Let’s see three different methods to add HSTS (HTTP Strict Transport Security) to WordPress. At Bobcares, with our WordPress Support Services, we can handle your WordPress issues.

How to add HSTS to WordPress?

HTTP security headers are most effective when they are enabled at the WordPress hosting account level. This allows them to be activated early in a typical HTTP request, providing the best advantage. They perform considerably better if we have a DNS-level website application firewall installed, such as Cloudflare.

In this article, we will show three methods to add HSTS to WordPress.

Methods to add HSTS to WordPress

Method 1

In this method, we are using Cloudflare to add HSTS to WordPress. Using HTTP security headers, this method provides basic protection. It does not, however, allow us to add X-Frame-Options, and Cloudflare does not provide a user interface for doing so.

1. Turn on Cloudflare for the website.
2. Navigate to the SSL/TLS page in the Cloudflare account dashboard, then to the Edge Certificates tab.
3. Scroll down to HTTP Strict Transport Security (HSTS) and click the ‘Enable HSTS’ button. This will display a message informing us that we must have HTTPS enabled on the WordPress blog before using this feature.
4. To proceed, click the Next button, and we will see the options for adding HTTP security headers.
5. We can enable HSTS, add a no-sniff header, apply HSTS to subdomains (if they use HTTPS), and preload HSTS from this page.

Method 2

This method relies on a WordPress plugin to change the headers. It is, however, the simplest technique to add HSTS to the WordPress website.

1. Firstly, install and enable the Redirection plugin. When we activate the plugin, it will display a setup wizard that we can simply follow to set up the plugin.
2. After that, navigate to the Tools » Redirection page and select the ‘Site’ tab.
3. Then, scroll down to the HTTP Headers section at the bottom of the page and click the ‘Add Header’ button.
4. Select the ‘Add Security Presets’ option from the drop-down menu.
5. We will then need to click on it again to add those options. The table will now display a predefined list of HTTP security headers.
6. We can go over them and make changes as needed.
7. Lastly, remember to click the Update button to save the changes.

Method 3

Using .htaccess, we can set the HSTS in WordPress at the server level. In this method, we have to edit the .htaccess file on the website.

1. Use an FTP client or the file manager app in the hosting control panel to connect to the website.
2. Locate the .htaccess file in the root folder of the website and edit it.
3. This will launch a simple text editor. We can add the code to the WordPress website’s HTTPS security headers at the bottom of the file.
4. Finally, save the changes made. Also, check the website to ensure that everything is working properly and HSTS is added to WordPress.

[Looking for a solution to another query? We are just a click away.]

Conclusion

The article provides three methods from our WordPress Support team to add HSTS to WordPress. The methods use Cloudflare, Redirection plugin, and finally .htaccess config file edit.