I embarked on moving my WordPress site completely to SSL, and part of that process was using the HTTP Strict Transport Security (HSTS) header on the site.
With all of the security breaches that we have seen just this past year, it makes total sense to want to move everything over to SSL. Google is already starting to favor SSL sites in search results, and it provides more confidence for your visitors when they see that your site is secured via SSL.
I had already done 301 redirects from non-SSL to SSL pages on my site, but I wanted to make sure that all pages and queries moving forward would automatically be sent and received as SSL. You can force this in browsers by adding in the Strict Transport Security header to each of your page requests in WordPress.
To do this, we will target the send_headers action hook, which is used to add additional headers to your outgoing HTTP responses. It may be obvious or not, but you will need to ensure your site has a functioning SSL certificate for this implementation to work! Just drop the following code into your theme’s functions.php file and you will have enabled HTTP Strict Transport Security (HSTS) to your WordPress site.
/**
* Enables the HTTP Strict Transport Security (HSTS) header in WordPress.
*/
function tg_enable_strict_transport_security_hsts_header_wordpress() {
header( 'Strict-Transport-Security: max-age=31536000' );
}
add_action( 'send_headers', 'tg_enable_strict_transport_security_hsts_header_wordpress' );
This adds the Strict Transport Security header for 1 year, which is required if you want to eventually be eligible for HSTS preloading in browsers like Chrome, Firefox and Safari.
Want a WordPress website that’s secure AND fast? My friends at WP Engine are offering 3 months free on all annual plans. Click here to claim your special WP Engine offer!
HSTS Preloading
By adding the Strict Transport Security header to your site, you secure every visit from your visitors except for the initial visit. That still leaves your site vulnerable to MITM (man-in-the-middle) attacks for that initial visit, so there is a technique called “preloading” that will add your site to a pre-populated domain list.
Once your site is on that list, the major browsers that support HSTS preloading will be notified that your site requires SSL, and every visit, even the very first one from a visitor, will automatically be forced through SSL.
If you want to enable this for your site, there are a few requirements before you can make that trigger.
- Have a valid SSL certificate. You can’t do any of this anyways without it.
- You must redirect all HTTP traffic to HTTPS (recommended via 301 permanent redirects). This means that your site should be HTTPS only.
- You must serve all subdomains from HTTPS as well. If you have subdomains, you will need a wildcard SSL certificate for this.
- Serve an HSTS header on the base domain (e.g. thomasgriffin.com) that meets the following requirements:
- The expiration length must be at least 1 year.
- The
includeSubDomainstoken must be specified in the header. - The
preloadtoken must be specified in the header. - If you are serving a redirect, that redirect must have the HSTS header too, not just on the pages it redirects to.
Once you have met all these requirements, you can use this code in your functions.php file instead to support HSTS preloading.
/**
* Enables the HTTP Strict Transport Security (HSTS) header in WordPress.
* Includes preloading with subdomain support.
*/
function tg_enable_strict_transport_security_hsts_header_wordpress() {
header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
}
add_action( 'send_headers', 'tg_enable_strict_transport_security_hsts_header_wordpress' );
Now when visitors come to your site, the browser will be notified that you want to be on the preload list. Assuming that you meet all the requirements, you should see your site loaded in that list within a few months.
If you want to check your site’s preload status, you can do it here: https://hstspreload.org/
That should be it! You have now enabled HTTP Strict Transport Security on your WordPress site!
Hi Thomas, Great article!
I think it will be best to enable HSTS on the server level using “.htacess” you save resources from WP loading init first and you also prevent early access to HTTP resources before plugins are loaded.
Hey Samuel,
I agree that that is the best path, but for most people, it’s neither practical or available. This option of enabling HTTP Strict Transport Security (HSTS) in WordPress is available to everyone and provides the same benefits.