Boost WordPress Security by Adding Essential Headers through functions.php

Since WordPress is a widely used platform, it is also a target for hackers.

Adding security headers to your WordPress website can help increase its protection against potential security threats, such as cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) attacks, and more. One way to add security headers is by using a code snippet in your theme’s functions.php file. Use the ‘Lean more’ to read all about that specific header and what other options you can use.

Before you start, you can check the security of your website via:


X-Frame-Options tells the browser whether you want to allow your site to be (i)framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Learn more.

function add_security_header_clickjacking() {
	header( 'X-Frame-Options: SAMEORIGIN' );
add_action( 'send_headers', 'add_security_header_clickjacking' );

MIME Sniffing

It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server. It reduces exposure to drive-by downloads and the risks of user uploaded content that, with clever naming, could be treated as a different content-type, like an executable. Learn more.

function add_security_header_mimesniff() {
    header( 'X-Content-Type-Options: nosniff' );
add_action( 'send_headers', 'add_security_header_mimesniff' );


This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). It tells the browser to block the response if it detects an attack rather than sanitising the script. Learn more.

function add_security_header_xxssprotect() {
    header( 'X-XSS-Protection: 1;mode=block' );
add_action( 'send_headers', 'add_security_header_xxssprotect' );

Referrer Policy

The browser will not send the referrer header when navigating from HTTPS to HTTP, but will always send the full URL in the referrer header when navigating from HTTP to any origin. It doesn’t matter whether the source and destination are the same site or not, only the scheme. Learn more.

function add_security_header_referrerpolicy() {
	header( 'Referrer-Policy: no-referrer-when-downgrade' );
add_action( 'send_headers', 'add_security_header_referrerpolicy' );

Content Security Policy (CSP)

This is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. Learn more.

function add_security_header_contentpolicy() {
    header( 'Content-Security-Policy: upgrade-insecure-requests;' );
add_action( 'send_headers', 'add_security_header_contentpolicy' );

HTTP Strict Transport Security (HSTS)

This is a policy mechanism that helps to protect the website against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. Learn more.

function add_security_header_hsts() {
	header( 'Strict-Transport-Security: "max-age=31536000" env=HTTPS' );
add_action( 'send_headers', 'add_security_header_hsts' );

Disable Themes & Plugins Editor

Disable the option to edit themes and plugins code directly from the WordPress admin to prevent potential coding errors or unauthorized access via the WordPress editor.

define( 'DISALLOW_FILE_EDIT', true );

Hide WordPress version

Many attackers scan sites for vulnerable WordPress versions. By hiding the version from your site HTML, you avoid being marked by hackers for mass attacks.

add_filter( 'the_generator', '__return_empty_string' );

Pro tip: ofcourse you can bundle all the headers into one function. Use the following PHP code and add it to your functions.php:

function hoolite_add_security_headers() {
	header("X-Frame-Options: SAMEORIGIN");
	header("X-Content-Type-Options: nosniff");
	header("X-XSS-Protection: 1;mode=block");
	header("Referrer-Policy: no-referrer-when-downgrade");
	header("Content-Security-Policy: upgrade-insecure-requests;");
	header('Strict-Transport-Security: "max-age=31536000" env=HTTPS');
add_action("send_headers", "hoolite_add_security_headers");

After adding your security headers, test your website again via:

In conclusion, adding security headers to your WordPress website via the functions.php file is a quick and easy way to increase its protection against potential security threats. However, it’s essential to understand the headers you are setting and their impact on your website’s functionality. As always, make a backup of the functions.php file before making any changes.

That’s it! ✌️

Support 🐶

If you found this article helpful, got a question or spotted an error/typo... Do well to leave your feedback in the comment section or help spread it by sharing this article. If you're feeling generous (and I hope you do) you can definitely help me by getting me a cup of coffee ☕.

You may like these too!

Leave a Reply

Your email address will not be published. Required fields are marked *