WordPress plugin “Security Headers”

I’ve written a small WordPress plugin called “Security Headers”.

You’ll want this if you host a WordPress site over HTTPS and want to send HSTS to prevent SSL stripping attacks, to disable MIME-type sniffing, or to re-enable the browser’s XSS auditor for visitors who have turned it off (because you worry about XSS on your site). It also helps if you feel that pointing and clicking beats making typos in config files, or that splitting critical security settings between the web server configuration and the application configuration will only lead to controls being lost when the site is migrated or the web server is updated.

The plug-in lets a site owner set the HSTS header and a couple of other security-related headers without editing the .htaccess file or the web server configuration.

Currently it is a bit overkill for three headers, but I hope to include HPKP and CSP, and I also expect to add HTTP-to-HTTPS redirects shortly, as the apparently abandoned HSTS WordPress plug-in did. I also want to include more help text and links to helpful tools, in the style of OS/2 Warp’s help, where the information you need to choose a setting is presented alongside the control that changes it.

No effort has been made at performance optimisation; if you are hosting WordPress without a Content Delivery Network (CDN), your site will be toast if it ever gets any real amount of traffic anyway. You should probably shun the caching plug-ins for WordPress, as most have a dreadful security record (and yes, I know, plumbers and dripping taps).

I have done basic security testing on the plug-in, but it is presented without warranty.

HSTS’s “includeSubDomains” option is a potent tool, especially while many certificates cover both “example.com” and “www.example.com” but nothing else: once set, every sub-domain of the bare domain will be forced to HTTPS by returning browsers, whether or not it has a valid certificate. Just because I’m trying to make these settings easy to set doesn’t mean you should set them lightly.

Get out of jail: in the worst case you can disable a mistaken HSTS policy by setting the time (max-age) to “0” and persuading users to visit the HTTPS version of the site again, so that their browsers receive the new header and drop the cached policy. Until they do, their browsers will keep forcing HTTPS for the old duration.
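As an added example (not the plugin’s own code, whose option names and internals are not shown on this page), here is a minimal plugin covering the points above: the headers are sent from PHP rather than .htaccess, the HTTP-to-HTTPS redirect I mention wanting to add is included, and the max-age “0” escape hatch is handled, with “includeSubDomains” only appended when explicitly asked for. The option names `sh_hsts_max_age` and `sh_hsts_subdomains` are assumed for illustration.

```php
<?php
/*
Plugin Name: Security Headers (illustrative minimal version)
Description: Sends HSTS and a few other security headers from PHP, no .htaccess needed.
*/

// Option names are hypothetical; the real plugin's option keys are not shown on the page.
define( 'SH_OPT_HSTS_MAX_AGE', 'sh_hsts_max_age' );       // seconds; 0 tells browsers to forget the policy
define( 'SH_OPT_HSTS_SUBDOMAINS', 'sh_hsts_subdomains' ); // '1' to append includeSubDomains

/**
 * Build the Strict-Transport-Security value. A max-age of 0 is the "get out of
 * jail" setting: a browser that receives it over HTTPS drops its cached policy.
 * includeSubDomains is only added for a non-zero max-age, since with 0 there is
 * no policy left to extend to sub-domains.
 */
function sh_build_hsts( $max_age, $include_subdomains ) {
    $max_age = max( 0, (int) $max_age );
    $value   = 'max-age=' . $max_age;
    if ( $max_age > 0 && $include_subdomains ) {
        $value .= '; includeSubDomains';
    }
    return $value;
}

/**
 * Emit the headers. Hooked on 'init' so it runs for front-end, admin and login
 * requests alike, before any output. HSTS is only sent over HTTPS: browsers
 * ignore it on plain HTTP (RFC 6797), so sending it there gains nothing.
 */
function sh_send_security_headers() {
    if ( headers_sent() ) {
        return; // something already flushed output; nothing we can do now
    }
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-XSS-Protection: 1; mode=block' ); // note: no trailing semicolon

    // WordPress core already sends X-Frame-Options on admin and login pages
    // (send_frame_options_header on admin_init / login_init), so add it only elsewhere.
    if ( ! is_admin() && 'wp-login.php' !== $GLOBALS['pagenow'] ) {
        header( 'X-Frame-Options: SAMEORIGIN' );
    }

    if ( is_ssl() ) {
        $max_age = get_option( SH_OPT_HSTS_MAX_AGE, 0 );
        $subs    = get_option( SH_OPT_HSTS_SUBDOMAINS, 0 );
        header( 'Strict-Transport-Security: ' . sh_build_hsts( $max_age, $subs ) );
    }
}
add_action( 'init', 'sh_send_security_headers' );

/**
 * Redirect plain-HTTP front-end requests to HTTPS. The target host is taken
 * from the site's configured home URL rather than the Host header, so a forged
 * Host cannot turn this into an open redirect; wp_safe_redirect() additionally
 * refuses hosts outside the allowed list.
 */
function sh_redirect_to_https() {
    if ( is_ssl() ) {
        return;
    }
    $host   = parse_url( home_url(), PHP_URL_HOST );
    $target = 'https://' . $host . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 301 );
    exit;
}
add_action( 'template_redirect', 'sh_redirect_to_https' );
```

Drop the file into wp-content/plugins/, activate it, and set the two options (for example with `wp option update sh_hsts_max_age 31536000`). Start with a short max-age and the redirect as a 302 until you are sure every sub-domain and every URL works over HTTPS; only then raise the age and switch to 301. Check the result with `curl -sI https://your-site/` and confirm the Strict-Transport-Security line appears exactly once.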

0.3 is the first public release; it calls itself 0.2 because this is my first WordPress plug-in hosted at WordPress.org, so expect the next release to be “0.4” and this confusion to be resolved. I am using and testing with WordPress 4.1.1. Please rate it, vote that it works if it does, and report bugs if it doesn’t. Constructive criticism is always welcome.

Copyright is owned by Surevine Ltd, who I’m sure will be happy to provide services (including my services) to people interested in the security of web and intranet sites. They too disclaim any responsibility.

Instructions for use:

Add a new plugin.

Add a plugin

Search for “Security Headers”

Security Headers plugin

Install and activate the plug-in, then look for the new “HTTP Headers” menu.

HTTP Headers menu added by Security Headers WordPress Plugin

Select appropriate values (most people can use something like those shown below for best effect).

Settings page of Security Headers WordPress Plugin

5 thoughts on “WordPress plugin “Security Headers””

  1. Rainer Brockerhoff

    Hi! Thanks for the plug-in.
    I’m inserting this line:
    header("X-Frame-Options: SAMEORIGIN");
    before:
    // HSTS
    Maybe that should be an option in the next version?
    Best,
    Rainer

  2. Simon Waters Post author

    Hi Rainer,

    WordPress already inserts “X-Frame-Options” under some circumstances (login and admin pages), but I’ll certainly consider it; I fear I duplicate this header on my own blog because it isn’t done correctly.

    I recently added HPKP, so I need to add HPKP report-uri option.

    I note my own blog also manipulates the cookie flags, which is probably desirable, I may have to learn some more PHP 🙂

  3. Mitchell Krog

    Thanks for writing this plugin, works like a charm and takes the guess work out of WHY Apache doesn’t send the headers set in a .conf or .htaccess file. If everyone knew what this plugin was for, everyone would be using it.

    WordPress does a LOT of fiddling with server headers and provides no way of saying “no stop doing that”. One can spend hours fiddling with Apache sending Header set commands and they are all ignored because WordPress takes over, this plugin just saved the day for me and works like an absolute charm.

    Please can you consider adding “X-Frame-Options” in your next release.

    I have manually added it myself by modifying this section of code, but it would be cleaner if it were included in the plugin with a checkbox and the ability to set different options for X-Frame-Options.

    I just modified this section of code for now.

    // XSS
    $xss = esc_attr(get_option('security_headers_xss'));
    if ($xss == 1) {
        // "1; mode=block" with no trailing semicolon is the valid form of this value
        header("X-XSS-Protection: 1; mode=block");
        header("X-Frame-Options: SAMEORIGIN");
    }

  4. mikrom

    Hi, I am just playing with these headers. I had an error in redbot.org, and I solved it by removing the semicolon in one header. It’s already been mentioned on the plugin page; this is okay.
    But I have another problem, and I am not able to fix it. Popular caching plugins break these headers, so I can’t pass securityheaders.io. Have you any idea what can solve this?
    I only found that Comet Cache should work (https://wordpress.org/support/topic/content-security-policy-header-missing-after-activating-the-wp-super-cache/) and here is some .htaccess rule that doesn’t fix it (https://wordpress.org/support/topic/wp-super-cache-is-not-compatible-with-content-security-policy-headers/); that’s all.
    So it can’t be solved by any .htaccess magic line? Or something?
