I’ve updated the WordPress Security headers plugin.
Added support for HSTS Preload.
Added support for restricting framing via the X-Frame-Options header on the main site (I know you should do this via Content Security Policy, but there has to be a goal for 0.9).
Added the headers to the admin pages (via admin_init action), as previously headers were only served on the main site (via send_headers action).
No known bugs or feature requests remain; it is far from perfect but we maintain the illusion of perfection as long as possible.
Please report bugs or place feature requests on the support page.