How To Enable HTTP Strict Transport Security in WordPress

Learn how to enable HSTS

HTTP Strict Transport Security (HSTS) is a response header that instructs browsers and other user agents to always connect to your WordPress blog over HTTPS, even when the user does not type a protocol into the address bar.

It works like a 301 redirect, but at the browser level.

The HSTS header tells the browser to connect to the current domain only over HTTPS.

This makes HSTS far better than 301 redirects, which are insecure on the first visit because the redirect itself travels over plain HTTP and can be intercepted.

Currently, all major browsers (Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari and Opera) support HTTP Strict Transport Security (HSTS).


HTTP Strict Transport Security (HSTS) Benefits

  • Helps prevent man-in-the-middle attacks and cookie hijacking.
  • Helps avoid mixed content issues.
  • Does not allow users to click through invalid certificate warnings.
  • Can be preloaded into browsers by listing your domain on the HSTS preload list.
  • Avoids insecure redirects from HTTP to HTTPS.
  • Also improves WordPress blog speed by eliminating a redirect.

Enable HTTP Strict Transport Security (HSTS) in .htaccess

# Enable HSTS on WordPress blog (requires mod_headers; env=HTTPS limits the header to TLS requests)
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

The “max-age” directive specifies how long, in seconds, the browser caches this policy (31536000 seconds is one year).

The “includeSubDomains” directive instructs browsers to apply this policy to all subdomains as well.


The “preload” directive signals that the site wants to be added to the HSTS preload list that ships with browsers.

“env=HTTPS” ensures that the header is only sent on the secure (https) version of your WordPress blog and not on the insecure (http) version.

Enable HTTP Strict Transport Security (HSTS) on Nginx

# Enable HSTS on WordPress blog (place inside the server block that listens on 443 so it is never sent over plain HTTP)
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
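As an added example that is not part of the original post, here is a small Python checker that parses a Strict-Transport-Security value the way RFC 6797 describes and reports whether it meets the hstspreload.org submission requirements (a max-age of at least one year, includeSubDomains and preload). The sample header values are constructed; the Apache and Nginx entries mirror the two configurations above.

```python
# One year in seconds: the minimum max-age hstspreload.org requires for a preload submission.
PRELOAD_MIN_MAX_AGE = 31536000

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value per RFC 6797: directives are ';'-separated
    and case-insensitive, empty ones are tolerated, unknown ones are ignored and a duplicated
    directive invalidates the whole header. Returns (max_age, include_subdomains, preload, problems)."""
    max_age, include_subdomains, preload, problems, seen = None, False, False, [], set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # e.g. the stray trailing ';' in "...; preload;"
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isascii() and value.isdigit():
                max_age = int(value)
            else:
                problems.append(f"max-age must be a non-negative integer, got {value!r}")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        problems.append("missing required max-age directive")
    return max_age, include_subdomains, preload, problems

def preload_ready(header_value):
    """True when the header meets the hstspreload.org requirements: a max-age of at least
    one year, includeSubDomains, preload, and no syntax problems."""
    max_age, subs, preload, problems = parse_hsts(header_value)
    return not problems and max_age >= PRELOAD_MIN_MAX_AGE and subs and preload

# Constructed sample header values for this example (not captured from any real site).
SAMPLES = {
    "apache": "max-age=31536000; includeSubDomains; preload",
    "nginx": "max-age=31536000; includeSubDomains; preload;",  # trailing ';' is tolerated
    "short": "max-age=300",                                     # valid, but too short to preload
    "broken": "max-age=abc; includeSubDomains",                  # browsers ignore this header
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:6} preload_ready={preload_ready(value)} problems={parse_hsts(value)[3]}")
```

To check a live deployment, paste the value your server actually returns (for example from the response headers shown in your browser's developer tools) in place of one of the samples.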

Example of HTTP Strict Transport Security (HSTS)

Want to see HSTS in action?
Just type the address into the Google Chrome browser, and you will see the secure version of my WordPress blog.


Today you learned how to enable HTTP Strict Transport Security (HSTS) in WordPress.

WordPress Consultant

If you want to enable HSTS on your site, contact me.