How to Implement a WordPress Security Headers Plugin to Protect You WordPress Instalation - Wordpress Secure Headers Helper package blog

In this article you will learn about:

Introduction to Security Related HTTP Headers

Many users and developers that make part of the WordPress community finally realized that having a SSL certificate gives us more than just a "lock" icon in the browser. Configuring Web server security can be more useful than just setting SSL certificates.

You may have heard about security related headers, things like X-Frame-Options or Expect-CT. But what are those headers? And what is the best way of configuring them?

To be brief, all of those headers allow us to establish rules for HTTP requests in way that it is possible to avoid specific types of attacks.

The X-Frame-Options header, for instance, provide clickjacking protection, while Strict-Transport-Security protects against main-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

What Are the Secure HTTP Headers You Should Use in Your WordPress

If your web site or application uses a SSL certificate, you should be using and configuring security headers that might be preventing your app from several types of attacks.

But before diving into the coding, let's recap what are those headers, and the reason for using each one of them. Here follows some information from the site: https://securityheaders.com/ .

As we are mostly talking about WordPress here, some of those HTTP headers can be configured with obvious values. In other words, for some of those headers, values will be basically the same for almost any WordPress Web site or application.

So, if we are thinking about building a script for implementing them, part of the headers can be assumed as constant. With that in mind, let's move to the next step:  a class or library to set the basic headers automatically (for those usually constant) and configure the remaining.

How to Send the Important HTTP Headers with WordPress Pages 

The developers that want to extend WordPress capabilities can use two different types hooks for including or managing HTTP headers: the action send_headers and the filter wp_headers.

In theory, HTTP headers could be added and managed using any of these types hooks. However, we tend to use more on the action, rather than the filter.

The difference in the code that we need to use with each type of hook is simple. If you opt for the filter, that means you will need to use a function that passes one argument, the $headers array, add or modify the elements in that array and returns a new array as a result. You should also check if the current request is sent via HTTPS.

if (! empty($_SERVER['HTTPS'])) {
  function add_secure_header($headers) {
    $headers['strict-transport-security'] = 'max-age=31536000; includeSubDomains';
    return $headers;
  }

add_filter('wp_headers', 'add_secure_header');
}

The same effect can be achieved by using a WordPress action. However, it is not necessary for passing any arguments to the callback function. That function does not have a return value. In this case, the code would look like this:

if (! empty($_SERVER['HTTPS'])) {
  function add_secure_headers() {
    header( 'Strict-Transport-Security: max-age=10886400' );
  }
  add_action( 'send_headers', 'add_secure_headers' );
}

Easy, huh? Add all those headers and the respective values, hook your function using either the action or the filter and you are done. But could it be more automatic and, at the same time, use a better PHP code style?

How to Use a PHP Class to Organize Better the Secure HTTP Header Sending in WordPress

The idea is simple. We can use a class to add all obvious secure headers automatically, as well modify their values or add new headers.

I have implemented this approach like this. For the first part of our class, we add a variable that holds all headers and values and already brings some of them by default.

The class adds a hook to the WordPress send_headers action. The class has functions to set headers in addition to those already listed. It can also return a list of all headers using the variable $toApply.

class Headers {

    public $toApply = [
    	'X-Frame-Options' => 'SAMEORIGIN',
    	'X-Content-Type-Options' => 'nosniff',
    	'X-XSS-Protection' => '1; mode=block',
    	'Referrer-Policy' => 'no-referrer-when-downgrade',
    	'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    ];
    //...

    public function set(string $header, string $value) {
    	$this->toApply[$header] = $value;
    }

    public function list() {
    	return $this->toApply;
    }
}

This logic allows you to create a simple solution for adding HTTP headers to any Web site. The only thing you need is to copy this class or requiring it using Composer.

wp-secure-headers(this link opens in a new window)by carloswph(this link opens in a new window)

1 Subscriber 1 Watcher 0 ForksCheck out this repository on GitHub.com(this link opens in a new window)

This class is to be updated in the future to allow a better configuration of the secure headers individually. Some improvements regarding cookies should be also implemented eventually.

Check the Github repo it worth looking at this approach, as those several lines and details can be set up in WordPress with no more than the code below.

use WPH\Security\Headers;

require __DIR__ . '/vendor/autoload.php';

$sec_headers = new Headers();
$sec_headers->set('Content-Security-Policy', 'connect-src "self"');