How To

Wordpress SSL Alert: Missing Security Headers in .htaccess File

WordPress website owners started to see a new alert with recommended actions in the WordPress site’s health security.

What caused the new health alert?

Wordpress Alert: Missing Security Headers in .htaccess File

The new alert in the “Site heath” section appeared after updating the Really Simple SSL plugin.

In this article, we will fix the following missing security headers using the .htaccess file.

  • HTTP Strict Transport Security
  • Content Security Policy: Upgrade Insecure Requests
  • X-XSS protection
  • X-Content Type Options
  • Referrer-Policy
  • X-Frame-Options
  • Expect-CT

How to add the new security headers to the .htaccess file?

We’ve put together a single code to be added to your .htaccess file that will fix all your security headers issues, and then this alert will disappear accordingly.

Copy and paste the below code at the end of your .htaccess.

<ifModule mod_headers.c>

Header always set Content-Security-Policy “upgrade-insecure-requests;”


# Security Headers

<IfModule mod_headers.c>

Header set X-XSS-Protection “1; mode=block”

Header set X-Frame-Options “SAMEORIGIN”

Header set X-Content-Type-Options “nosniff”

Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains”

# Header set Content-Security-Policy …

Header set Referrer-Policy “same-origin”


<IfModule mod_headers.c>

Header set Expect-CT enforce,max-age=2592000,report-uri=”https://foo.example/report”


Happy Fixing!

See More