WordPress SSL Alert: Missing Security Headers in .htaccess File

WordPress website owners started to see a new alert with recommended actions in the WordPress site’s health security (if you have Simple SSL plugin active).

What caused the new health alert?

The new alert in the “Site heath” section appeared after updating the Really Simple SSL plugin.

In this article, we will fix the following missing security headers using the .htaccess file.

• HTTP Strict Transport Security
• Content Security Policy: Upgrade Insecure Requests
• X-XSS protection
• X-Content Type Options
• Referrer-Policy
• X-Frame-Options
• Expect-CT

How to add the new security headers to the .htaccess file?

We’ve put together a single code to be added to your .htaccess file that will fix all your security headers issues, and then this alert will disappear accordingly.

Note: please make sure that you have access to your cPanel before implementing any of these lines in your htaccess file, because if something went wrong you will lose access to your wordpress admin dashboard.

Copy and paste the below code at the end of your .htaccess.

<ifModule mod_headers.c>
Header always set Content-Security-Policy “upgrade-insecure-requests;”
</IfModule>

# Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection “1; mode=block”
Header set X-Frame-Options “SAMEORIGIN”
Header set X-Content-Type-Options “nosniff”
Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains”
# Header set Content-Security-Policy …
Header set Referrer-Policy “same-origin”
</IfModule>

<IfModule mod_headers.c>
Header set Expect-CT enforce,max-age=2592000,report-uri=”https://foo.example/report”
</IfModule>

Tool to verify http response headers

To verify your http response headers fixes, you can test your url using on of the following tools/methods:

• Security Headers
• Redbot.org
• or you can install a free wordpress plugin called “http headers plugin“

Happy Fixing!