Adding HTTP Security Headers to WordPress

There are a couple of sites out there which will take a look at the configuration of your site and give pointers as to where you can tighten up your configuration, pointing out if you’re missing headers such as Content-Security-Policy, X-Frame-Options or X-XSS-Protection.

If you run a WordPress Blog there’s a quick way of adding and removing headers – you can do it within the WordPress Admin interface, with the Appearance Editor:

Under this menu find “functions.php”:

A screenshot showing the Edit Themes option open in the WordPress menu.

You can append rules about HTTP Headers to the end of this file. It’s a PHP file so you’ve got flexibility too! Here’s some example code to add a custom HTTP Header:

// Only define and hook the filter when the request arrived over HTTPS;
// browsers ignore Strict-Transport-Security sent over plain HTTP anyway.
if (!empty($_SERVER['HTTPS'])) {
  function add_hsts_header($headers) {
    // wp_headers passes the array of headers WordPress is about to send
    $headers['strict-transport-security'] = 'max-age=31536000; includeSubDomains';
    return $headers;
  }
  add_filter('wp_headers', 'add_hsts_header');
}

If you’d like to remove a header, you can do that too!
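As an added example (not code from the original post), here is one wp_headers filter that sets the headers mentioned above and removes one that WordPress adds by default, plus a second hook for a header that PHP itself emits. The function names are my own, and every header value is a constructed illustration: the Content-Security-Policy in particular must be written for the scripts and styles your theme and plugins really load.

```php
<?php
// Added example: append to the active theme's functions.php (a child theme
// survives theme updates; edits to a parent theme do not).
function my_security_headers($headers) {
    // HSTS only makes sense on HTTPS responses; is_ssl() is WordPress's own check.
    if (is_ssl()) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    $headers['X-Frame-Options']        = 'SAMEORIGIN';
    $headers['X-Content-Type-Options'] = 'nosniff';
    $headers['X-XSS-Protection']       = '1; mode=block';
    $headers['Referrer-Policy']        = 'strict-origin-when-cross-origin';

    // Constructed policy: start in Report-Only mode and watch the browser
    // console for violations before renaming this to Content-Security-Policy.
    $headers['Content-Security-Policy-Report-Only'] = "default-src 'self'";

    // Removing a header: WordPress itself adds X-Pingback to this array,
    // so unsetting the key is enough to stop it being sent.
    unset($headers['X-Pingback']);

    return $headers;
}
add_filter('wp_headers', 'my_security_headers');

// Headers that WordPress does not put in that array (PHP's own X-Powered-By,
// for example) are removed with header_remove() once WordPress sends headers.
add_action('send_headers', function () {
    header_remove('X-Powered-By');
});
```

Two caveats worth knowing before relying on this: the wp_headers filter runs for front-end requests handled by the main WordPress query, not for wp-admin or wp-login.php, so for a site-wide guarantee the same headers belong in the web server configuration as well; and you can confirm what actually leaves the server with `curl -I https://your-site.example/` rather than trusting the PHP alone.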


Now jump over to and take a look at which headers you’re missing!