Welcome to Headers Security!
This guide will help you configure Headers Security Advanced & HSTS WP to secure your WordPress site in minutes.
Installation
- Go to WordPress Dashboard → Plugins → Add New
- Search for "Headers Security Advanced & HSTS WP"
- Click Install Now → Activate
- Navigate to Settings → Headers Security Advanced & HSTS WP
Two modes: Choose your experience
🟢 Beginner Mode (Default - Recommended)
No configuration needed! The plugin automatically:
- Enables HSTS with safe defaults
- Configures Content Security Policy for common WordPress setups
- Sets up Permissions-Policy headers
- Protects against clickjacking and XSS
- Works out-of-the-box with popular plugins (WooCommerce, contact forms, analytics)
Just activate and you're protected! No technical knowledge required.
Advanced Mode (For Power Users)
Want full control? Go to Settings → Headers Security Advanced & HSTS WP to customize:
CSP (Content Security Policy):
- Fine-tune which domains can load scripts, styles, images
- Whitelist specific third-party services
- Set strict, moderate, or permissive policies
- Adjust directives individually
HSTS Configuration:
- Set custom max-age duration
- Enable/disable preload and subdomains
- Control strict transport security behavior
Permissions-Policy:
- Control browser features (camera, geolocation, payment, etc.)
- Allow/block specific capabilities per domain
X-Frame-Options, Referrer-Policy, and more...
Testing your configuration
Verify Security Headers: Visit SecurityHeaders.com and scan your domain. You should see an A or A+ rating!
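The online scan above only tells you the grade; it is also useful to see which individual header values are pulling the score down before you tighten settings in Advanced Mode. The following is an added example, not code from the plugin or from this guide. It audits a set of response headers offline: the SAMPLE_HEADERS dictionary is a constructed response resembling what a site protected by the plugin might return, and the checks and the letter-grade scale are this script's own assumptions rather than SecurityHeaders.com's rubric. To run it against a real site, paste the header values from `curl -sI https://your-site.example` into the dictionary.

```python
"""Offline audit of HTTP security response headers.

Added example, not the plugin's own code. SAMPLE_HEADERS is a constructed
response; the checks and the letter-grade scale are this script's own
assumptions, not SecurityHeaders.com's rubric.
"""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the max-age the HSTS preload list requires

# Constructed sample, roughly what `curl -sI https://example.com` would show.
SAMPLE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; "
        "object-src 'none'; frame-ancestors 'self'"
    ),
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=(), payment=()",
}

Finding = Tuple[str, str, str]  # (level, header, message); level is warn/fail


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its three parts."""
    parsed: Dict[str, object] = {"max_age": 0, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and val.strip().isdigit():
            parsed["max_age"] = int(val.strip())
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers: Dict[str, str]) -> List[Finding]:
    """Check the headers the guide covers and return warn/fail findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("fail", "Strict-Transport-Security", "header missing"))
    else:
        p = parse_hsts(hsts)
        if p["max_age"] < ONE_YEAR:
            findings.append(("warn", "Strict-Transport-Security",
                             f"max-age={p['max_age']} is below one year"))
        if p["preload"] and not p["include_subdomains"]:
            findings.append(("warn", "Strict-Transport-Security",
                             "preload needs includeSubDomains"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("fail", "Content-Security-Policy", "header missing"))
    else:
        d = parse_csp(csp)
        for directive in ("default-src", "script-src"):
            if "'unsafe-inline'" in d.get(directive, []):
                findings.append(("warn", "Content-Security-Policy",
                                 f"{directive} allows 'unsafe-inline' (weakens XSS protection)"))
        if "object-src" not in d and "'none'" not in d.get("default-src", []):
            findings.append(("warn", "Content-Security-Policy", "object-src not restricted"))
        if "frame-ancestors" not in d and "x-frame-options" not in h:
            findings.append(("warn", "Content-Security-Policy",
                             "no frame-ancestors and no X-Frame-Options (clickjacking)"))

    # Presence/value checks for the remaining headers.
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("warn", "X-Frame-Options", f"unexpected value {xfo!r}"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("warn", "X-Content-Type-Options", "nosniff not set"))
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(("warn", name.title(), "header missing"))
    return findings


def grade(findings: List[Finding]) -> str:
    """Collapse findings into a letter grade (this script's own scale)."""
    fails = sum(1 for level, _, _ in findings if level == "fail")
    warns = sum(1 for level, _, _ in findings if level == "warn")
    if fails >= 2:
        return "F"
    if fails == 1:
        return "C"
    if warns == 0:
        return "A+"
    return "A" if warns == 1 else "B"


if __name__ == "__main__":
    for level, header, message in audit(SAMPLE_HEADERS):
        print(f"[{level.upper()}] {header}: {message}")
    print("grade:", grade(audit(SAMPLE_HEADERS)))
```

With the sample as written, the only finding is the 'unsafe-inline' source in script-src, which is exactly the kind of permissive setting the "test incrementally" advice suggests starting with; removing it from the CSP in Advanced Mode takes the sample to the top grade, while dropping HSTS entirely drops it to a fail.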
Need Help?
Check console errors: F12 → Console tab → look for CSP violations
Post in support: Include your plugin version, WordPress version, and specific error messages
Test incrementally: Start with permissive settings, tighten gradually
Useful Resources
- Plugin Page
- Security Headers Explained
- CSP Evaluator