Author Archives: Simon Waters

WordPress plugin “Security Headers”

I’ve written a small WordPress plugin called “Security Headers“.

You’ll want this if you are trying to host a WordPress site using HTTPS, and you want to use HSTS to prevent SSL stripping attacks, disable content sniffing, or worry people may have disabled the XSS auditor in their browser (and you worry about XSS risk on your site and want to re-enable it). You also need to feel clicking and pointing is better than making typos in config files, or feel the separation of critical security settings between web server configuration and application configuration will only lead to controls being lost when the site is migrated, or the web server updated).

The plug-in allows a site owner to set HSTS headers and a couple of other security related headers without editing the .htaccess file, or the web server configuration.

Currently it is a bit overkill for 3 headers, but I hope to include HPKP, CSP, and also expect to add redirects for HTTP to HTTPS shortly as per the apparently abandoned HSTS WordPress plug-in. I also want to include more help text, and links to helpful tools. In the style of OS2/Warp’s help, where the information you need to decide how to choose settings is presented along with the control to change that setting.

No effort has been made at performance optimisations, if you are hosting WordPress and not using a Content Delivery Network (CDN), your site will be toast if it ever gets any real amount of traffic anyway. You should probably shun the caching plug-ins for WordPress as most have a dreadful security record (and yes, I know, plumbers and dripping taps).

I have done basic security testing on the plug-in, but it is presented without warranty.

HSTS’s “include sub-domains” option is a potent tool, especially while many certificates include both “example.com” and “www.example.com”, just because I’m trying to make it easy to set these settings, doesn’t mean you should set them lightly.

Get out of jail: You can in the worst case disable mistaken HSTS settings by setting a time of “0” and persuading users to visit the HTTPS version of the site again.

0.3 is the first public release, it calls itself 0.2 because this is my first WordPress plug-in hosted at WordPress, so expect the next release to be “0.4”, and this confusion to be resolved. I am using and testing with WordPress 4.1.1, please rate, and vote that it works if it does, please report bugs if it doesn’t. Constructive criticism always welcome.

Copyright is owned by Surevine Ltd, who I’m sure will be happy to provide services (including my services) for people interested in security of web and intranet sites. They too will disclaim any responsibility.

Instructions for use:

Add a new plugin.

Add a plugin

Add a plugin

Search for “Security Headers”

Security Headers plugin

Install and activate the plug-in, and then look for the new “HTTP Headers” menu.

HTTP Headers menu added by Security Headers WordPress Plugin

Select appropriate values (most people can use something like those shown below for best effect).

Settings page of Security Headers WordPress Plugin