Security Headers

How to Fix Missing Security Headers in WordPress

Security headers play a significant role in protecting your WordPress website from common attacks. They help guard against clickjacking, cross-site scripting, content sniffing, and other threats. If you’ve run a security scan and seen warnings about missing security headers, you’re not alone: many WordPress sites lack them, and the warnings shouldn’t be ignored.

This guide explains what each missing security header means, why it matters, and how to fix it.

What Are Security Headers?

Security headers are HTTP response headers: short lines your web server sends to a user’s browser along with each page. They control how the browser behaves when it loads your site and tell it to block specific risky actions. Think of them as security rules for how browsers interact with your site.

How to Fix Security Headers

Here are the most critical headers your site should have, and what can happen if they are missing.

1- Clickjacking Protection: X-Frame-Options or CSP frame-ancestors

“Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'.”

What It Means:

Without this header, your website can be embedded inside other sites using an <iframe>. An attacker can load your pages inside a page they control and cover them with decoy content, so a visitor’s clicks land on your site’s buttons without them realizing it; this is called clickjacking.

Fix It:

Add this to your .htaccess file (for Apache):

Header always set X-Frame-Options "SAMEORIGIN"

Or use Content-Security-Policy:

Header always set Content-Security-Policy "frame-ancestors 'none';"

Choose one, not both.

2- Content-Type Sniffing Protection: X-Content-Type-Options

“Missing security header to prevent Content Type sniffing.”

What It Means:

Browsers try to guess file types from content rather than trusting the declared Content-Type. This behavior can be abused to serve malicious files (e.g., an upload that claims to be an image but is executed as a script).

Fix It:

Add this to .htaccess:

Header always set X-Content-Type-Options "nosniff"

This forces browsers to use the declared file type, reducing the risk.

3- Enforce HTTPS: Strict-Transport-Security (HSTS)

“Missing Strict-Transport-Security security header.”

What It Means:

Without this header, users could be sent to your site’s HTTP (non-secure) version, even if you have an SSL certificate, and their traffic could be read or altered on the way.

Fix It:

Add this line to .htaccess:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Note: Make sure your site, including any subdomains, supports HTTPS correctly before adding this; includeSubDomains and preload apply the rule to all of them, and the preload list is difficult to leave once you are on it.

4- Content-Security-Policy (CSP)

“Missing Content-Security-Policy directive. We recommend adding the following CSP directives: script-src, object-src, base-uri, frame-src.”

What It Means:

This is one of the most powerful headers. It tells the browser which content is allowed to load and from where. You can block inline scripts, stop loading from unknown domains, and more.

Fix It:

You’ll need to customize it for your site. Here’s a basic example:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src 'none';"

This blocks content unless it comes from your own domain, and blocks plugin objects and frames entirely. Because it does not set frame-ancestors, keep the X-Frame-Options header from section 1 for clickjacking protection.
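As an added example (not code from the article), here is a small Python helper that builds a policy like the one above and lints it against the directives the scanner message asks for. It goes a little beyond the article’s fixed policy: it takes an allowlist of external script hosts, such as a CDN, so you can add the scripts you need without loosening script-src to ‘unsafe-inline’. The host cdn.example.com and the function names are assumptions made for this example.

```python
"""Build and lint a Content-Security-Policy header value.

Added example for the article; the CDN host below is a constructed
placeholder, not a host taken from any real site.
"""
from __future__ import annotations

from typing import Dict, List

# Directives the scanner message on the page asks for. A missing one falls
# back to default-src; with no default-src either, that content is unrestricted.
REQUIRED_DIRECTIVES = ("script-src", "object-src", "base-uri", "frame-src")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse 'name src src; name src' into {name: [sources]}.

    The first occurrence of a directive wins and later duplicates are ignored,
    which is how browsers treat a repeated directive.
    """
    parsed: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in parsed:
            parsed[name] = tokens[1:]
    return parsed


def build_csp(script_hosts: List[str], allow_framing: bool = False) -> str:
    """Return the article's baseline policy extended with an allowlist of
    external script hosts, plus frame-ancestors (the CSP replacement for
    X-Frame-Options)."""
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", ["'self'", *script_hosts]),
        ("object-src", ["'none'"]),
        ("base-uri", ["'self'"]),
        ("frame-src", ["'none'"]),
        ("frame-ancestors", ["'self'"] if allow_framing else ["'none'"]),
    ]
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives) + ";"


def lint_csp(policy: str) -> List[str]:
    """Return a list of findings; an empty list means the policy meets the baseline."""
    csp = parse_csp(policy)
    findings: List[str] = []
    for name in REQUIRED_DIRECTIVES:
        if name not in csp and "default-src" not in csp:
            findings.append(f"{name} missing and no default-src fallback")
    # script-src inherits from default-src when absent.
    script = csp.get("script-src", csp.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
        if weak in script:
            findings.append(f"script-src allows {weak}")
    if csp.get("object-src", csp.get("default-src")) != ["'none'"]:
        findings.append("object-src should be 'none'")
    if "frame-ancestors" not in csp:
        findings.append("frame-ancestors not set: clickjacking protection must come from X-Frame-Options")
    return findings


if __name__ == "__main__":
    # Constructed input: one CDN host the site's theme loads scripts from.
    policy = build_csp(["https://cdn.example.com"])
    print(policy)
    print(lint_csp(policy) or ["policy meets the baseline"])
    # The article's own example policy, which relies on X-Frame-Options instead.
    print(lint_csp("default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src 'none';"))
```

Run it against the policy you intend to deploy before putting it in .htaccess; a finding about ‘unsafe-inline’ usually means a theme or plugin injects inline scripts, which is the point at which you decide whether to allowlist a host or move that script into a file.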

How to Add Headers in NGINX (If You Don’t Use Apache)

If your site runs on NGINX, add the headers inside the server block of your config. The always parameter makes NGINX send them on error responses (such as 404 pages) too, which scanners also check:

  • add_header X-Frame-Options "SAMEORIGIN" always;
  • add_header X-Content-Type-Options "nosniff" always;
  • add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  • add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src 'none';" always;

Restart NGINX after changes.

WordPress Plugins to Add Security Headers

If you don’t want to touch code, use a plugin to manage headers.

Recommended Plugins:

  • HTTP Headers
  • Security Headers by Petr Hejl
  • Redirection

Best Practices

  • Test your site after adding headers (use SecurityHeaders.com).
  • Don’t block content you need (especially scripts from CDNs).
  • Always back up your .htaccess or NGINX config before editing.
  • Use HTTPS across your whole site.

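Added example, not part of the original article: a Python audit that applies the checks from the sections above to a set of response headers, producing the same kind of warnings a scanner or SecurityHeaders.com reports. The two header sets are constructed samples, not captured from any real site, and the function and constant names are my own. Paste in the headers from your own site (for instance, the output of a HEAD request) to check your fix before and after editing .htaccess or the NGINX config.

```python
"""Audit HTTP response headers for the security headers the article covers.

Added example; the header dicts at the bottom are constructed samples that
stand in for a scanner's view of a hardened site and an untouched one.
"""
from __future__ import annotations

from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the max-age used in the article's HSTS line


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return scanner-style warnings for each header that is missing or weak.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    warnings: List[str] = []

    # CSP parsed once: {directive: [sources]}, first occurrence wins.
    csp_value = h.get("content-security-policy", "")
    csp = {p.split()[0].lower(): p.split()[1:] for p in csp_value.split(";") if p.split()}

    # 1. Clickjacking: X-Frame-Options or CSP frame-ancestors; either one suffices.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        warnings.append("Missing security header for ClickJacking Protection")

    # 2. MIME sniffing: the only valid value is nosniff.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        warnings.append("Missing security header to prevent Content Type sniffing")

    # 3. HSTS: present, and max-age at least one year (a short value offers
    #    little protection and is rejected by the preload list).
    hsts = h.get("strict-transport-security", "")
    max_age = 0
    for part in hsts.split(";"):
        name, _, num = part.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            max_age = int(num)
    if not hsts:
        warnings.append("Missing Strict-Transport-Security security header")
    elif max_age < ONE_YEAR:
        warnings.append(f"Strict-Transport-Security max-age {max_age} is below one year")

    # 4. CSP: the directives the scanner asks for, unless default-src covers them.
    missing = [d for d in ("script-src", "object-src", "base-uri", "frame-src")
               if d not in csp and "default-src" not in csp]
    if not csp:
        warnings.append("Missing Content-Security-Policy directive")
    elif missing:
        warnings.append("CSP lacks: " + ", ".join(missing))
    return warnings


# Constructed sample responses (not captured from a real site).
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src 'none';",
}
DEFAULT_WORDPRESS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("default", DEFAULT_WORDPRESS)):
        print(label, audit_headers(hdrs) or ["all checks passed"])
```

The untouched sample produces all four warnings quoted in the sections above; the hardened one passes. Note that the audit accepts either X-Frame-Options or frame-ancestors for clickjacking, matching the "choose one" advice in section 1.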
Final Thoughts

Security headers are small but mighty. They don’t slow down your site, and they protect your visitors. Adding them can stop basic attacks before they reach your code. If your scan says these headers are missing, take action today. Use the examples above, or ask your developer or hosting provider to help.

Keep your WordPress site safe, innovative, and secure.