{"id":167714,"date":"2025-03-21T09:00:00","date_gmt":"2025-03-21T09:00:00","guid":{"rendered":"https:\/\/getshieldsecurity.com\/?p=167714"},"modified":"2025-03-19T10:10:06","modified_gmt":"2025-03-19T10:10:06","slug":"wordpress-hsts","status":"publish","type":"post","link":"https:\/\/getshieldsecurity.com\/blog\/wordpress-hsts\/","title":{"rendered":"Implementing WordPress HSTS: Step-by-Step Guide"},"content":{"rendered":"\n<p>If you&#8217;re reading this, you&#8217;re serious about tightening up your WordPress site\u2019s security with HTTP Strict Transport Security (HSTS) \u2013 and that\u2019s a smart move. HSTS is a response header that tells browsers to connect to your site only over HTTPS for as long as its <code>max-age<\/code> says, and to treat certificate errors as fatal rather than offering a click-through. That shuts down protocol-downgrade attacks on returning visitors.<\/p>\n\n\n\n<p>The catch is <em>there\u2019s no quick way back once browsers have cached the policy<\/em>. If your SSL certificate expires or breaks in any way, browsers holding the policy will refuse to connect rather than show a bypassable warning, so your site becomes unreachable until the certificate is fixed. This isn\u2019t something you\u2019d enable on a whim.<\/p>\n\n\n\n<p>In this guide, you\u2019ll get step-by-step instructions for three proven methods of setting up HSTS on WordPress: manual configuration via .htaccess, a plugin, and Cloudflare\u2019s edge setting. Each method has its nuances, but all are effective for a secure implementation.<\/p>\n\n\n\n<p>Before diving in, ensure you have a <a href=\"https:\/\/getshieldsecurity.com\/blog\/how-to-get-a-ssl-and-fix-insecure-content\/\">valid SSL certificate<\/a> with automatic renewal, and a clear testing plan. HSTS might be straightforward, but it&#8217;s also unforgiving. Do it right, and it\u2019ll significantly strengthen your site\u2019s security \u2013 do it wrong, and you risk taking your site offline.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding the benefits and drawbacks of HSTS for WordPress<\/h2>\n\n\n\n<p>Implementing HSTS on your WordPress site can really elevate your security, but it\u2019s not without its trade-offs. 
Understanding both the benefits and drawbacks is key to deciding whether it&#8217;s the right move for you.<\/p>\n\n\n\n<p>Some of the benefits of enabling HSTS on WordPress are as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HSTS prevents downgrade attacks: once a browser has seen the header, it upgrades every http:\/\/ link, bookmark, or typed address for your site to https:\/\/ before the request leaves the machine, so an attacker on the network never sees a plaintext request to intercept.<\/li>\n\n\n\n<li>It supports trust and SEO. Google treats HTTPS as a ranking signal, and a site that can never be loaded over plain HTTP avoids the &#8220;Not secure&#8221; browser warnings that put users off.<\/li>\n\n\n\n<li>HTTPS is enforced by the browser itself, removing the possibility of returning visitors accidentally reaching the HTTP version of your site, even if a redirect on your server is misconfigured.<\/li>\n<\/ul>\n\n\n\n<p>However, there are some real drawbacks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If your SSL certificate fails or expires, your site will be unreachable: HSTS prevents fallback to HTTP and also removes the browser\u2019s &#8220;proceed anyway&#8221; option on certificate errors.<\/li>\n\n\n\n<li>Once HSTS is activated, turning it off means serving <code>max-age=0<\/code> and waiting until every visitor\u2019s browser has fetched the new value; a preloaded domain additionally has to be removed from the list and wait for new browser releases, which can take months.<\/li>\n\n\n\n<li><code>includeSubDomains<\/code> applies the policy to every subdomain, so any host such as a mail or staging subdomain that only answers over HTTP becomes unreachable from browsers that have seen the header.<\/li>\n\n\n\n<li>Setting up HSTS properly, particularly through methods like .htaccess or Cloudflare, can be tricky for non-technical users. A misconfiguration could break access to your site.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step-by-step guide to implementing HSTS in WordPress<\/h2>\n\n\n\n<p>Each method for implementing HSTS has its own strengths depending on your technical needs and site setup. Before you flip the switch, double-check that <a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-ssl-setup\/\">SSL is enabled<\/a> with a valid certificate, that every piece of content loads over HTTPS, and that plain HTTP requests already redirect to HTTPS. 
One mistake, and you&#8217;re looking at a potential site lockout.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Option 1: Manual implementation via .htaccess<\/h3>\n\n\n\n<p>To implement HSTS in WordPress via the <em>.htaccess<\/em> file, start by backing it up \u2013 if anything goes wrong, you\u2019ll need a restore point.<\/p>\n\n\n\n<p>Once backed up, access the root .htaccess file through SFTP or your hosting file manager. Add this block (the <code>Header<\/code> directive comes from Apache\u2019s mod_headers; the <code>IfModule<\/code> wrapper stops Apache returning a 500 error if that module isn\u2019t loaded, and <code>always<\/code> makes the header go out on redirects and error pages as well as on normal responses):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;IfModule mod_headers.c&gt;\n    Header always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\n&lt;\/IfModule&gt;<\/code><\/pre>\n\n\n\n<p>This enforces HTTPS for one year \u2013 31,536,000 seconds \u2013 applies HSTS to all subdomains, and sets your site up for the HSTS preload list. Browsers ignore the header when it arrives over plain HTTP, so your existing HTTP-to-HTTPS redirect must stay in place. For a first deployment, use a short value such as <code>max-age=300<\/code> without <code>includeSubDomains<\/code> or <code>preload<\/code>, confirm that everything still works, and only then raise it to a year and add the other directives. After adding the directive, test it using a tool like <a href=\"https:\/\/securityheaders.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security Headers<\/a>, or your browser\u2019s developer tools, to ensure the header is being sent correctly on the HTTPS response.<\/p>\n\n\n\n<p>Finally, monitor certificate expiry and renewal rather than just your access logs: a certificate failure happens before any request is logged, and once browsers hold the policy, an expired certificate locks users out until it is renewed.<\/p>\n\n\n\n<p>Again, HSTS is powerful, but unforgiving.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Option 2: Using a plugin<\/h3>\n\n\n\n<p>If you\u2019re uncomfortable doing it manually, there\u2019s always the plugin route. In this case, it\u2019s <a href=\"https:\/\/wordpress.org\/plugins\/headers-security-advanced-hsts-wp\/\" target=\"_blank\" rel=\"noreferrer noopener\">Headers Security Advanced &amp; HSTS WP<\/a>.<\/p>\n\n\n\n<p>Sadly, this plugin won\u2019t be winning awards for its name anytime soon, but it\u2019s beginner-friendly and its functionality is solid. Here\u2019s what you need to do to enable HSTS:<\/p>\n\n\n\n<p>1. With the plugin installed and activated, go to <em>Settings &gt; Headers Security Advanced &amp; HSTS WP<\/em>.<\/p>\n\n\n\n<p>2. 
Scroll to the <em>Quick selection<\/em> section and click on <em>Strict Transport Security (HSTS)<\/em>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"879\" height=\"350\" src=\"https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/wordpress-hsts-using-a-plugin-for-wp-hsts.png\" alt=\"How to open the HSTS settings in Headers Security Advanced &amp; HSTS WP\" class=\"wp-image-167716\" srcset=\"https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/wordpress-hsts-using-a-plugin-for-wp-hsts.png 879w, https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/wordpress-hsts-using-a-plugin-for-wp-hsts-300x119.png 300w, https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/wordpress-hsts-using-a-plugin-for-wp-hsts-768x306.png 768w\" sizes=\"(max-width: 879px) 100vw, 879px\" \/><\/figure>\n\n\n\n<p>3. Set the <em>Max-Age<\/em> value, which is in seconds, to 31536000 for one year (or to a short value such as 300 for a first trial run, raising it once you have confirmed nothing breaks).<\/p>\n\n\n\n<p>4. Tick <em>Enable include subdomains<\/em> only if every subdomain already serves valid HTTPS, and <em>Enable preload<\/em> only if you intend to submit the domain to the preload list. The UI does a good job of explaining what each option does.<\/p>\n\n\n\n<p>5. Scroll to the bottom and click <em>Save Changes<\/em> when finished.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Option 3: Enabling HSTS through Cloudflare<\/h3>\n\n\n\n<p>Activating HSTS for your WordPress site through <a href=\"https:\/\/www.cloudflare.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cloudflare<\/a> offers the best balance of security and ease.<\/p>\n\n\n\n<p>Cloudflare adds the header at its edge, on the responses it proxies for your domain, so there\u2019s no need to modify your server or plugin settings (hostnames that bypass the Cloudflare proxy won\u2019t receive it). It\u2019s an efficient solution, particularly for sites with high traffic or those looking for a more hands-off approach.<\/p>\n\n\n\n<p>Here\u2019s how you can enable it through Cloudflare\u2019s dashboard:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open your Cloudflare account, then go to your site\u2019s settings.<\/li>\n\n\n\n<li>Switch to the SSL\/TLS tab, then scroll down until you find the <em>HTTP Strict Transport Security (HSTS)<\/em> section. 
Click the button labeled <em>Enable HSTS<\/em>.<\/li>\n\n\n\n<li>Scroll to the bottom of the text in the <em>Acknowledgement<\/em> tab, check the box labeled <em>I understand<\/em>, then click <em>Next<\/em>.<\/li>\n\n\n\n<li>When you\u2019re moved to the <em>Configure<\/em> tab, toggle <em>Enable HSTS<\/em> on, then set your preferred <em>Max Age Header<\/em> value.<\/li>\n\n\n\n<li>Toggle the other options on or leave them off as needed, applying the same caution to subdomains and preload as in the other methods, then click <em>Save<\/em> when you\u2019re done.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-columns are-vertically-aligned-center is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\"><div class=\"wp-block-image is-style-default\">\n<figure class=\"alignright size-full is-resized\"><img decoding=\"async\" width=\"2135\" height=\"2179\" src=\"https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/Tips_Mascot.png\" alt=\"Shield Security PRO mascot\" class=\"wp-image-167773\" style=\"aspect-ratio:1;object-fit:contain;width:156px;height:auto\" srcset=\"https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/Tips_Mascot.png 2135w, https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/Tips_Mascot-294x300.png 294w, https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/Tips_Mascot-1003x1024.png 1003w, https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/Tips_Mascot-768x784.png 768w, https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/Tips_Mascot-1505x1536.png 1505w, https:\/\/assets.getshieldsecurity.com\/getshieldsecurity.com\/uploads\/2025\/03\/Tips_Mascot-2007x2048.png 2007w\" sizes=\"(max-width: 2135px) 100vw, 2135px\" \/><\/figure>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-column 
is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<p>Cloudflare does the best job of explaining things within its UI, so it\u2019s our recommended option for beginners. For example, the <em>Acknowledgement<\/em> section provides an exhaustive explainer of the risks of enabling HSTS.<\/p>\n\n\n\n<p>Moreover, unlike the other methods, the max age values are made clearer with a dropdown that labels them in months rather than seconds and recommends six months. Bear in mind that six months is below the one-year minimum the preload list requires, so choose twelve months if you plan to submit your domain.<\/p>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">How to submit a site to the HSTS preload list<\/h2>\n\n\n\n<p>The <a href=\"https:\/\/hstspreload.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">HSTS preload list<\/a> is a powerful security feature built into major browsers like Chrome, Firefox, and Safari.<\/p>\n\n\n\n<p>Domains on this list are automatically forced to use HTTPS, even before users visit the site for the first time. That closes the one gap in ordinary HSTS: a browser that has never seen your header, or whose cached policy has expired, would otherwise make its first request over plain HTTP, where a downgrade or man-in-the-middle attack can still occur.<\/p>\n\n\n\n<p>Once a domain is added to the list, it\u2019s shipped inside the browser itself, so HTTPS is enforced from the very first request without any user intervention.<\/p>\n\n\n\n<p>To submit, head over to <a href=\"https:\/\/hstspreload.org\" target=\"_blank\" rel=\"noreferrer noopener\">hstspreload.org<\/a> and enter your domain. The tool will run a series of checks to ensure your SSL certificate is valid, HTTP requests to your domain redirect to HTTPS on the same host, HTTPS is enforced across all subdomains, and the HSTS header on the HTTPS response is configured correctly with max-age \u2265 1 year (31536000 seconds), includeSubDomains, and preload.<\/p>\n\n\n\n<p>If everything checks out, your domain gets added to Chrome\u2019s preload list and eventually propagates to the other browsers that consume it. Expect a delay of weeks to months for full rollout, since the list ships with new browser releases.<\/p>\n\n\n\n<p>Once you\u2019re on the list, though, it\u2019s very hard to remove: you have to request removal at hstspreload.org and then wait for new browser releases to ship without the entry. 
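<\/p>\n\n\n\n<p>Before you submit, you can run the header checks the preload tool applies against a copy of your own HTTPS response, for example the output of <code>curl -sI https:\/\/your-domain<\/code>. The Python script below is an added example written for this guide, not code from hstspreload.org, Cloudflare, or any plugin mentioned here, and it also serves as an offline substitute for the header check suggested under Option 1. It parses the Strict-Transport-Security value the way RFC 6797 describes (directive names are case-insensitive, a directive may not repeat, and max-age may be quoted), then reports which of the three header requirements fail. The response heads inside it are constructed samples, not captured from a real site.<\/p>

```python
"""Check a Strict-Transport-Security header against the HSTS preload
requirements (RFC 6797 syntax; one-year max-age, includeSubDomains,
preload).

Added example for this guide; not code from hstspreload.org, Apache,
Cloudflare or any WordPress plugin. The response heads at the bottom are
constructed samples, not captured from a real site.
"""
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


def parse_hsts(value):
    """Parse an HSTS header value into {directive_name: value_or_None}.

    Per RFC 6797 section 6.1, directive names are case-insensitive, a
    directive must not appear twice, max-age is mandatory and may be
    quoted. Raises ValueError on a malformed header.
    """
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing semicolon
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if val else None
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    if not re.fullmatch(r"\d+", directives["max-age"] or ""):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def hsts_header_from_response(head):
    """Return the Strict-Transport-Security value from raw response headers
    (the shape `curl -sI https://...` prints), or None if it is absent."""
    for line in head.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val.strip()
    return None


def preload_problems(head):
    """List the reasons a response fails the three header requirements the
    preload list imposes; an empty list means the header passes."""
    value = hsts_header_from_response(head)
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"malformed header: {exc}"]
    problems = []
    if d["max-age"] < ONE_YEAR:
        # max-age=0 lands here too: valid, but it tells browsers to forget
        # the policy rather than keep it, so it can never be preloaded.
        problems.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample response heads (not from a real host).
GOOD_HEAD = (
    "HTTP/2 200\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains; preload\r\n"
)
# A first-stage rollout value: fine for testing, not yet preload-ready.
SHORT_HEAD = (
    "HTTP/2 200\r\n"
    "Strict-Transport-Security: max-age=300; includeSubDomains\r\n"
)
# Header missing entirely, e.g. mod_headers not loaded or the wrong vhost.
NO_HSTS_HEAD = "HTTP/2 200\r\ncontent-type: text/html\r\n"

if __name__ == "__main__":
    for label, head in (("good", GOOD_HEAD), ("short", SHORT_HEAD), ("none", NO_HSTS_HEAD)):
        problems = preload_problems(head)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

<p>Run it as-is to see the verdict on each sample; to check a live site, paste the output of <code>curl -sI<\/code> against your HTTPS URL into <code>preload_problems<\/code>. The script deliberately leaves out the certificate and HTTP-to-HTTPS redirect checks the preload tool also performs, since both need a network connection. Note that <code>max-age=0<\/code> parses fine but fails the one-year requirement; it is also the value you would serve if you ever need browsers to drop the policy.<\/p>\n\n\n\n<p>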
Make sure your SSL and HTTPS setup are flawless before submitting, otherwise you risk locking your site out of reach of your users.<\/p>\n\n\n\n<p>[SHIELD_CTA_BOX \/]<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">WordPress security beyond HSTS with Shield Security PRO<\/h2>\n\n\n\n<p>HSTS is a critical security header that forces browsers to always use HTTPS, but it\u2019s just one part of a broader security strategy. Shield Security PRO\u2019s <a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-content-security-policy\/\">advanced HTTP headers<\/a> feature builds on HSTS to offer even more granular control over how browsers interact with your site.<\/p>\n\n\n\n<p>The <em>Block iFrames<\/em> option stops clickjacking by blocking your site from being embedded in malicious iframes. With custom rules, you can enable Content-Security-Policy (CSP) headers to stop malicious scripts from executing by specifying where resources can be loaded from \u2013 reducing the risk of cross-site scripting (XSS) attacks.<\/p>\n\n\n\n<p>Beyond security headers, Shield Security PRO offers a range of complementary features.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/help.getshieldsecurity.com\/article\/213-introduction-to-the-security-admin-system\">Security Admin<\/a> feature locks site-critical settings behind a PIN, while brute force protection blocks login attempts from malicious bots. 
<a href=\"https:\/\/getshieldsecurity.com\/blog\/wordpress-2fa\/\">Two-factor authentication<\/a> adds an extra layer of defence, making it harder for attackers to gain access even with stolen credentials.<\/p>\n\n\n\n<p>Together, these features create a comprehensive security suite that pairs perfectly with HSTS, making your WordPress site tough to compromise.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure your WordPress site with Shield Security PRO today!<\/h2>\n\n\n\n<p>Implementing HSTS is an excellent first step in securing your WordPress site \u2013 you&#8217;re locking down HTTPS and ensuring encrypted communication. While HSTS handles protocol-level security, though, it doesn\u2019t protect against the broader threats that constantly target WordPress sites \u2013 malware, brute force attacks, and bot-driven exploits.<\/p>\n\n\n\n<p>That\u2019s why you need Shield Security PRO \u2013 the next logical step for anyone serious about security.<\/p>\n\n\n\n<p>Beyond securing your traffic, the plugin offers automatic malware scanning and removal via <a href=\"https:\/\/getshieldsecurity.com\/features\/malware-scanner\/\">MAL{ai}<\/a>, ensuring malicious code doesn\u2019t slip through the cracks. Its <a href=\"https:\/\/getshieldsecurity.com\/blog\/silentcaptcha-wordpress\/\"><em>silent<\/em>CAPTCHA technology<\/a> intelligently blocks malicious bots without impacting real users, while advanced login protection (including two-factor authentication) ensures only authorised users can get in.<\/p>\n\n\n\n<p>When combined with HSTS, these features create a truly comprehensive security solution for your WordPress site.<\/p>\n\n\n\n<p>To take the next step, <a href=\"https:\/\/getshieldsecurity.com\/pricing\/\">check out Shield Security PRO<\/a> today!<\/p>\n\n\n\n<p>[SHIELD_CTA_BOX \/]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Boost WordPress security with our step-by-step HSTS guide. 
Learn manual and plugin methods, best practices, and troubleshooting tips to protect your site from attacks.<\/p>\n","protected":false},"author":27,"featured_media":167715,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[153],"tags":[],"class_list":["post-167714","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-wordpress-solutions"],"acf":[],"_links":{"self":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/167714","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/comments?post=167714"}],"version-history":[{"count":10,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/167714\/revisions"}],"predecessor-version":[{"id":167864,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/posts\/167714\/revisions\/167864"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/media\/167715"}],"wp:attachment":[{"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/media?parent=167714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/categories?post=167714"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/getshieldsecurity.com\/wp-json\/wp\/v2\/tags?post=167714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}