HTTP headers to improve web site security

Descriere

This plug-in helps setting up the various header instructions included in the HTTP protocol allowing for simple improvement of your website security.

This plug-in provides enabling of the following measures:

  • HSTS (Strict-Transport-Security)
  • CSP (Content-Security-Policy)
  • Clickjacking mitigation (X-Frame-Options in main site)
  • XSS protection (X-XSS-Protection)
  • Disabling content sniffing (X-Content-Type-Options)
  • Referrer policy
  • Expect-CT
  • Remove PHP version information from the HTTP header
  • Remove WordPress version information from the header

securityheaders.com is a useful resource for evaluating your web site’s security.

As usual, make sure to understand the meaning of these options and to run full tests on your web site as some options may result in some features stop working.

Capturi ecran

  • General settings screen.
  • Content-Security-Policy directives settings screen.
  • .htaccess contents screen.

Instalare

  1. Upload the plugin files to the /wp-content/plugins/http-security directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the „Plugins” screen in WordPress.
  3. Use the Settings -> HTTP Security screen to configure the plugin.

Întrebări frecvente

How can I test the plug-in runs effectively?

Check the HTTP headers of your web site.

Verificări

8 iulie 2019
If I could, I would give you 10 stars and dance at your wedding. You just saved me HOURS of work trying to figure out how to secure my site. After two hacks, I had enough and started securing it on my own. To slow and labor intensive (W3C school). Literally took me not even 5 minutes. So, THANK YOU, THANK YOU, THANK YOU.
30 mai 2019
Really easy to set up, a lot of different options but still not hard to get into. The plugin does exactly what it is meant to do and does a great job at it! Adding a CSP to your site is only a matter of minutes with the plugin, but is a great addition to make your website secure against a lot of different attacks. Thanks a lot for the plugin!
4 martie 2019
I've used this to implement http security headers on my WordPress site. Very easy to use and get good scores on evaluation sites. Content Security Policy seems to be an emerging technique to improve security. Its easy to implement using this plugin. Only one problem I've noticed: When I input data in the box for base-uri: and then check with Google CSP Evaluator it shoes all of the CSP values except for base-uri where it shows "base-uri;" regards of what's entered in the plugin. Base-uri doesn't fall back to the default-src directive so this shows up as an issue. Still deserves 5 stars for its ease of use.
22 iunie 2018
I really like this plugin. I tried others for CSP and I chose this over the others for its ease of use. CSP is complicated enough. By using this plugin it is easier to implement a content security policy and security headers on WordPress. I highly recommend this plugin. Thanks for taking the time to make this plugin.
9 mai 2018
Perfect plugin for the job it needs to do. The developer is great as well!
Citește toate cele 8 recenzii

Contributori și dezvoltatori

„HTTP headers to improve web site security” este un software open-source. La acest modul au contribuit următoarele persoane.

Contributori

„HTTP headers to improve web site security” a fost tradus în 6 locale. Mulțumim traducătorilor pentru contribuția lor.

Tradu „HTTP headers to improve web site security” în limba ta.

Te interesează dezvoltarea?

Răsfoiește codul, vezi depozitarul SVN, sau abonează-te la jurnalul de dezvoltare prin RSS.

Istoric modificări

2.5

  • Added support for Feature-Policy

2.4.2

  • Tested with WordPress 5.0

2.4

  • Added .htaccess instructions

2.3.2

  • Tested with WordPress 4.9

2.3

  • Added support for Expect-CT
  • Cleaned up the interface

2.2

  • Switched to languages packs

2.1

  • Added support for Referrer-Policy directive
  • Added uninstall database cleanup

2.0

  • Added support for all Content-Security-Policy directives
  • Reworked the user interface

1.11

  • Added setting the mode for x-frame-options

1.10.7

  • Removed HSTS header when connected in HTTP

1.10.3

  • Fixed HSTS syntax warning

1.10

  • Added support for Content-Security-Policy

1.9

  • Added critical issues notifications

1.7.5

  • Added max-age option to HSTS setting

1.6

  • Added option to remove WordPress version information from the header

1.5

  • Added option to remove PHP version information from the HTTP header

1.4

  • Included link to submit site preload to browsers
  • Reduced HSTS max-age to one year

1.3

  • Added X-Frame-Options protection.
  • Added X-Content-Type-Options protection.
  • Added HSTS options.

1.1

  • Added XSS protection option.

1.0

  • First stable version providing basic HSTS support.