The Importance of HTTP Security Headers in WordPress
In today’s digital age, the security of your small business website is paramount. With cyber threats on the rise, implementing robust security measures is not just a luxury but a necessity. One such measure is the use of HTTP security headers for WordPress. In this blog post, we’ll delve deep into the world of HTTP security headers, their significance, and how you can integrate them into your WordPress website to ensure maximum protection.
62% of the top 100 fastest growing companies in the US (Inc. 5000) use WordPress
Over 500 new sites are created daily using the free version of WordPress.org
Seventy million new blog posts pop up every month
There are currently over 455 million sites that use WordPress
WordPress accounts for almost half of the internet! That’s why adding HTTP Security Headers for WordPress is so important for protecting your website.
Why You Should Prioritize HTTP Security Headers for your WordPress website
The Threat Landscape
WordPress is a leading Content Management System and therefore a magnet for attackers. With billions of exploitation attempts recorded annually, small businesses cannot afford to be complacent. Cyber attacks can lead to data breaches, loss of customer trust, and significant financial setbacks.
The Role of HTTP Security Headers for WordPress
HTTP security headers are your website’s silent guardians. They provide specific directives to browsers on how to behave when interacting with your site, ensuring that potential vulnerabilities are not exploited. These headers act as barriers, preventing certain types of cyber attacks that can compromise your website’s integrity and the data it holds.
For small businesses, this means:
Protecting Customer Data: Your customers trust you with their data. Breaches can lead to loss of trust, legal repercussions, and financial losses
Maintaining Brand Reputation: A secure website ensures that your brand’s reputation remains untarnished. A single security incident can lead to negative publicity and loss of business
Ensuring Business Continuity: Cyber attacks can disrupt your online operations. By implementing security headers, you reduce the risk of unplanned downtime
Implementing HTTP Security Headers for WordPress with the Redirection Plugin
While there are multiple ways to add security headers to your site, the Redirection Plugin offers a straightforward method, especially for those not well-versed in coding. Here’s a detailed look at the five key HTTP security headers and their significance:
X-Frame-Options
Purpose: Protects against clickjacking attacks
How It Works: It dictates how content can be embedded into other sites. By default, it prevents your site’s content from being displayed in frames on other websites
Business Implication: Prevents malicious actors from tricking your users into clicking something different from what the user perceives, protecting both you and your customers from potential fraud
X-XSS-Protection
Purpose: Stops pages from loading when an XSS (Cross-Site Scripting) attack is detected
How It Works: It identifies and blocks malicious scripts injected into web pages
Business Implication: Protects your website from being used as a medium to spread malware or steal user data
Note: This header relies on a browser-side XSS filter that Chrome, Edge and Firefox no longer implement, so treat it as a legacy extra rather than a substitute for a Content Security Policy
X-Content-Type-Options
Purpose: Defence against content sniffing attacks
How It Works: Ensures browsers render files as declared and don’t guess file types, preventing malicious file executions
Business Implication: Stops attackers from disguising malicious files as safe ones, ensuring the integrity of your website’s content
Content-Security-Policy (CSP)
Purpose: Shields against various common attacks, like Cross-Site Scripting (XSS) and data injection attacks
How It Works: Dictates which external resources can be loaded and executed by browsers
Business Implication: Ensures that only trusted sources of content are loaded, keeping your website free from malicious injections
Referrer-Policy
Purpose: Controls the amount of referral data sent when a user clicks on a link to another site
How It Works: Limits the information about your site that’s shared with other websites
Business Implication: Protects user privacy and sensitive data from being inadvertently shared
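Once the headers are in place, the quickest way to confirm they are actually being sent (and set to useful values) is to check the response headers mechanically. The script below is an added example, not code from the original post or from the Redirection plugin: it parses a raw header block of the kind you would copy from the browser's Network tab or from `curl -I`, then audits it for the five headers above. The sample response is constructed for the example and deliberately leaves out CSP and sets a leaky Referrer-Policy so that the weak findings show up.

```python
# Added example (not from the original post or the Redirection plugin):
# audit a raw HTTP response header block for the five headers discussed above.
from __future__ import annotations

# Constructed sample response, in the shape you would copy from a browser's
# Network tab or from `curl -I https://example.com`. Not a real capture.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: unsafe-url
X-XSS-Protection: 1; mode=block
"""

# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "origin", "origin-when-cross-origin",
}


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw header block into a dict keyed by lower-cased header name.

    HTTP header names are case-insensitive, so they are normalised here; the
    status line and blank lines carry no colon and are skipped.
    """
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # status line ("HTTP/1.1 200 OK") or blank line
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: dict[str, str]) -> dict[str, str]:
    """Return one finding per header: 'ok', 'present ...', 'missing: ...' or 'weak: ...'."""
    findings: dict[str, str] = {}

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing: any site can frame your pages (clickjacking)"
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "ok"
    else:
        findings["X-Frame-Options"] = f"weak: unsupported value {xfo!r}; use DENY or SAMEORIGIN"

    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing: browsers may sniff and run files as another type"
    elif xcto.lower() == "nosniff":
        findings["X-Content-Type-Options"] = "ok"
    else:
        findings["X-Content-Type-Options"] = f"weak: only 'nosniff' is meaningful, got {xcto!r}"

    csp = headers.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing: no restriction on where scripts and resources load from"
    elif "'unsafe-inline'" in csp:
        findings["Content-Security-Policy"] = "weak: 'unsafe-inline' lets injected inline scripts or styles run"
    else:
        findings["Content-Security-Policy"] = "ok"

    rp = headers.get("referrer-policy")
    if rp is None:
        findings["Referrer-Policy"] = "missing: the browser default applies"
    elif rp.lower() in SAFE_REFERRER_POLICIES:
        findings["Referrer-Policy"] = "ok"
    else:
        findings["Referrer-Policy"] = f"weak: {rp!r} can send the full page URL to other sites"

    # X-XSS-Protection is legacy: current Chrome, Edge and Firefox ignore it.
    if "x-xss-protection" in headers:
        findings["X-XSS-Protection"] = "present (legacy; not a substitute for CSP)"
    else:
        findings["X-XSS-Protection"] = "missing: legacy header, harmless to add but CSP is the real control"

    return findings


if __name__ == "__main__":
    for header, finding in audit(parse_headers(SAMPLE_RESPONSE)).items():
        print(f"{header:26} {finding}")
```

To run it against your own site, replace SAMPLE_RESPONSE with the header block copied from the Network tab; the audit only reads the headers, so it is safe to run against any response you have captured.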
How to Set Up the Redirection Plugin
Redirection is a plugin that manages how hyperlinks are handled within your site. It comes with various preset HTTP security headers for WordPress that you can add with a single click.
Before you do anything, create a backup of your website. That way you can undo if anything goes wrong.
Install and activate the plugin, then go to:
Tools -> Redirection -> Start Setup
The first step to using the Redirection plugin on your WordPress site is to install the plugin and Start Setup
Once you get to the next page, specify whether Redirection should automatically create a redirect if you change the permalink of a post or page. This helps avoid 404 errors. Click through the Basic Setup until you complete the recommended tasks.
The Redirection plugin has a great Basic Setup wizard to help you get started easily
Now that you have Redirection set up, go to:
Tools -> Redirection -> Site
Scroll down to the HTTP Headers section and click on the Add Header dropdown. Select Add Security Presets.
Using the default Security Presets is the 1-click way to get HTTP security headers in your WordPress website
Then click on the Add Security Presets button again and this will use Redirection’s selection of default security HTTP headers. Boom 💥 1-click HTTP Security Headers for WordPress!
Here is a screenshot of what the default Security Presets look like with the Redirection plugin
You’re done! 🥳 Hit update and reload the web page to see if it has been updated. Check to make sure your pages look normal and that your links and content function as expected. If you have issues, you can disable/re-enable each preset one by one to figure out what went wrong.
Getting into the weeds of each policy
Permissions Policy
Setting a robust Permissions Policy (formerly known as Feature Policy) using the Redirection plugin in WordPress is straightforward. This security control helps prevent third-party scripts or iframes from accessing sensitive browser features (camera, microphone, geolocation, etc.), strengthening your site's security posture.
Here is a tutorial from the Redirection plugin showing how to add the best practices controls for the Permissions Policy: https://redirection.me/developer/permissions/
Recommended Best-Practice Configuration:
Below is a recommended configuration for maximum security that disables the most sensitive features, allowing only basic site functionality:
Permissions-Policy: accelerometer=(), autoplay=(self), camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), interest-cohort=()
Explanation:
autoplay and fullscreen are enabled for your site (self), often useful features.
Sensitive features (camera, mic, geolocation, etc.) are fully disabled.
interest-cohort blocks Google's FLoC tracking feature (privacy best practice).
Add Permissions Policy Header Using Redirection Plugin
In WordPress with the Redirection plugin, follow these steps:
Go to your WordPress Dashboard
Select Tools → Redirection.
Open the "Site" or "Headers" tab (if you haven't created one, you can manage this through "Site").
Add a new header rule:
Click Add new.
Select "Header" from the dropdown.
For "Header name", enter: Permissions-Policy
For "Header value", enter your preferred secure settings, e.g.: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
Save the rule.
Verify Header Implementation
After saving your header configuration, verify it:
Visit your site.
Open your browser’s Developer Tools (F12 or right-click → Inspect).
Click the Network tab, refresh the page, and select your website URL.
Under Response Headers, confirm the presence and correctness of your new header.
Example verification:
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
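Reading a Permissions-Policy value by eye is error-prone once it grows past a few directives, and the two values on this page differ in a way that is easy to miss (the shorter one used in the verification step does not mention interest-cohort). The parser below is an added example, not code from the original post or the Redirection plugin: it splits the header into feature allowlists and reports, for the sensitive features named in the explanation above, whether each is denied everywhere, limited to your own site, open to specific origins, open to any origin, or simply not mentioned. The weaker comparison value is constructed for the example.

```python
# Added example (not from the original post or the Redirection plugin): parse a
# Permissions-Policy header value and report how each sensitive feature is
# restricted, so a header copied from the Network tab can be checked
# mechanically rather than by eye.
from __future__ import annotations

# The post's recommended value, the shorter value from its verification step,
# and a constructed weaker value for comparison.
RECOMMENDED = ("accelerometer=(), autoplay=(self), camera=(), fullscreen=(self), "
               "geolocation=(), gyroscope=(), magnetometer=(), microphone=(), "
               "midi=(), payment=(), usb=(), interest-cohort=()")
SHORTER_VALUE = ("accelerometer=(), camera=(), geolocation=(), gyroscope=(), "
                 "magnetometer=(), microphone=(), payment=(), usb=()")
WEAK_EXAMPLE = 'camera=(self "https://widgets.example"), geolocation=*, microphone=(self)'

# Features whose exposure to embedded third-party content matters most.
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb", "interest-cohort")


def parse_permissions_policy(value: str) -> dict[str, list[str]]:
    """Parse 'feature=(allowlist), ...' into {feature: [tokens]}.

    An empty list means the feature is denied everywhere; 'self' means only
    this origin; quoted origins are returned unquoted; '*' means any origin.
    Allowlists are space-separated, so commas only ever separate directives.
    """
    policy: dict[str, list[str]] = {}
    for directive in value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        feature, sep, allowlist = directive.partition("=")
        feature, allowlist = feature.strip(), allowlist.strip()
        if not sep or not feature:
            raise ValueError(f"malformed directive: {directive!r}")
        if allowlist == "*":
            policy[feature] = ["*"]
        elif allowlist.startswith("(") and allowlist.endswith(")"):
            policy[feature] = [tok.strip('"') for tok in allowlist[1:-1].split()]
        else:
            raise ValueError(f"malformed allowlist for {feature}: {allowlist!r}")
    return policy


def describe(allowlist: list[str] | None) -> str:
    """Turn one parsed allowlist into a human-readable restriction level."""
    if allowlist is None:
        return "not restricted (browser default applies)"
    if not allowlist:
        return "denied everywhere"
    if "*" in allowlist:
        return "allowed for any origin"
    if allowlist == ["self"]:
        return "allowed only for this site"
    return "allowed for: " + ", ".join(allowlist)


def verify_policy(value: str, features=SENSITIVE_FEATURES) -> dict[str, str]:
    """Report the restriction level of each sensitive feature in a header value."""
    policy = parse_permissions_policy(value)
    return {f: describe(policy.get(f)) for f in features}


def is_locked_down(value: str, features=SENSITIVE_FEATURES) -> bool:
    """True only when every listed feature is explicitly denied, as in RECOMMENDED."""
    policy = parse_permissions_policy(value)
    return all(policy.get(f) == [] for f in features)


if __name__ == "__main__":
    for label, value in (("recommended", RECOMMENDED), ("shorter", SHORTER_VALUE), ("weak", WEAK_EXAMPLE)):
        print(f"[{label}] locked down: {is_locked_down(value)}")
        for feature, level in verify_policy(value).items():
            print(f"  {feature:16} {level}")
```

Paste the value shown under Response Headers into verify_policy to see the same breakdown for your site; is_locked_down returns True only for a value that explicitly denies every sensitive feature, which is the state the recommended configuration aims for.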
Check your Cyber Score for Website Security Settings
Reload your Cyber Score and look at the Website Security Settings criteria. If Redirection did its job, you will have a perfect score here 💯
Conclusion
In the digital realm, the security of your small business website is as crucial as locking the doors to your physical storefront. HTTP security headers for WordPress offer an added layer of protection, ensuring that your business, reputation, and customers remain safe. By understanding and implementing these headers, especially with user-friendly tools like the Redirection plugin, you’re taking a significant step towards a more secure online presence.