Plugins DatabasePlugins Database logo
Back to plugins
Homepage WordPress

Actions

DownloadAuthor pageSee on WordPress

Plugin info

Total downloads: 46,553
Active installs: 4,000
Total reviews: 8
Average rating: 5
Support threads opened: 0
Support threads resolved: 0 (0%)
Available in: 1 language(s)
Contributors: 1
Last updated: 2/26/2019 (2500 days ago)
Added to WordPress: 4/10/2015 (10 years old)
Minimum WordPress version: 3.8.1
Tested up to WordPress version: 5.1.21
Minimum PHP version: 5.6

Maintenance & Compatibility

Maintenance score

Possibly abandoned • Last updated 2500 days ago • 8 reviews

22/100

Is Security Headers abandoned?

Possibly abandoned (last update 2500 days ago).

Compatibility

Requires WordPress: 3.8.1
Tested up to: 5.1.21
Requires PHP: 5.6

Ratings

8
0
0
0
0See all reviews

Developers

Simon Waters1

Languages

Similar & Alternatives

Explore plugins with similar tags, and compare key metrics like downloads, ratings, updates, support, and WP/PHP compatibility.

Eazy HTTP Headers
Rating 0.0/5 (0 reviews)Active installs 30
Compare
See more alternatives to Security Headers

Description

TLS is growing in complexity. Server Name Indication (SNI) now means HTTPS sites may be on shared IP addresses, or otherwise restricted. For these servers it is handy to be able to set desired HTTP headers without access to the web servers configuration or using .htaccess file.

This plug-in exposes controls for:

  • HSTS (Strict-Transport-Security)
  • HPKP (Public-Key-Pins)
  • Disabling content sniffing (X-Content-Type-Options)
  • XSS protection (X-XSS-Protection)
  • Clickjacking mitigation (X-Frame-Options in main site)
  • Expect-CT

HSTS is used to ensure that future connections to a website always use TLS, and disallowing bypass of certificate warnings for the site.

HPKP is used if you don’t want to rely solely on the Certificate Authority trust model for certificate issuance.

Disabling content sniffing is mostly of interest for sites that allow users to upload files of specific types, but that browsers might be silly enough to interpret of some other type, thus allowing unexpected attacks.

XSS protection re-enables XSS protection for the site, if the user has disabled it previously, and sets the “block” option so that attacks are not silently ignored.

Clickjacking protection is usually only relevant when someone is logged in but users requested it, presumably they have rich content outside of WordPress authentication they wish to protect.

Expect-CT is used to ensure Certificate Transparency is configured correctly.

Installation

  1. Upload “security_headers.php” to the “/wp-content/plugins/” directory.
  2. Activate the plugin through the “Plugins” menu in WordPress.

Frequently Asked Questions

No FAQ available

Review feed

No reviews available

Screenshots

No screenshots available

Changelog

1.1

Fix missing close anchor which breaks recent WordPress

1.0

Add support for wp-login.php page

Add support for Expect-CT header

0.9

Removed unnecessary whitespace in HSTS header (thanks Thomas)

Added Referrer-Policy header

Corrected plugins name from “HTTP Headers” to “Security Header” (thanks Jamie)

Removed trailing semi-colon from X-XSS-Protection (it worked but not needed)

0.8

Add headers to admin section of WordPress

Added option to set the X-Frame-Options headers to main site

Added HSTS Preload header (thanks to Jamie)

0.7

Add report-uri

Fix handling of non-numeric blank strings for HPKP max-age

0.6

HPKP support

Check for TLS before emitting HSTS or HPKP headers

0.5

Change h2 for h1 for accessibility per #31650

0.4

License change
Clarify wording for XSS protection in readme

0.3

Prepare for release

0.2

Added Sonarqube file and formatting changes

0.1

  • Initial release.
Back to plugins