How to Add the HSTS Header in WordPress

February 8, 2026

Adding the HSTS (HTTP Strict Transport Security) header to your WordPress site ensures that browsers always connect via HTTPS. Here are the most common methods to implement it.

Prerequisites

Important: Before enabling HSTS, make sure your site is fully working on HTTPS. Once HSTS is enabled, browsers will refuse plain-HTTP connections to your site for the specified duration and will not let visitors click past certificate errors. If your SSL certificate has issues, visitors won't be able to access your site until the policy expires.

Method 1: Apache (.htaccess)

Add the following to your .htaccess file in the WordPress root directory. Note that if mod_headers is not enabled, the IfModule block is skipped silently and no header is sent:

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

Method 2: Nginx

Add this to the HTTPS server block of your Nginx configuration. Keep in mind that a location block which defines any add_header directive of its own does not inherit this one, so the header must be repeated there:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Method 3: WordPress functions.php

Add the header via PHP in your theme's functions.php (a child theme or a small site-specific plugin keeps the change across theme updates):

// Browsers only honour HSTS on HTTPS responses (RFC 6797), so send it only there.
function add_hsts_header() {
    if ( is_ssl() ) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
    }
}
add_action('send_headers', 'add_hsts_header');

Recommended Approach

  1. Start with a short max-age (e.g., 300 seconds = 5 minutes) to test.
  2. Verify your site works correctly over HTTPS.
  3. Increase to max-age=31536000 (1 year).
  4. Add includeSubDomains if all subdomains support HTTPS.
  5. Optionally add preload and submit to the HSTS preload list. The list requires max-age of at least one year together with includeSubDomains, and getting a site removed from it again takes a long time.

Verify Your HSTS Header

After adding the header, run a new InspectWP scan on your site. The security headers section should now show the Strict-Transport-Security header as present.
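A small checker for the rollout stages above, added here as an example and not InspectWP's or WordPress's own code: it parses the Strict-Transport-Security directives per RFC 6797 and reports which stage of the recommended approach a response satisfies. The sample response is constructed; on a real site you would pipe the output of `curl -sI https://your-site/` into it.

```python
"""Classify a site's HSTS policy against the staged rollout (added example)."""
import re
import sys

ONE_YEAR = 31536000  # seconds; the max-age the guide recommends once testing is done


def parse_hsts(value):
    """Split an STS header value into lower-cased directives (RFC 6797 section 6.1).

    Directive names are case-insensitive and separated by ';'; only max-age takes
    a value. Returns None when max-age is missing or not a number, because
    browsers ignore such a header entirely.
    """
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return directives


def evaluate_hsts(headers):
    """Map a dict of response headers (any name casing) to a rollout stage."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"  # no header at all: step 1 not done yet
    directives = parse_hsts(value)
    if directives is None:
        return "invalid"  # present but ignored by browsers
    max_age = int(directives["max-age"])
    if max_age == 0:
        return "disabled"  # max-age=0 tells browsers to forget the policy
    if max_age < ONE_YEAR:
        return "testing"  # short max-age, step 1
    if "includesubdomains" not in directives:
        return "one-year"  # step 3
    if "preload" in directives:
        return "preload-eligible"  # header side of step 5 satisfied
    return "one-year-subdomains"  # step 4


def evaluate_raw_response(raw):
    """Evaluate a raw HTTP response such as the output of `curl -sI`."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip()] = val.strip()
    return evaluate_hsts(headers)


# Constructed sample response, not captured from a real site.
SAMPLE = ("HTTP/2 200\r\nserver: nginx\r\n"
          "strict-transport-security: max-age=31536000; includeSubDomains; preload\r\n")

if __name__ == "__main__":
    print(evaluate_raw_response(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```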
