Http Strict Transport Security Is Not Enabled WordPress

Hence, enabling HSTS will oblige the browser to load the secure model of an internet site and ignore any calls or redirect requests to load a net site over the HTTP protocol. This closes the redirection vulnerability that exists with a 301 and 302 redirect. HTTP security headers work finest when they’re configured in your web server or, where relevant, your Content Delivery Network or Web Application Firewall. Alternatively, whereas less perfect, you must use a WordPress plugin to set these headers for you.

http strict transport security is not enabled wordpress

After you put in an SSL certificate on your internet server, you must all the time run an SSL check to verify that every thing is setup accurately. This is principally getting your web site and or area on an permitted HSTS list that’s actually constructed into the browser. Google formally compiles this list and it’s utilized by Chrome, Firefox, Opera, Safari, IE11, and Edge.

The Means To Add Hsts To Your WordPress Website

There is also a adverse side to HTTP Strict Transport Security coverage that visitor’s browser has to see the HSTS header at least as soon as earlier than it could benefit from it for future visits. This implies that they will have to undergo the HTTP to HTTPS course of at least as quickly as, leaving them weak the first time they visit an HSTS-enabled web site. Here comes the ultimate step of modifying the .htaccess file and adding the HSTS rule. Now, you want to connect to your server remotely by way of SSH so you presumably can access the .htaccess file of your software.

These intruders can also redirect you to a clone model of the website you are trying to entry and steal your whole information as you enter it, even when it looks safe. This article will demonstrate the steps of enabling the HTTP Strict Transport Security policy for your website. You will also study what HSTS is and the importance of enabling the HSTS policy.

Ssl Check

Similarly, other web browsers corresponding to Internet Explorer, Firefox, Safari, and Opera have their very own HSTS Preload Lists, which relies on Chrome’s HSTS Preload List. It’s time to confirm in case your web site has an HSTS coverage carried out or not, and there are a few methods to verify it. We recommend using a third-party tool referred to as SecurityHeaders.

http strict transport security is not enabled wordpress

Thanks a bunch, I had some hard time figuring out the right settings for the X-Frame-Options since I use Elementor for my website. It masses it into a body, which was not working then anymore after setting the header to same origin, deny. Hi Christine, sorry to hear that you’re working into bother. It’s often a conflict with another plugin, or presumably the .htaccess file needing optimization. Try using a web site like GTMetrix to see should you can slender down what scripts or plugins are causing the slowdown. That might help level you in direction of what specifically needs to be optimized or is inflicting the problem.


There are also a number of old and unused HTTP safety headers. They are no longer used, or now not work as a outcome of they have been both launched as short-term fixes, experiments, and even non-standard initiatives that have since both been deprecated or changed completely. You also can scan your WordPress website with a free on-line tool like which can let you realize if the strict-transport-security header is being applied or not. Once you might have met all these requirements, you can use this code in your functions.php file as a substitute to support HSTS preloading. With all of the safety breaches that we’ve seen just this past year, it makes total sense to want to move every little thing over to SSL.

  • Here comes the final step of enhancing the .htaccess file and including the HSTS rule.
  • The HSTS header could be stripped by the attacker if that is the user’s first visit.
  • HTTP safety headers work greatest when they are configured on your internet server or, the place relevant, your Content Delivery Network or Web Application Firewall.
  • Customers go to your web site, buy merchandise and move delicate information like passwords, bank card particulars and so forth.

Alternatively, whereas much less effective , using a WordPress plugin could be the easiest way to add HTTP security headers to your WordPress web site. Plugins such as the Redirection plugin permit you to add customized HTTP headers to your web site. Now that we have coated the purpose of HTTP security headers, here are a number of ways during which they can be enabled on your WordPress web site.