline\' \'unsafe-eval\' https: data:');
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
// PHP session cookie flags. These affect only plugins that start PHP sessions;
// WordPress core does not use PHP sessions for its own cookies.
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);


Another way to set security headers is through the .htaccess file, which requires Apache with mod_headers enabled. Headers set here apply to every response Apache serves for the site, including static files and wp-admin, and they survive theme changes. The <IfModule> wrapper avoids a configuration error (HTTP 500) on servers without the module. Add the following to the .htaccess file in your WordPress root:

<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:"
</IfModule>

Alternatively, you can use one of the various plugins found by searching for "Security Headers" in the WordPress plugin repository.

You can verify the HTTP security headers you added with an online header-scanning service, or by inspecting the response headers in your browser's developer tools.
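For an offline check of the same thing, here is an added example (not from the original article) that parses a raw HTTP response head and verifies the headers this page recommends: HSTS with at least a one-year max-age and includeSubDomains, nosniff, a framing restriction, a CSP of some kind, and HttpOnly plus Secure on every Set-Cookie. Both responses it runs against are constructed by hand, not captured from a real site; X-XSS-Protection is deliberately not required, for the reasons given above.

```python
"""Check a raw HTTP response head for the headers discussed on this page.
Added example, not from the original article; both responses below are
constructed by hand, not captured from a real site."""

from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # the max-age used in the article, in seconds

# Constructed response that carries everything the article recommends.
GOOD_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=UTF-8",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Content-Type-Options: nosniff",
    "X-Frame-Options: SAMEORIGIN",
    "Content-Security-Policy: default-src 'self'; object-src 'none'",
    "Set-Cookie: example_session=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: example_pref=dark; Path=/; HttpOnly; Secure",
    "",
    "<html>...</html>",
])

# Constructed response with the usual gaps: short HSTS, no nosniff, framing
# allowed, no CSP, and a cookie without either flag.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=300",
    "X-Frame-Options: ALLOWALL",
    "X-XSS-Protection: 1; mode=block",
    "Set-Cookie: example_session=abc123; Path=/",
    "",
    "<html>...</html>",
])


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw response into (status line, {lower-cased name: [values]}).
    Values are kept in a list because Set-Cookie legitimately repeats."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def hsts_max_age(value: str) -> int:
    """max-age from an HSTS value, or -1 when missing or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def cookie_has_flags(set_cookie: str) -> bool:
    """True when a Set-Cookie value carries both HttpOnly and Secure."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return "httponly" in attrs and "secure" in attrs


def check_headers(raw: str) -> Dict[str, bool]:
    """One boolean per check. X-XSS-Protection is not required: current
    browsers no longer implement that filter."""
    _, h = parse_response(raw)

    def first(name: str) -> str:
        return h.get(name, [""])[0]

    hsts = first("strict-transport-security")
    return {
        "hsts": hsts_max_age(hsts) >= ONE_YEAR and "includesubdomains" in hsts.lower(),
        "nosniff": first("x-content-type-options").lower() == "nosniff",
        "frame_options": first("x-frame-options").upper() in ("DENY", "SAMEORIGIN"),
        "csp": bool(first("content-security-policy")),
        # Vacuously true when no cookies are set; false if any cookie lacks a flag.
        "cookies": all(cookie_has_flags(c) for c in h.get("set-cookie", [])),
    }


def failing_checks(raw: str) -> List[str]:
    """Names of the checks that did not pass, in a stable order."""
    return [name for name, ok in check_headers(raw).items() if not ok]


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, "->", failing_checks(raw) or "all checks pass")
```

To use it on a live site, capture the response head (for example with curl -sI against your URL) and pass the text to failing_checks(). Checking every Set-Cookie line rather than just the first is deliberate: a plugin that starts a PHP session adds its own cookie, and that is exactly the one the ini_set lines above are meant to protect.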


Written by giorgos

