Thomas Griffin

How to Enable HTTP Strict Transport Security (HSTS) in WordPress

Written by Thomas Griffin
Last modified January 29, 2023

I embarked on moving my WordPress site completely to SSL, and part of that process was using the HTTP Strict Transport Security (HSTS) header on the site.

With all of the security breaches that we have seen just this past year, it makes total sense to want to move everything over to SSL. Google is already starting to favor SSL sites in search results, and it provides more confidence for your visitors when they see that your site is secured via SSL.

I had already set up 301 redirects from the non-SSL to the SSL versions of my pages, but I wanted to make sure that all pages and queries going forward would automatically be sent and received over SSL. You can force this in browsers by adding the Strict-Transport-Security header to each of the page responses WordPress sends.

How to Enable HTTP Strict Transport Security (HSTS) in WordPress

To do this, we will target the send_headers action hook, which WordPress runs when it adds headers to an outgoing HTTP response. Note that your site needs a working SSL certificate for this to have any effect: browsers only honor the header when it arrives over HTTPS. Drop the following code into your theme’s functions.php file and HTTP Strict Transport Security (HSTS) will be enabled on your WordPress site.

/**
 * Enables the HTTP Strict Transport Security (HSTS) header in WordPress.
 * Runs on the send_headers hook, so the header is added to every response.
 */
function tg_enable_strict_transport_security_hsts_header_wordpress() {
    // max-age is in seconds; 31536000 is one year.
    header( 'Strict-Transport-Security: max-age=31536000' );
}
add_action( 'send_headers', 'tg_enable_strict_transport_security_hsts_header_wordpress' );

This adds the Strict Transport Security header for 1 year, which is required if you want to eventually be eligible for HSTS preloading in browsers like Chrome, Firefox and Safari.


HSTS Preloading

Adding the Strict-Transport-Security header to your site protects every visit except the very first one: a browser can only enforce HTTPS once it has seen the header. That first visit is still exposed to MITM (man-in-the-middle) attacks, so there is a technique called “preloading” that adds your site to a domain list that ships with the browser.

Once your site is on that list, the major browsers that support HSTS preloading already know that your site requires SSL, and every visit, even the very first one from a new visitor, is automatically forced through SSL.

If you want to enable this for your site, there are a few requirements you must meet before you can submit it.

  1. Have a valid SSL certificate. You can’t do any of this anyway without it.
  2. You must redirect all HTTP traffic to HTTPS (recommended via 301 permanent redirects). This means that your site should be HTTPS only.
  3. You must serve all subdomains from HTTPS as well. If you have subdomains, you will need a wildcard SSL certificate for this.
  4. Serve an HSTS header on the base domain (e.g. thomasgriffin.com) that meets the following requirements:
    1. The expiration length must be at least 1 year.
    2. The includeSubDomains token must be specified in the header.
    3. The preload token must be specified in the header.
    4. If you are serving a redirect, that redirect must have the HSTS header too, not just on the pages it redirects to.
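
A small checker for the header requirements in items 1 to 3 above, added here as an example and not part of the original article: it parses a Strict-Transport-Security value the way a browser does (directive names are case-insensitive, a duplicated directive invalidates the whole header) and reports which preload requirements the value fails. The sample header values are constructed; the redirect and subdomain requirements need live requests and are not checked here.

```python
import re

ONE_YEAR = 31536000  # seconds: the minimum max-age accepted for preloading

def parse_hsts(value):
    """Split an STS header value into {directive_name: value_or_None}.
    Names are case-insensitive (RFC 6797 section 6.1); a directive given
    more than once makes the whole header invalid, so None is returned."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive: browsers ignore the header
        directives[name] = val.strip().strip('"') if sep else None
    return directives

def preload_problems(value):
    """Return the preload requirements the value fails (empty list = OK)."""
    directives = parse_hsts(value)
    if directives is None:
        return ["duplicate directive; browsers ignore the whole header"]
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("missing or non-numeric max-age")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains token missing")
    if "preload" not in directives:
        problems.append("preload token missing")
    return problems

# Constructed samples: the article's two headers plus two common mistakes.
SAMPLES = {
    "basic": "max-age=31536000",
    "preload": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300; includeSubDomains; preload",
    "duplicate": "max-age=31536000; max-age=0; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:10} {header!r:60} {preload_problems(header) or ['OK']}")
```

Run it against the value your own site returns (for example from `curl -sI https://yourdomain/`) to see which requirement still blocks preloading.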

Once you have met all these requirements, you can use this code in your functions.php file instead to support HSTS preloading.

/**
 * Enables the HTTP Strict Transport Security (HSTS) header in WordPress.
 * Includes the includeSubDomains and preload tokens required for preloading.
 */
function tg_enable_strict_transport_security_hsts_header_wordpress() {
    // One year max-age, all subdomains covered, consent to the preload list.
    header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
}
add_action( 'send_headers', 'tg_enable_strict_transport_security_hsts_header_wordpress' );

Now every response your visitors receive carries the preload token, which signals that you want your site on the preload list. Assuming that you meet all the requirements, you should see your site included in that list within a few months.

If you want to check your site’s preload status, you can do it here: https://hstspreload.org/

That should be it! You have now enabled HTTP Strict Transport Security on your WordPress site!


Reader Interactions

Comments

  1. Samuel Nwaokoro

    July 24, 2021

    Hi Thomas, Great article!

    I think it will be best to enable HSTS on the server level using “.htaccess”; you save resources from WP loading init first, and you also prevent early access to HTTP resources before plugins are loaded.

    Reply
    • Thomas Griffin

      August 13, 2021

      Hey Samuel,

      I agree that that is the best path, but for most people, it’s neither practical nor available. This option of enabling HTTP Strict Transport Security (HSTS) in WordPress is available to everyone and provides the same benefits.

      Reply

Copyright © 2010-2023 Griffin Media LLC.
All rights reserved.