Add Security Headers to WordPress with WP Ghost (HSTS, CSP, X-Frame-Options)

This tutorial has moved to the new WP Ghost Knowledge Base, where each feature is presented in detail.

Add seven HTTP security headers to your WordPress site with one toggle in WP Ghost. Security headers tell browsers how to handle your site's content and mitigate XSS, clickjacking, MIME type sniffing, and protocol downgrade attacks. They limit what an attacker can do with a flaw; they do not fix vulnerable plugin or theme code, so keep patching.

How to Enable Security Headers in WP Ghost

Go to WP Ghost > Firewall > Header Security. Switch on Add Security Headers for XSS and Code Injection Attacks. Click Save.

This enables all seven headers at once. After enabling, test your headers at SecurityHeaders.com or with curl -I against your home page to verify they are active. If a CDN or full-page cache sits in front of WordPress, check the response it actually serves to visitors: a caching layer can strip or override headers that PHP sets.
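To check the result without a third-party scanner, here is an added Python script (not WP Ghost's code) that audits a raw HTTP response for the seven headers WP Ghost sets, using the values from the reference table. The sample response is constructed; feed it the output of curl -si against a real site to audit a deployment. Cross-Origin-Embedder-Policy is left out of the sample on purpose so the "missing" path is visible.

```python
"""Offline audit of the seven security headers (added example, not WP Ghost's code)."""
import re

ONE_YEAR = 31536000

# Constructed sample response; header values are assumed, not captured from a live site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; "
    "script-src 'self' https://www.googletagmanager.com; frame-ancestors 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "\r\n"
    "<!doctype html><html></html>"
)


def parse_headers(raw):
    """Return {lower-cased header name: value}; the first occurrence of a name wins."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "no max-age directive"
    age = int(m.group(1))
    tokens = {t.strip().lower() for t in value.split(";")}
    problems = []
    if age < ONE_YEAR:
        problems.append(f"max-age {age} is under one year")
    if "includesubdomains" not in tokens:
        problems.append("includeSubDomains missing")
    # hstspreload.org only accepts max-age >= 1 year together with includeSubDomains
    if "preload" in tokens and problems:
        problems.append("preload flag set but preload requirements not met")
    return "; ".join(problems) or "ok"


def parse_csp(value):
    """Split a policy into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def check_csp(value):
    directives = parse_csp(value)
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return "neither script-src nor default-src: scripts are unrestricted"
    problems = []
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        problems.append("'unsafe-inline' allows injected inline scripts")
    if "*" in script:
        problems.append("wildcard script source")
    if "frame-ancestors" not in directives:
        problems.append("no frame-ancestors; clickjacking defence rests on X-Frame-Options")
    return "; ".join(problems) or "ok"


def check_exact(expected):
    """Build a check that demands one specific value (case-insensitive)."""
    return lambda v: "ok" if v.lower() == expected else f"expected {expected!r}, got {v!r}"


def check_xfo(value):
    # ALLOW-FROM was never widely supported and is ignored; use CSP frame-ancestors instead
    return "ok" if value.upper() in ("DENY", "SAMEORIGIN") else f"unsupported value {value!r}"


CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_xfo,
    # "0" is also fine: it disables the legacy filter, which current browsers ignore anyway
    "x-xss-protection": lambda v: "ok" if v.replace(" ", "").lower() in ("0", "1;mode=block")
    else f"unexpected {v!r}",
    "x-content-type-options": check_exact("nosniff"),
    "cross-origin-embedder-policy": check_exact("require-corp"),
    "cross-origin-opener-policy": check_exact("same-origin"),
}


def audit(raw_response):
    """Return {header: finding}; an absent header reports 'missing'."""
    headers = parse_headers(raw_response)
    return {name: (check(headers[name]) if name in headers else "missing")
            for name, check in CHECKS.items()}


if __name__ == "__main__":
    for header, finding in audit(SAMPLE_RESPONSE).items():
        print(f"{header:32} {finding}")
```

The CSP check is deliberately minimal: it only flags the patterns that make a policy useless against XSS (no script restriction at all, 'unsafe-inline' without a nonce or hash, a wildcard script source). A full policy review still needs the CSP tutorial.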

Security Headers Reference

Header | What it mitigates | Value
Strict-Transport-Security (HSTS) | Protocol downgrade attacks, cookie hijacking over plain HTTP | max-age=31536000; includeSubDomains; preload
Content-Security-Policy (CSP) | XSS, unauthorized script and resource loading | Customizable per site (see the CSP tutorial)
X-Frame-Options | Clickjacking | SAMEORIGIN
X-XSS-Protection | Reflected XSS in legacy browsers only; current Chromium-based browsers and Firefox ignore it, and CSP supersedes it | 1; mode=block
X-Content-Type-Options | MIME type sniffing | nosniff
Cross-Origin-Embedder-Policy (COEP) | Loading of cross-origin resources that have not opted in via CORS or Cross-Origin-Resource-Policy; together with COOP it enables cross-origin isolation | require-corp
Cross-Origin-Opener-Policy (COOP) | Cross-origin window references (XS-Leaks, Spectre-style side channels) | same-origin

Two of these values deserve a second look before you leave them on. The preload token on HSTS is a commitment: once the domain is submitted to hstspreload.org and shipped in browser preload lists, every subdomain must serve valid HTTPS, and removal from the list takes months. COEP require-corp blocks any cross-origin image, font, script or iframe whose server does not send Cross-Origin-Resource-Policy or CORS headers; many third-party embeds do not, so test the site with it enabled.

Content-Security-Policy (CSP)

CSP is the most powerful and most complex header. It controls which sources can load scripts, styles, images, fonts and frames on your pages. A restrictive CSP can block legitimate third-party scripts (Google Analytics, payment gateways, live chat), so test every page type thoroughly after enabling. If a feature breaks, add the required origin (scheme and host, not a wildcard) to the appropriate CSP directive; for inline scripts prefer a nonce or hash over 'unsafe-inline', which reopens the XSS hole CSP is meant to close. If you can set headers directly, Content-Security-Policy-Report-Only evaluates a policy and reports violations without blocking anything, which is the safest way to try a stricter policy. See the Content Security Policy tutorial for examples and configuration.

Troubleshooting

A third-party service stopped working. Most likely CSP is blocking that domain's scripts. Open the browser DevTools Console (F12): the "Refused to load" message names both the blocked URL and the directive it violated (script-src, connect-src, frame-src, and so on). Add the blocked origin to that directive in WP Ghost. Note that declaring a directive that was previously absent switches off its fallback to default-src, so include 'self' and any other sources you still need when you create it.
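The same decision can be automated from the violation reports a browser POSTs when the policy carries report-uri or report-to. The following is an added Python example, not WP Ghost's code: it takes a starting policy and a report (both constructed below), works out the effective directive and the blocked origin, and returns the amended policy. It refuses to allow-list "inline" or "eval", since those need a nonce or hash rather than a host entry, and it seeds a newly created fetch directive with the sources it was inheriting from default-src so that 'self' does not silently disappear.

```python
"""Turn a CSP violation report into the policy change that unblocks it
(added example, not WP Ghost's code)."""
import json
from urllib.parse import urlsplit

# Constructed starting policy (assumed, not WP Ghost's default).
POLICY = ("default-src 'self'; "
          "script-src 'self' https://www.googletagmanager.com; "
          "frame-ancestors 'self'")

# Constructed report for a payment-gateway script blocked on the checkout page,
# in the JSON layout browsers POST to the report-uri / report-to endpoint.
REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/checkout/",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": POLICY,
    "blocked-uri": "https://js.stripe.com/v3/",
    "status-code": 200,
}})

# Fetch directives fall back to default-src (frame-src and worker-src via child-src)
# while they are absent from the policy; frame-ancestors, form-action etc. do not.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "frame-src", "worker-src", "manifest-src", "child-src",
}


def parse_csp(policy):
    """Policy string -> ordered {directive: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def serialize_csp(directives):
    return "; ".join(" ".join([name, *sources]) for name, sources in directives.items())


def source_for_blocked_uri(blocked):
    """Map blocked-uri to the source expression to allow, or None when a host
    allow-list is the wrong fix (inline and eval need a nonce or hash instead)."""
    if blocked == "self":
        return "'self'"
    if blocked in ("inline", "eval", ""):
        return None
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # origin only, never the full path
    if parts.scheme or blocked.isalpha():  # bare scheme such as "data" or "blob:"
        return f"{blocked.rstrip(':')}:"
    return None


def fallback_sources(directives, directive):
    """Sources a directive inherits while it is not declared in the policy."""
    if directive not in FETCH_DIRECTIVES:
        return []
    if directive in ("frame-src", "worker-src") and "child-src" in directives:
        return list(directives["child-src"])
    return list(directives.get("default-src", []))


def allow_from_report(policy, report):
    """Return the policy with the blocked origin added to the effective directive,
    or None when the report calls for a nonce/hash instead of a host entry."""
    if isinstance(report, str):
        report = json.loads(report)
    data = report.get("csp-report", report)
    directive = (data.get("effective-directive")
                 or data["violated-directive"].split()[0]).lower()
    source = source_for_blocked_uri(data.get("blocked-uri", ""))
    if source is None:
        return None
    directives = parse_csp(policy)
    if directive not in directives:
        # Declaring the directive switches off its fallback, so start from the
        # sources it was inheriting or 'self' vanishes from that directive.
        directives[directive] = fallback_sources(directives, directive)
    if source not in directives[directive]:
        directives[directive].append(source)
    return serialize_csp(directives)


if __name__ == "__main__":
    print(allow_from_report(POLICY, REPORT))
```

Treat the output as a proposal to review, not something to apply automatically: a report can be forged by anyone who can reach the report endpoint, so an attacker could otherwise talk your policy into allow-listing their own host.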

Page builder preview or iframes not loading. WP Ghost sets X-Frame-Options to SAMEORIGIN, which only allows framing by pages on exactly the same origin. A preview served from a different host, subdomain or scheme (for example a staging domain or an http:// preview of an https:// site) is blocked. If the header has been changed to DENY elsewhere, nothing can frame the page at all; set it back to SAMEORIGIN. Browsers that support CSP give frame-ancestors precedence over X-Frame-Options, so check that directive too when a frame stays blank.

Frequently Asked Questions

Which headers should I enable?

All of them. WP Ghost enables all seven with a single toggle. CSP is the one that typically needs customization for third-party services. Two others are worth knowing about: X-XSS-Protection is harmless but adds nothing in current browsers, which ignore it, and COEP require-corp is the header most likely to break external embeds (images, fonts, videos, widgets) that do not send the opt-in headers it requires.

Do security headers affect performance?

No. Security headers are a few hundred bytes at most in the HTTP response and cost nothing to render or to generate on the server. HSTS can even save a round trip, because returning visitors go straight to HTTPS instead of following an HTTP-to-HTTPS redirect.

Do security headers affect SEO?

Not directly. HSTS contributes to HTTPS enforcement which is a Google ranking signal. Google Lighthouse checks for security headers in its audit.

Does WP Ghost modify WordPress core files?

No. Headers are added through server configuration and PHP output. Switching the toggle off stops sending all seven headers immediately, with one practical exception: browsers that have already seen the HSTS header keep enforcing HTTPS for the max-age period (one year with the value above), and a domain submitted to the preload list keeps being enforced until it is removed from that list. Plan for that before disabling HTTPS on any subdomain.
