Security headers are HTTP response headers that instruct the browser to enable various security mechanisms. This guide shows you how to add all important security headers to your WordPress site at once.
All Headers in One .htaccess Block
Add the following to the .htaccess file in your WordPress root directory. Use only one of the three methods in this guide: applying more than one can emit the same header twice.
<IfModule mod_headers.c>
# Prevent clickjacking
Header always set X-Frame-Options "SAMEORIGIN"
# Prevent MIME-type sniffing
Header always set X-Content-Type-Options "nosniff"
# Control referrer information
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Restrict browser features
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
# Force HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# XSS Protection (legacy filter; most current browsers ignore this header)
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Nginx Configuration
Add these lines inside your server block. Nginx only inherits add_header directives from the server block into a location block that defines no add_header of its own; if a location block sets any header, repeat these lines there as well.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-XSS-Protection "1; mode=block" always;
WordPress functions.php Method
Add the following to your active theme's functions.php (or a small site plugin):
function add_security_headers() {
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()');
    header('X-XSS-Protection: 1; mode=block');
    // Strict-Transport-Security is left to the web server configuration above;
    // if you emit it from PHP instead, send it only when is_ssl() is true.
}
// send_headers fires before WordPress outputs anything, so header() still works here.
add_action('send_headers', 'add_security_headers');
Verify All Headers
After adding the headers, run a new InspectWP scan on your WordPress site. All security headers should now appear as green (present) in the security section of your report.
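If you want to verify the headers without an external scanner, the following script is an added example (not part of this guide or of InspectWP). It parses a raw HTTP response, checks each header this guide sets, and reports whether it is present, missing, weaker than the guide's value, or emitted twice (the result of combining the .htaccess and functions.php methods). The sample response, the "weak" thresholds (one-year HSTS max-age, the four Permissions-Policy features) and the helper names are assumptions made for the example.

```python
"""Offline checker for the security headers configured in this guide (added example)."""
import urllib.request

# One year, the max-age the guide's HSTS line uses (threshold is an assumption).
ONE_YEAR = 31536000


def hsts_max_age(value):
    """Return the max-age directive of an HSTS value as an int, or 0 if absent."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def permissions_policy_denies(value, features=("camera", "microphone", "geolocation", "payment")):
    """True if every listed feature is set to the empty allowlist '()'."""
    compact = value.replace(" ", "")
    return all(f"{feature}=()" in compact for feature in features)


# Header name -> predicate saying whether the observed value is at least as strict
# as what the guide configures. Names are lowercase: HTTP header names are case-insensitive.
CHECKS = {
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": permissions_policy_denies,
    "strict-transport-security": lambda v: hsts_max_age(v) >= ONE_YEAR,
    # "0" disables the legacy filter outright, which is also an acceptable value.
    "x-xss-protection": lambda v: v.replace(" ", "") in ("0", "1;mode=block"),
}


def parse_raw_response(raw):
    """Split a raw HTTP response into {lowercase-name: [values...]}; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fetch_headers(url):
    """Fetch url (needs network) and return its headers in the same {name: [values]} shape."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request) as response:
        headers = {}
        for name, value in response.getheaders():  # keeps duplicates, unlike a plain dict
            headers.setdefault(name.lower(), []).append(value)
        return headers


def check_headers(headers):
    """Return {header: 'present' | 'missing' | 'weak' | 'duplicate'} for each checked header."""
    report = {}
    for name, is_ok in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            report[name] = "duplicate"
        elif is_ok(values[0]):
            report[name] = "present"
        else:
            report[name] = "weak"
    return report


# Constructed sample response: HSTS has a short max-age, X-XSS-Protection is
# missing, and X-Frame-Options was emitted twice (two methods applied at once).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_headers("https://your-site.example/")
    # to check a live site.
    for header, status in check_headers(parse_raw_response(SAMPLE_RESPONSE)).items():
        print(f"{header:28} {status}")
```

A "duplicate" result is worth fixing even when both values agree: it means two layers are setting the header, and a later change to one of them will silently leave the other in place.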