The Complete Guide to WordPress Security Headers (2025 Hardening Guide)
Security headers are HTTP response directives that protect your WordPress site from common attacks like XSS, clickjacking, and MIME sniffing. When configured correctly, they can block 70%+ of automated attacks without impacting performance.
This guide covers 7 essential security headers, how to implement them, and advanced configurations for maximum protection.
1. Must-Have Security Headers for WordPress
| Header | Purpose | Recommended Value |
|---|---|---|
| Content Security Policy (CSP) | Prevents XSS/data injection | default-src 'self'; script-src 'self' https://trusted.cdn.com |
| X-XSS-Protection | Blocks reflected XSS attacks | 1; mode=block |
| X-Frame-Options | Stops clickjacking | SAMEORIGIN |
| X-Content-Type-Options | Prevents MIME sniffing | nosniff |
| Referrer-Policy | Controls referrer data leakage | strict-origin-when-cross-origin |
| Permissions-Policy | Restricts browser features (camera, geolocation) | geolocation=(), camera=() |
| Strict-Transport-Security (HSTS) | Enforces HTTPS | max-age=31536000; includeSubDomains; preload |
2. How to Implement Security Headers
A. Via .htaccess (Apache)
```apache
<IfModule mod_headers.c>
    # "Header set" applies to 2xx responses only; use "Header always set" if the
    # headers must also appear on error and redirect responses
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "geolocation=(), camera=()"
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
```
B. Via nginx.conf (Nginx)
```nginx
# add_header lines are not inherited by a location block that defines its own
# add_header, so repeat them there; "always" also sends them on error responses
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```
C. Via PHP (For Shared Hosting)
```php
// Place this in the active theme's functions.php or in a must-use plugin.
// add_action() is not yet defined when wp-config.php is read, so it cannot go there.
function add_security_headers() {
    header("Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com");
    header("X-XSS-Protection: 1; mode=block");
    header("X-Frame-Options: SAMEORIGIN");
    header("X-Content-Type-Options: nosniff");
    header("Referrer-Policy: strict-origin-when-cross-origin");
    header("Permissions-Policy: geolocation=(), camera=()");
    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
}
// send_headers fires before any output, so header() calls still work here
add_action('send_headers', 'add_security_headers');
```
3. Advanced Configurations
A. Dynamic CSP for WordPress Plugins
Allow only necessary domains (e.g., Google Fonts, reCAPTCHA):
```apache
Header set Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-src https://www.google.com/recaptcha/"
```
B. Report-Only Mode (For Testing CSP)
```apache
Header set Content-Security-Policy-Report-Only "default-src 'self'; report-uri https://yourdomain.com/csp-report-endpoint"
```
C. HSTS Preloading
Submit your domain to the HSTS Preload List (hstspreload.org) for browser-level HTTPS enforcement. Preloading requires the full header value from section 1 (a max-age of at least one year, includeSubDomains and preload) on the root domain and is hard to reverse, so confirm every subdomain works over HTTPS first.
4. Testing & Validation
A. Check Headers Online
Use an online scanner such as SecurityHeaders.com (see the checklist below) to list the headers a page returns and grade their values.
B. Chrome DevTools
Open the Network tab, click any request, and check the “Response Headers” section.
C. Common Errors & Fixes
| Issue | Solution |
|---|---|
| CSP breaks Google Analytics | Add https://www.google-analytics.com to script-src |
| Mixed content warnings | Use upgrade-insecure-requests in CSP |
| HSTS too aggressive | Start with max-age=300 (5 mins), then increase |
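As an added example (not from the original guide), a small Python audit script that checks a response's headers against the recommended values in section 1 and flags the two mistakes from the table above: an HSTS max-age still at its ramp-up value and a CSP loosened with 'unsafe-inline'. The sample response is constructed; `audit_url` is the only part that needs network access, and X-XSS-Protection is left out because current browsers no longer implement it.

```python
import http.client
from urllib.parse import urlparse

ONE_YEAR = 31536000  # HSTS max-age recommended in section 1

def hsts_ok(value):  # max-age present and at least one year
    ages = [p.strip()[8:] for p in value.split(";") if p.strip().lower().startswith("max-age=")]
    return bool(ages) and ages[0].isdigit() and int(ages[0]) >= ONE_YEAR

def csp_ok(value):  # default-src fallback present, no unsafe keywords allowed
    low = value.lower()
    return "default-src" in low and "'unsafe-inline'" not in low and "'unsafe-eval'" not in low

# header name -> (check, advice); values follow the table in section 1
CHECKS = {
    "content-security-policy": (csp_ok, "set default-src 'self' and drop 'unsafe-inline'/'unsafe-eval'"),
    "x-frame-options": (lambda v: v.strip().upper() in ("SAMEORIGIN", "DENY"), "use SAMEORIGIN"),
    "x-content-type-options": (lambda v: v.strip().lower() == "nosniff", "use nosniff"),
    "referrer-policy": (lambda v: v.strip().lower() in ("strict-origin-when-cross-origin", "strict-origin", "same-origin", "no-referrer"), "use strict-origin-when-cross-origin"),
    "permissions-policy": (lambda v: "=(" in v, "e.g. geolocation=(), camera=()"),
    "strict-transport-security": (hsts_ok, "max-age=%d; includeSubDomains" % ONE_YEAR),
}

def audit_headers(headers):
    """Return {header: problem} for each recommended header that is missing or weak."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, (check, advice) in CHECKS.items():
        if name not in present:
            findings[name] = "missing; " + advice
        elif not check(present[name]):
            findings[name] = "weak (%s); %s" % (present[name], advice)
    return findings

def audit_url(url):
    """Fetch a live site's response headers (needs network) and audit them."""
    u = urlparse(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=10)
    conn.request("GET", u.path or "/")
    return audit_headers(dict(conn.getresponse().getheaders()))

# Constructed sample: a site that applied the blocks above but is still in the HSTS
# ramp-up phase (max-age=300) and added 'unsafe-inline' to quiet a plugin error.
SAMPLE_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin", "Strict-Transport-Security": "max-age=300",
}
```

Running `audit_headers(SAMPLE_RESPONSE)` reports CSP as weak, HSTS as weak and Permissions-Policy as missing; a response carrying the exact values from the section 1 table returns an empty dict.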
5. WordPress Plugins for Security Headers
- HTTP Headers (Free) – GUI for adding headers.
- Perfmatters – Lightweight CSP management.
- WP Hardening – One-click HSTS/XSS protection.
Final Checklist
✅ Enable CSP (Block XSS)
✅ Set X-Frame-Options (Stop clickjacking)
✅ Add HSTS (Force HTTPS)
✅ Configure Referrer-Policy (Limit data leaks)
✅ Test with SecurityHeaders.com
🚀 Pro Tip: Combine with Cloudflare WAF for layered protection!
