Boost WordPress Security by Adding Essential Headers through functions.php

Since WordPress is a widely used platform, it is also a target for hackers.

Adding security headers to your WordPress website can help increase its protection against potential security threats, such as cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) attacks, and more. One way to add security headers is by using a code snippet in your theme’s functions.php file. Use the ‘Lean more’ to read all about that specific header and what other options you can use.

Before you start, you can check the security of your website via:


X-Frame-Options tells the browser whether you want to allow your site to be (i)framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Learn more.

function add_security_header_clickjacking() {
	header( 'X-Frame-Options: SAMEORIGIN' );
add_action( 'send_headers', 'add_security_header_clickjacking' );
Code language: PHP (php)

MIME Sniffing

It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server. It reduces exposure to drive-by downloads and the risks of user uploaded content that, with clever naming, could be treated as a different content-type, like an executable. Learn more.

function add_security_header_mimesniff() {
    header( 'X-Content-Type-Options: nosniff' );
add_action( 'send_headers', 'add_security_header_mimesniff' );
Code language: PHP (php)


This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). It tells the browser to block the response if it detects an attack rather than sanitising the script. Learn more.

function add_security_header_xxssprotect() {
    header( 'X-XSS-Protection: 1;mode=block' );
add_action( 'send_headers', 'add_security_header_xxssprotect' );
Code language: PHP (php)

Referrer Policy

The browser will not send the referrer header when navigating from HTTPS to HTTP, but will always send the full URL in the referrer header when navigating from HTTP to any origin. It doesn’t matter whether the source and destination are the same site or not, only the scheme. Learn more.

function add_security_header_referrerpolicy() {
	header( 'Referrer-Policy: no-referrer-when-downgrade' );
add_action( 'send_headers', 'add_security_header_referrerpolicy' );
Code language: PHP (php)

Content Security Policy (CSP)

This is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. Learn more.

function add_security_header_contentpolicy() {
    header( 'Content-Security-Policy: upgrade-insecure-requests;' );
add_action( 'send_headers', 'add_security_header_contentpolicy' );
Code language: PHP (php)

HTTP Strict Transport Security (HSTS)

This is a policy mechanism that helps to protect the website against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. Learn more.

function add_security_header_hsts() {
	header( 'Strict-Transport-Security: "max-age=31536000" env=HTTPS' );
add_action( 'send_headers', 'add_security_header_hsts' );
Code language: PHP (php)

Disable Themes & Plugins Editor

Disable the option to edit themes and plugins code directly from the WordPress admin to prevent potential coding errors or unauthorized access via the WordPress editor.

define( 'DISALLOW_FILE_EDIT', true );
Code language: PHP (php)

Hide WordPress version

Many attackers scan sites for vulnerable WordPress versions. By hiding the version from your site HTML, you avoid being marked by hackers for mass attacks.

add_filter( 'the_generator', '__return_empty_string' );
Code language: PHP (php)

Pro tip: ofcourse you can bundle all the headers into one function. Use the following PHP code and add it to your functions.php:

function hoolite_add_security_headers() {

	header("X-Frame-Options: SAMEORIGIN");

	header("X-Content-Type-Options: nosniff");

	header("X-XSS-Protection: 1;mode=block");

	header("Referrer-Policy: no-referrer-when-downgrade");

	header("Content-Security-Policy: upgrade-insecure-requests;");

	header('Strict-Transport-Security: "max-age=31536000" env=HTTPS');

add_action("send_headers", "hoolite_add_security_headers");
Code language: PHP (php)

After adding your security headers, test your website again via:

That’s it! Adding security headers to your WordPress website via the functions.php file is a quick and easy way to increase its protection against potential security threats. However, it’s essential to understand the headers you are setting and their impact on your website’s functionality. As always, make a backup of the functions.php file before making any changes.

Leave your feedback and help us improve 🐶

We hope you found this article helpful! If you have any questions, feedback, or spot any errors, please let us know in the comments. Your input is valuable and helps us improve. If you liked this article, please consider sharing it with others. And if you really enjoyed it, you can show your support by buying us a cup of coffee ☕️.

Thank you for your feedback and support!

More free knowledge, because why not?

Your thoughts matter, leave a reply 💬

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.