Description
Security headers are essential for protecting your WordPress website against common attacks, including cross-site scripting (XSS), clickjacking, content sniffing, and certificate transparency issues. The Security Header plugin provides an easy interface to enable or disable essential security headers with just a few clicks.
Key Features:
* HTTP Strict Transport Security (HSTS)
* X-Frame-Options (Prevents clickjacking)
* X-Content-Type-Options (Prevents MIME-type sniffing)
* Referrer-Policy (Controls the referrer header information)
* Content-Security-Policy (Mitigates various attacks like XSS)
* X-XSS-Protection (Prevents Cross-Site Scripting attacks)
* Permissions-Policy (Controls browser features such as microphone, camera, etc.)
* X-Permitted-Cross-Domain-Policies (Restricts cross-domain resource sharing)
* Expect-CT (Enforces certificate transparency)
* Feature-Policy (Controls resource loading for various browser features)
* Cross-Origin-Opener-Policy (Prevents cross-origin attacks by isolating browsing contexts)
* Cross-Origin-Resource-Policy (Restricts sharing of resources across different origins)
Easily toggle each security header from the WordPress admin panel to improve the security of your website without requiring manual code changes.
Features
- Easy-to-use settings page
- Add or remove essential HTTP security headers with just a click
- Supports all major security headers to secure your website
- Helps mitigate a wide range of security vulnerabilities
- Compatible with all WordPress themes and plugins
- Each security header can be enabled/disabled independently
For more information or to get in touch with the developer, visit Inspired Monks Website.
Installation
- Download the plugin and unzip the folder.
- Upload the security-header folder to the /wp-content/plugins/ directory.
- Activate the plugin through the ‘Plugins’ menu in WordPress.
- Go to Settings > Security Headers to configure the plugin options.
FAQ
What security headers can I enable with this plugin?
You can enable the following security headers:
– HTTP Strict Transport Security (HSTS)
– X-Frame-Options
– X-Content-Type-Options
– Referrer-Policy
– Content-Security-Policy (CSP)
– X-XSS-Protection
– Permissions-Policy
– X-Permitted-Cross-Domain-Policies
– Expect-CT
– Feature-Policy
– Cross-Origin-Opener-Policy (COOP)
– Cross-Origin-Resource-Policy (CORP)

Does this plugin work with all themes?
Yes, this plugin works with all WordPress themes, as it modifies the HTTP headers sent by your web server without affecting the content or styling of your site.

Is coding knowledge required to use this plugin?
No coding knowledge is required. The plugin provides a simple admin interface where you can enable or disable headers with just a click.

Can this plugin interfere with my website’s functionality?
Security headers modify how browsers interpret and handle your site. In rare cases, they may interfere with some functionality (e.g., third-party embeds). The plugin allows you to easily disable any problematic headers.

How do I know if the headers are working?
You can use tools like SecurityHeaders.com or web browser developer tools to inspect the HTTP headers and confirm that your settings are applied correctly.

What should I do if a security header is causing an issue?
If a specific header is interfering with your website or a third-party service, you can disable it from the Settings > Security Headers page. Each header is independently configurable, so you can toggle only the ones you need.

Does this plugin affect website performance?
Adding security headers generally has a minimal impact on performance. The headers are small in size and add a negligible amount of data to each request. This plugin only sets headers at the server level without altering front-end content or site functionality.

Can I use this plugin on a multisite installation?
Yes, the Security Header plugin is compatible with WordPress multisite installations. However, you’ll need to configure security headers individually for each site in the network.

Will this plugin prevent all types of attacks?
While security headers provide a robust layer of protection against specific attack vectors (e.g., XSS, clickjacking), they are not a complete security solution. Using this plugin in combination with other security practices, such as regular updates, strong passwords, and security plugins, is recommended.

Are these headers compatible with all browsers?
Most modern browsers support these headers, but certain headers may not be fully compatible with older browsers. You can check browser compatibility for each security header if needed.

Does this plugin support custom settings for each header?
Currently, this plugin provides standardized header values optimized for security. For advanced customizations, please reach out to the developer for additional options or custom development support.

How do I uninstall the plugin, and what happens to the headers?
To uninstall, simply deactivate and delete the plugin from the Plugins menu. All headers set by the plugin will be removed, restoring your website to its previous state.

I found an issue or have a feature request. Where can I report it?
We welcome feedback! Please contact us through Inspired Monks Contact us to report any issues or suggest new features.
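One way to script the check described in the FAQ answer to "How do I know if the headers are working?", as an added example that is not part of the plugin's code: it audits a response head for the twelve headers listed on this page. The sample response, the function names and the three value rules are assumptions of this example.

```python
import re

LISTED = [  # the twelve headers this page lists
    "Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options",
    "Referrer-Policy", "Content-Security-Policy", "X-XSS-Protection",
    "Permissions-Policy", "X-Permitted-Cross-Domain-Policies", "Expect-CT",
    "Feature-Policy", "Cross-Origin-Opener-Policy", "Cross-Origin-Resource-Policy",
]
# Deprecated or superseded in current browsers: reported, not counted as protection.
LEGACY = {"X-XSS-Protection", "Expect-CT", "Feature-Policy"}

def parse_headers(raw):
    """Return {lowercased name: value} from a raw HTTP response head."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]   # drop any body
    lines = head.splitlines()[1:]                         # skip the status line
    return {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines)}

def value_ok(name, value):
    """Check the three headers whose safe values are unambiguous (assumed rules)."""
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", value, re.I)
        return bool(m) and int(m.group(1)) > 0            # max-age=0 switches HSTS off
    if name == "X-Content-Type-Options":
        return value.lower() == "nosniff"
    if name == "X-Frame-Options":
        return value.upper() in {"DENY", "SAMEORIGIN"}
    return True                                           # others: presence only

def audit(raw):
    """Map each listed header to missing / bad value / present (legacy) / ok."""
    got, report = parse_headers(raw), {}
    for name in LISTED:
        value = got.get(name.lower())
        if value is None:
            report[name] = "missing"
        elif not value_ok(name, value):
            report[name] = "bad value"
        else:
            report[name] = "present (legacy)" if name in LEGACY else "ok"
    return report

SAMPLE = (  # constructed response head, not captured from a real site
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=0\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n\r\n"
)
if __name__ == "__main__":
    for header, status in audit(SAMPLE).items():
        print(f"{header:36} {status}")
```

To audit a live site, save the response head that `curl -sI` prints for your URL and pass its text to `audit()`.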
Contributors & Developers
“HTTP Security Header” is open source software. The following people have contributed to this plugin.
Changelog
2.1
- Added support for Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Resource-Policy (CORP) headers.
- Updated the plugin interface for improved user experience.
- Bug fixes and improvements.
2.0.3
- Minor improvements and compatibility updates
2.0.2
- Updated plugin name to “HTTP Security Header”
- Minor improvements and compatibility updates
2.0.1
- Added new screenshots to demonstrate website security before and after using the plugin.
- Updated the settings page layout to use a modern div-based structure instead of a table.
- Applied styling to checkboxes for a sleek, modern look.
- Improved overall user interface and experience on the admin dashboard.
- Minor bug fixes and code optimizations.
2.0
- Added Feature-Policy header.
- Updated prefixes to improve compatibility and prevent conflicts.
- Added protection to prevent direct file access.
1.0
- Initial release with core security headers: HSTS, X-Frame-Options, X-Content-Type-Options, and more.
- Added support for X-Permitted-Cross-Domain-Policies, Expect-CT, and Permissions-Policy headers.
- Improved overall structure and security.
- Added headers_sent() checks to prevent “Headers already sent” errors.
- Added isset() checks to avoid “Undefined array key” warnings for uninitialized options.
- Enhanced security and stability.