Missing HSTS header on your WordPress site
The Strict-Transport-Security (HSTS) header is missing from your site. Without it, a browser that first reaches your site over plain HTTP can be kept on, or redirected to, the unencrypted version of your site.
Why it matters
SSL-stripping attacks allow an attacker on the network path to keep your visitors on HTTP and intercept their traffic (passwords, session cookies). HSTS instructs the browser to connect to your domain over HTTPS only, which closes this vector.
How to fix
Use one of the following three methods (not several at once, or the header will be sent twice).

1. Add via .htaccess (Apache)

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>

2. Add via Nginx

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

3. Add via wp-config.php

    <?php
    // In wp-config.php, before "require_once ABSPATH . 'wp-settings.php'"
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

4. Submit to HSTS Preload list (optional)

Once HSTS is in place with the preload directive, submit your domain at hstspreload.org so browsers enforce HTTPS natively, without any initial HTTP request.
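After applying one of the fixes above, you will want to confirm that the header your server actually sends is well formed and meets the preload requirements (max-age of at least one year, includeSubDomains, preload). The checker below is an added example, not part of the original article; it parses a Strict-Transport-Security value and lists what is missing, using constructed sample header values rather than a live site.

```python
import re
from typing import Dict, List, Optional

# hstspreload.org requires max-age of at least one year (31536000 seconds),
# plus the includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into a directive -> value map.
    Directive names are case-insensitive (RFC 6797); values may be quoted."""
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            # RFC 6797 allows each directive at most once; a duplicate makes the header invalid
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def hsts_problems(header_value: Optional[str]) -> List[str]:
    """Return the reasons the header is missing or not preload-ready (empty list = OK)."""
    if header_value is None:
        return ["Strict-Transport-Security header is missing"]
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age directive is missing or not a non-negative integer")
    elif int(max_age) == 0:
        problems.append("max-age=0 disables HSTS and evicts the site from the browser's HSTS cache")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below the {PRELOAD_MIN_MAX_AGE} seconds needed for preload")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive is missing (required for preload)")
    if "preload" not in d:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not captured from a real server
    for label, value in {"recommended": "max-age=31536000; includeSubDomains; preload",
                         "too-short": "max-age=300; includeSubDomains", "absent": None}.items():
        print(label, hsts_problems(value) or ["OK"])
```

To check a live site, feed it the value of the Strict-Transport-Security header from an HTTPS response (for example from `curl -sI https://yourdomain`); browsers ignore HSTS sent over plain HTTP, so the HTTPS response is the one that matters.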