HTTP security headers provide an extra layer of protection for your WordPress site. They help block malicious activity, enforce secure connections, and improve overall site security. On ruachost.com, you can add these headers easily using a plugin or by editing configuration files.
Why Add Security Headers?
-
Prevents common attacks such as XSS (Cross‑Site Scripting) and clickjacking.
-
Enforces HTTPS connections for safer browsing.
-
Improves compliance with modern web security standards.
-
Protects sensitive user data and enhances trust.
Method 1: Using the HTTP Headers Plugin (Recommended)
-
Log in to WordPress with an administrator account.
-
In the dashboard, go to Plugins → Add New.
-
Search for HTTP Headers.
-
Click Install Now, then Activate.
-
In the dashboard, go to Settings → HTTP Headers.
-
Configure the following headers:
-
Strict-Transport-Security (HSTS) → Forces HTTPS connections.
-
X-Frame-Options → Prevents clickjacking attacks.
-
X-Content-Type-Options → Blocks MIME type sniffing.
-
Referrer-Policy → Controls how much referrer information is shared.
-
Content-Security-Policy (CSP) → Restricts sources of scripts, styles, and media.
-
-
Save changes → The headers will be applied site‑wide.
✅ Your WordPress site will now send secure HTTP headers with every response.
Method 2: Editing .htaccess (Advanced)
If you prefer manual configuration:
-
Connect to your site via FTP or File Manager.
-
Open the
.htaccessfile in the root directory. -
Add lines such as:
<IfModule mod_headers.c> Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Header set Referrer-Policy "no-referrer-when-downgrade" </IfModule> -
Save changes → Test your site to ensure functionality is not broken.
Important Notes
-
Always back up your site before editing
.htaccess. -
Misconfigured headers may block legitimate scripts or styles.
-
Use tools like securityheaders.com or Google Lighthouse to test your configuration.
