The Complete Guide to WordPress Security Headers: Lock Down Your Site in 2025
Security headers are HTTP response directives that protect your WordPress site from common attacks like XSS, clickjacking, and MIME sniffing. Properly configured headers can block 70% of web vulnerabilities (OWASP) while improving SEO (Google considers security in rankings).
This guide covers:
✔ 7 essential security headers for WordPress
✔ How to implement them (plugins, .htaccess, NGINX, Cloudflare)
✔ Testing & validation tools
✔ Common pitfalls to avoid
1. Must-Have Security Headers for WordPress
| Header | Protection Against | Example Value |
|---|---|---|
| Content Security Policy (CSP) | XSS, data injection | default-src 'self'; script-src 'self' https://trusted.cdn.com |
| X-XSS-Protection | Cross-site scripting | 1; mode=block |
| X-Frame-Options | Clickjacking | SAMEORIGIN |
| X-Content-Type-Options | MIME sniffing | nosniff |
| Strict-Transport-Security (HSTS) | HTTPS enforcement | max-age=31536000; includeSubDomains; preload |
| Referrer-Policy | Referrer data leaks | strict-origin-when-cross-origin |
| Permissions-Policy | Feature access control | geolocation=(self "https://maps.example.com") |
2. How to Implement Security Headers
Method 1: Using Plugins (Easiest)
- Security Headers (Free, GUI-based)
- Redirection (For advanced regex-based rules)
- Perfmatters (Combine with performance tweaks). Our YouTube channel; https://www.youtube.com/@easythemestore
Method 2: Manual Setup (Advanced)
A. Apache (.htaccess)
<IfModule mod_headers.c> # XSS Protection Header set X-XSS-Protection "1; mode=block" # Clickjacking defense Header set X-Frame-Options "SAMEORIGIN" # MIME sniffing prevention Header set X-Content-Type-Options "nosniff" # HSTS (Force HTTPS) Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Referrer control Header set Referrer-Policy "strict-origin-when-cross-origin" # Feature policy (now Permissions-Policy) Header set Permissions-Policy "geolocation=(self), camera=()" </IfModule>
B. NGINX (server block)
add_header X-XSS-Protection "1; mode=block" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "geolocation=(self), camera=()" always;
C. Cloudflare Workers (Edge-level control)
addEventListener('fetch', (event) => { event.respondWith( fetch(event.request).then((response) => { const newHeaders = new Headers(response.headers); newHeaders.set('X-Frame-Options', 'SAMEORIGIN'); newHeaders.set('Content-Security-Policy', "default-src 'self'"); return new Response(response.body, { status: response.status, headers: newHeaders }); }) ); });
3. Content Security Policy (CSP) Deep Dive
CSP is the most powerful (and complex) header. Example for WordPress:
Content-Security-Policy:
default-src 'self';
script-src 'self' https://*.googleapis.com https://*.gstatic.com 'unsafe-inline' 'unsafe-eval';
style-src 'self' https://*.googleapis.com 'unsafe-inline';
img-src 'self' https://*.gravatar.com data:;
font-src 'self' https://*.gstatic.com;
frame-src 'self' https://*.youtube.com;Key Notes:
- Allow Google Fonts/Analytics via
*.gstatic.comand*.googleapis.com - Permit inline scripts/styles (
'unsafe-inline') if plugins require it - Use report-uri to monitor violations:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://example.com/csp-report4. Testing & Validation
- SecurityHeaders.com (Free audit)
- Mozilla Observatory (Comprehensive scoring)
- Chrome DevTools → Network tab (Check response headers)
5. Common Pitfalls
❌ Overly strict CSP breaking plugins (test in Report-Only mode first)
❌ Missing always in NGINX (Headers drop on 404s)
❌ HSTS without HTTPS readiness (Can lock users out)
Pro Tip: Start with X-Frame-Options + XSS Protection, then gradually deploy CSP using Report-Only mode. Security headers are your site’s invisible armor! 🛡️