
Security Headers

Technical explanation and recommendations for security headers.

  • My personal recommendations for most sites are to enable only these options: XML-RPC, REST API, XSS, and 7G WAF.
  • Leave the rest disabled unless you know how they might affect your site.
  • Even if all of these are off, your site will be fine under 99% of use cases.
  • There will always be silly guides online or “security tests” making clients feel vulnerable. I don’t argue with naive clients. You can follow my recommendations, or you can risk breaking your site functionality if you decide to cover every security vulnerability. (Sometimes sites will appear to work fine, but break suddenly later down the line. You have been warned!)
  • Done configuring? – test your security headers with SecurityHeaders.com.
  • Always remember to restart OLS after any .htaccess or server configuration changes.
  • If your .htaccess was accidentally reset, simply re-enable these options to toggle them back on again.
  • Yes, OpenLiteSpeed configuration rules function and appear different from other web servers. That’s why following guides written for Apache/NGINX will not work. Almost all security headers (except for XML-RPC & 7G WAF) have to be put in your OLS vhost config instead of .htaccess.

1. XML-RPC:

  • A protocol used to connect to (and log into) your WordPress site through an app or service other than your browser.
  • Any lost functionality? Do you use any app or service to connect to your WordPress site, like a mobile app or a 3rd-party backup service? If not, you can safely disable this protocol. An easy way to test is to disable it and see if anything breaks. Most sites are not using the XML-RPC protocol.
  • How do hackers exploit the XML-RPC protocol? – They DDOS attack it, hogging server resources and bringing your site/server down.
  • To block the XML-RPC protocol – enable it in site security settings, or copy the snippet below into your .htaccess file. (The comment must sit on its own line; rewrite rules do not accept trailing comments.)
# BP security header - Disable XMLRPC
RewriteEngine On
RewriteRule ^(.*)?xmlrpc\.php(.*)$ - [F,L,NC]

2. Default Content Security Policy (CSP)

  • The CSP header tells browsers which resources they are allowed to load, and from which domains.
  • For example, your CSP header might specify that all resources must be loaded from your own domain, or that CSS and JS may only be loaded from your domain and not from others.
  • This header must be custom-configured to your site’s needs or else it almost always breaks WordPress site functionality, even on brand new installs! For example, if you have special request types, or need to allow other domains (like for a CDN or 3rd-party services), then you must specify that in your CSP header. Otherwise, certain elements of your site will not load properly.
  • Recommended reading for more info on CSP.
  • To enable CSP – enable in site security settings, or manually copy the snippet below to OLS console > Virtual Hosts > Context (tab) Header Operations.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:
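To see why this default policy breaks anything that is not served from your own domain, here is an added example (not BlaqPanel’s code) that applies the snippet above to resource URLs the way a browser would, including the default-src fallback for directives the policy does not name. The policy text is the one above; the page origin and any URLs you test it against are assumptions.

```python
"""Check which resources the CSP snippet above would allow a WordPress page to load.

Added example, not BlaqPanel's own code. CSP is the policy from the snippet above;
the URLs in the test are constructed to show why CDN scripts and embeds break.
"""
from urllib.parse import urlparse

CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
       "connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; "
       "font-src 'self' data:;")

# Fetch directives that inherit from default-src when not set explicitly
FALLS_BACK = {"script-src", "style-src", "img-src", "font-src", "connect-src",
              "frame-src", "media-src", "object-src"}

def parse_csp(policy: str) -> dict[str, list[str]]:
    """Turn 'name src src; name src' into {name: [sources]}."""
    parsed: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            parsed[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return parsed

def is_allowed(policy: dict[str, list[str]], directive: str, url: str, page_origin: str) -> bool:
    """Apply the source list for `directive` (or its default-src fallback) to `url`."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = policy.get("default-src")
    if sources is None or "*" in sources:  # no restriction set
        return True
    if "'none'" in sources:
        return False
    u = urlparse(url)
    if u.scheme == "data":  # data: URIs need the data: scheme-source
        return "data:" in sources
    host = u.netloc.lower()
    origin = f"{u.scheme}://{host}"
    if origin == page_origin.lower() and "'self'" in sources:
        return True
    for src in sources:
        if src.startswith("'"):  # keywords are not host sources
            continue
        if src in (host, origin):  # host-source with or without scheme
            return True
        if src.startswith("*.") and host.endswith(src[1:]):  # wildcard subdomain
            return True
    return False
```

A Gravatar avatar or a YouTube embed fails under the default snippet because img-src is 'self' and frame-src falls back to default-src 'self'; adding the host (e.g. `*.gravatar.com`) to the relevant directive is the fix the bullet above describes.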

3. HTTP Strict Transport Security (HSTS)

  • The HSTS header tells browsers to always connect to your site over HTTPS, even when a link or typed address says http://. This protects against MITM attacks that target, or downgrade to, insecure HTTP connections.
  • Possible drawbacks? – if for any reason there is ever a lapse in your SSL certificate renewal or a messy migration, your site will be completely blocked from access for as long as the max-age the browser remembers (one year in the snippet below). (There is no browser “Advanced – proceed anyway” link.) The preload directive goes further: it marks your domain as eligible for the preload lists built into browsers, which is slow to undo. For this reason, I personally hate HSTS security and feel it’s potentially a lot of problems.
  • To enable the HSTS header – enable in site security settings, or manually copy the snippet below to OLS console > Virtual Hosts > Context (tab) Header Operations.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

4. Default Referrer Policy

  • Controls how much of the current page’s URL is sent as the “referrer” in the request header when visitors click outbound links from your site or load resources from other domains. This is less about security and more about following GDPR regulations.
  • To enable the Referrer-Policy header – enable in site security settings, or manually copy the snippet below to OLS console > Virtual Hosts > Context (tab) Header Operations.
  • Read more about the Referrer Policy security header.
Referrer-Policy: no-referrer, strict-origin-when-cross-origin

5. REST API

  • The REST API is an interface developers use to connect to WordPress installations from the outside and request data.
  • How is the REST API exploited? It exposes an endpoint to the public that can be DDOS attacked (and bring down your site/server). It’s not commonly exploited, but it’s not a bad idea to close it if you (or your themes and plugins) are not using the REST API. Note that the WordPress block editor and many plugins rely on the REST API for logged-in users, so disabling it only for anonymous visitors is the usual approach.
  • How to disable the REST API – there are rules you can add in .htaccess, but the best way is via a plugin. Try Disable Rest API or Disable WP Rest API. There is also an .htaccess method if you want to try it. You should test that your site works fine afterwards (especially on sites with plugins connecting to 3rd-party services).

6. X-Frame-Options: SAMEORIGIN

  • This header controls whether other sites may load your pages inside a frame (iframe). With SAMEORIGIN, only pages on your own domain can frame your content, so hackers cannot embed your site inside theirs and overlay it with junk.
  • To enable the X-Frame-Options header – enable in site security settings, or manually copy the snippet below to OLS console > Virtual Hosts > Context (tab) Header Operations. Put the snippet on its own line. You cannot (should not) use both SAMEORIGIN & DENY. Pick just one.
X-Frame-Options: SAMEORIGIN

7. X-Frame-Options: DENY

  • Blocks your website from being embedded anywhere, including inside your own pages. So others can’t fake your content and steal your clicks (“clickjacking”).
  • Any lost functionality? Yes, certain pages may not work (anything that frames your own site, such as some page builders or previews). Test it.
  • To enable this X-Frame-Options header – enable in site security settings, or manually copy the snippet below to OLS console > Virtual Hosts > Context (tab) Header Operations. Put the snippet on its own line. You cannot (should not) use both SAMEORIGIN & DENY. Pick just one.
X-Frame-Options: DENY

8. Cross-Site-Scripting (XSS)

  • The XSS (or X-XSS-Protection) security header tells the browser’s built-in XSS filter to block the page when it detects a reflected script in the request. Current Chrome, Edge and Firefox no longer ship this filter, so the header is harmless but largely ignored by modern browsers; it mainly satisfies older scanners.
  • Any lost functionality? This one is pretty safe to use and doesn’t (shouldn’t) break any functionality.
  • To enable this XSS header – enable in site security settings, or copy the snippet below to OLS console > Virtual Hosts > Context (tab) Header Operations, like the other headers above.
X-XSS-Protection: 1; mode=block

9. Default Permissions Policy

  • The Permissions Policy header decides which browser features the website can use on its own pages or in embedded content. Examples of browser features are: geolocation, video autoplay, encrypted-media decoding, the user’s camera/microphone, fullscreen, etc.
  • Any drawbacks? Kind of a pain to granularly block every nuanced setting. I’d say you can safely ignore this.
  • To enable the Permissions Policy header – enable in site security settings, or manually copy the snippet below to OLS console > Virtual Hosts > Context (tab) Header Operations. The snippet provided below is just our default, but you can go to Header Operations to customize it for your needs. An easier (less technical) method is using the Really Simple SSL plugin (PAID version), but I really hate slowing down your site with more plugins for these tiny things.
  • Customize your permissions policy with this Permissions Policy generator.
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()

10. 7G WAF (web application firewall)

  • The 7G WAF (made by Jeff Starr) is not a single header but a large set of .htaccess rules that block browser agents and request patterns known for malicious behavior. It blocks typical layer-7 DDOS attacks that hog server resources as well as application-level scans that attempt to execute malicious code.
  • To enable the 7G WAF – enable in Site settings (Security TAB), or copy the 7G firewall rules into your .htaccess.
  • If you’re experiencing a suddenly slow site and lots of bot traffic or DDOS attack, enabling this can help drastically!

11. X-Content-Type-Options

  • Not officially automated through BlaqPanel. But the snippet is here if you’re trying to satisfy random security header tests.
  • The X-Content-Type-Options header stops the browser from trying to MIME-sniff the content type and forces it to honour the declared Content-Type. Without it, a browser may treat a file served as one type as script or HTML; hackers rely on this by disguising backdoor files under another content-type/extension and then requesting/running them from the browser.
  • Manually copy the snippet below to OLS console > Virtual Hosts > Context (tab) Header Operations.
X-Content-Type-Options: nosniff
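Once the headers are in place, the checks this page describes (HSTS max-age and preload, one X-Frame-Options value only, nosniff present, CSP weakened by 'unsafe-inline'/'unsafe-eval') can be run against a captured response. The following is an added example, not BlaqPanel’s code; SAMPLE_RESPONSE is a constructed response with several of those mistakes, and the findings texts are our own.

```python
"""Audit a site's response headers against the checks described on this page.

Added example, not BlaqPanel's own code. SAMPLE_RESPONSE is a constructed
response (what `curl -I` might print) so the script runs offline.
"""
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: LiteSpeed
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=3600; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
"""
ONE_YEAR = 31536000  # the max-age used in the HSTS snippet on this page

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Lower-cased header map; duplicates are kept so they can be flagged."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(headers: dict[str, list[str]]) -> list[str]:
    """Return findings; an empty list means nothing on this page's checklist to fix."""
    findings = []
    for hsts in headers.get("strict-transport-security", []):
        directives = {}
        for part in hsts.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value
        max_age = directives.get("max-age", "")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append("HSTS max-age is below one year; a short value adds little protection")
        if "preload" in directives:
            findings.append("HSTS preload is set; removal from browser preload lists is slow (months)")
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if len(xfo) > 1:
        findings.append("X-Frame-Options sent more than once; use SAMEORIGIN or DENY, not both")
    elif xfo and xfo[0] not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options value {xfo[0]!r} is not SAMEORIGIN or DENY")
    if not any("nosniff" in v.lower() for v in headers.get("x-content-type-options", [])):
        findings.append("X-Content-Type-Options: nosniff is missing")
    for csp in headers.get("content-security-policy", []):
        for token in ("'unsafe-inline'", "'unsafe-eval'"):
            if token in csp:
                findings.append(f"CSP allows {token}; WordPress often needs it, but it weakens script-src")
    return findings
```

Paste the output of `curl -sI https://your-site.example/` into SAMPLE_RESPONSE to audit a real site; headers the page treats as optional (CSP, X-Frame-Options) are only checked when present.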