Ensuring security is setup correctly for your WordPress site is very important, especially when it comes to protecting yourself from hackers. There are numerous different enhancements and best WordPress security practices you can implement to ensure that your site is locked down. If your WordPress site runs over HTTPS, then one of the enhancements we recommend implementing is the HSTS security header, as it can help prevent man-in-the-middle attacks (MitM) and cookie hijacking.
What is HSTS?
HSTS stands for HTTP Strict Transport Security and was specified by the IETF in RFC 6797 back in 2012. It was created as a way to force the browser to use secure connections when a site is running over HTTPS. It is a security header in which you add to your web server and is reflected in the response header as Strict-Transport-Security. HSTS is important because it addresses the following issues:
- Any attempts by visitors to use the unsecured version (HTTP://) of a page on your site will be automatically forwarded to the secure version (HTTPS://).
- Old HTTP bookmarks and people typing the HTTP version of your site are open you up to man-in-the-middle attacks. These are attacks where the attacker alters communication between parties and tricks them into thinking they are still communicating with each other.
- Doesn’t allow for the overriding of the invalid certificate message which really, in turn, protects the visitor.
- Cookie hijacking: This can occur when someone steals a session cookie over an unsecured connection. Cookies can contain all sorts of valuable information such as credit card information, names, addresses, etc.
How to Add HSTS to Your WordPress Site
Technically you are adding HSTS to the web server itself, which is then applied to HTTP requests to your WordPress site. Typically a 301 redirect is added when doing a redirect from HTTP to HTTPS. Google has officially said that you can use both 301 server redirects as well as the HSTS header together.
Although our systems prefer the HTTPS version by default, you can also make this clearer for other search engines by redirecting your HTTP site to your HTTPS version and by implementing the HSTS header on your server. Zineb Ait Bahajji, Google Security Team
There are different types of directives and or levels of security that can be applied to the HSTS header. Below is the most basic one which uses the max-age directive. This defines the time in seconds for which the web server should only deliver through HTTPS.
Enable HSTS in Apache
Add the following code to your virtual hosts file.
Header always set Strict-Transport-Security "max-age=10886400
Enable HSTS in NGINX
Add the following code to your NGINX config.
add_header Strict-Transport-Security "max-age=10886400
There is also HSTS preloading. This is basically getting your website and or domain on an approved HSTS list that is actually built into the browser. Google officially compiles this list and it is utilized by Chrome, Firefox, Opera, Safari, IE11 and Edge. Submit your site to the official HSTS preload list.
However, you must meet some additional requirements to be eligible.
- Server must have a valid SSL/TLS certificate.
- Redirect all traffic to HTTPS.
- Serve HSTS on the base domain.
- Serve all subdomains over HTTPS, specifically including the www subdomain if it exists.
- Expiry must be at least eighteen weeks (10886400 seconds)
- The includeSubdomains token directive must be specified
- The preload token directive must be specified.
To do this it requires adding the additional subdomains and preload directives to your HSTS header. Below is an example of the updated HSTS header.
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
Verify HSTS Header
There are a couple easy ways to check if the HSTS is working on your WordPress site. You can launch Google Chrome Devtools, click into the “Network” tab and look at the headers tab. As you can see below on our Kinsta website the HSTS value: “strict-transport-security: max-age=31536000” is being applied.
You can also scan your WordPress site with a free online tool like securityheaders.io which will let you know if the strict-transport-security header is being applied or not.
HSTS Browser Support
According to Caniuse, browser support for HSTS is very strong at over 80% globally and over 95% in the United States. Support for HSTS in IE11 was added in 2015 and currently the only modern browser that doesn’t support it is Opera Mini.
We also recommend checking out this article from Tim Kadlec on HSTS and Let’s Encrypt.