I’ve updated the WordPress Security headers plugin.

Added support for HSTS Preload.

Added support for restricting framing via the X-Frame-Options header on the main site (I know you should do this via Content Security Policy, but there has to be a goal for 0.9).

Added the headers to the admin pages (via admin_init action), as previously headers were only served on the main site (via send_headers action).

No known bugs or feature requests remain; it is far from perfect but we maintain the illusion of perfection as long as possible.

Please report bugs or place feature requests on the support page.