HTTP Strict Transport Security (HSTS) is a best practice for protecting your cookies and stopping protocol downgrade attacks on a WordPress site.
It tells browsers to talk to your site only over HTTPS, which prevents cookie hijacking and other attacks that depend on an attacker seeing or answering a plaintext HTTP request.
The one prerequisite is an SSL/TLS certificate installed on your site.
If you don't have a certificate yet, install one before going any further.
HSTS itself is just an HTTP response header (Strict-Transport-Security) that instructs the browser to use HTTPS for every future connection to the host.
Why Should I Use HTTP Strict Transport Security (HSTS) In WordPress?
HSTS isn't a 1990s concept; it was specified by the IETF in 2012 (RFC 6797).
So you might ask, “Why should I use it”?
Let’s have a look at the benefits of using HSTS.
- If a user tries to open the non-secure (HTTP) version of the site, the browser upgrades the request to HTTPS itself, before anything is sent on the wire.
- It protects your site's cookies from attackers: because the browser never sends a plaintext HTTP request to the host, a session cookie cannot be captured from one. Cookie hijacking over the network is stopped this way. (Still set the Secure flag on your cookies; HSTS is a second layer, not a replacement for it.)
- It doesn't allow users to click through an invalid-certificate warning for your host; the error becomes non-overridable.
Now let's see how to enable it on WordPress.
How To Implement HSTS on a WordPress Site?
To add the HSTS header, you apply a directive on the web server; the server then adds the Strict-Transport-Security header to its HTTPS responses.
It is not a redirect in the server sense, but its effect looks like one: the browser rewrites http:// URLs to https:// on its own. So you may ask, "If I have 301 redirects from HTTP to HTTPS enabled, can I use it?"
Yes, and you should keep the 301: a browser that has never seen your header still needs one plain-HTTP response to reach HTTPS the first time, and the preload list requires that redirect. Those worried about their SEO needn't panic; Google's security team has said that you can use the HSTS header together with 301 redirects.
The header has several directives, not just one. The snippets below apply a single one, max-age, which tells the browser how long (in seconds) to remember the policy.
Implement HSTS in Apache
If your WordPress website runs on the Apache web server, you can edit your .htaccess file.
Add this line at the bottom of the file (the value is quoted; the header only has an effect on HTTPS responses, since browsers ignore it over plain HTTP):
Header always set Strict-Transport-Security "max-age=31536000"
You can omit the word always, but it is better kept: with always, Apache also adds the header to error and redirect responses, not only to successful ones.
Implement HSTS In NGINX
If you are running your website on NGINX, there is no .htaccess file, because that is an Apache mechanism.
Instead, find the NGINX configuration file (nginx.conf, or your site's file under sites-enabled or conf.d).
Inside it, locate the server block that listens on port 443 (ssl) and add this directive to it. Note the closing semicolon, and the always parameter, which makes NGINX send the header on error and redirect responses too:
add_header Strict-Transport-Security "max-age=31536000" always;
One NGINX caveat: add_header directives are not merged across levels. If a location block of its own has any add_header line, it replaces every add_header inherited from the server block, so the HSTS line must be repeated there. Test and reload with nginx -t && nginx -s reload.
That is how you add HSTS to a WordPress-powered website.
Now let's look at the other directives.
Preload HSTS Directive
HSTS preloading is a mechanism for enforcing HTTPS before the browser has ever connected to your site. A plain HSTS header only protects a browser after it has seen the header once; the very first plain-HTTP request is still exposed, and preloading closes that gap.
Browsers ship with a built-in list of HSTS hosts. The list is compiled by Google and used in Chrome; other browsers such as Safari, Firefox and Opera also use it.
To get on the list, submit your domain through this site: https://hstspreload.appspot.com/
Before submitting your website to the preload list, check the following. If the requirements are met, your domain will be added.
- Must have a valid SSL/TLS certificate.
- Serve the base domain and all subdomains over HTTPS, and redirect HTTP to HTTPS on the base domain.
- HSTS must apply to all subdomains too (the includeSubDomains directive).
- Must have an expiry directive (max-age) of at least one year (31536000 seconds).
- Must have
To satisfy all of the above, put this block in your .htaccess file. The env=HTTPS condition limits the header to responses served over TLS, and the IfModule wrapper keeps Apache from failing if mod_headers is not loaded:
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
Before you add includeSubDomains and preload, make sure every subdomain actually serves HTTPS, including the ones you rarely think about (mail., dev., staging., internal hosts): once a browser has seen includeSubDomains, those hosts become unreachable over plain HTTP for a year, and a preload entry cannot be withdrawn quickly, since removal from the list only reaches users with new browser releases.
Remember to remove the earlier HSTS line from .htaccess if you added it, so the header is not sent twice.
How To Verify HSTS Header?
There are different ways to check whether your site is sending the HSTS header.
The easiest is the browser's inspect tool.
Open your base website over https://, open the Inspect tool and go to the Network tab. Click the request for the base domain and look at the response headers for Strict-Transport-Security. From the command line, curl -sI https://yourdomain.example | grep -i strict-transport-security shows the same header. A real-life example is below.
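The browser-side behaviour described earlier (remember the policy, upgrade http:// URLs before they leave the machine, honour includeSubDomains, ignore the header when it arrives over plain HTTP) and the preload requirements listed above can both be modelled in a few dozen lines. The following is an added example written for this page; it is not WordPress, Apache, nginx or browser code, every header value and hostname in it is constructed, and the one-year threshold is the preload requirement stated above. You can paste the header value that curl or the Network tab shows for your own site into preload_ready() to check it offline.

```python
"""Added example for this page: a model of what a browser does with a
Strict-Transport-Security header (RFC 6797) plus an offline checker for
the preload-list requirements.  Not WordPress, Apache, nginx or browser
code; every header value and hostname below is constructed."""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # preload requirement: max-age of at least one year


def parse_hsts(value):
    """Parse an STS header value into a dict, or return None if invalid.

    RFC 6797 section 6.1: directives are separated by ';', names are
    case-insensitive, max-age is mandatory, a directive must not appear
    twice, and unknown directives are ignored."""
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicated directive: the whole header is invalid
        seen[name] = val.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None  # max-age missing or not a number
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


class HstsStore:
    """The per-host policy cache a browser keeps between visits."""

    def __init__(self, preloaded=()):
        # host -> (expiry in epoch seconds, include_subdomains);
        # preloaded hosts are built into the browser and never expire
        self.policies = {h: (float("inf"), True) for h in preloaded}

    def observe(self, url, headers, now=None):
        """Record the policy carried by a response; True if it was applied.

        Headers received over plain HTTP are ignored (RFC 6797 section 8.1),
        so an attacker answering http:// requests cannot plant, shorten or
        clear a policy.  max-age=0 tells the browser to forget the host."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.policies.pop(parts.hostname, None)
            return True
        self.policies[parts.hostname] = (now + policy["max_age"],
                                         policy["include_subdomains"])
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent domain whose policy has
        includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:  # exact host, or a parent covering subdomains
                return True
        return False

    def rewrite(self, url, now=None):
        """What happens before a request is sent: an http:// URL for a known
        host is rewritten to https:// (the '307 Internal Redirect' shown in
        the Network tab).  Any other URL is returned unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_ready(value):
    """Check a header value against the preload requirements listed above.
    Returns a list of problems; an empty list means the header qualifies.
    The HTTP-to-HTTPS redirect and the certificate cannot be checked offline."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header missing or malformed (max-age is required)"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is below {ONE_YEAR}")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems
```

The store deliberately refuses a policy seen over http:// and removes one on max-age=0 only when that arrives over https://; those two rules are what make a cached HSTS policy safe against a network attacker who can answer plaintext requests. The subdomain walk in is_known is also why includeSubDomains must be set carefully: a policy on example.com with that directive covers mail.example.com and every other label beneath it.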
Now the HSTS header is successfully applied to our website. Next, the browsers that support it.
Browsers That Support HSTS
Every current mainstream browser supports HSTS:
- Chrome, on desktop and on Android
- Firefox
- Safari, on desktop and on iOS
- Edge and Opera
The notable exception is Opera Mini, whose server-side rendering proxy does not honour HSTS.
Does HSTS Have an Impact On SEO?
Once your website is on the preload list (or simply has HSTS active in a visitor's browser), you are going to see lots of 307 redirects in the browser's Network tab.
The reason: visitors are typing or following http:// links, and the browser is upgrading them to HTTPS before the request is sent.
So, what are 301 and 307?
301 Redirect: a permanent redirect, issued by the server.
307 Internal Redirect: a temporary redirect performed by the browser itself. It shows up in the developer tools but never reaches your server, or Google's crawler.
Don't worry; your server-side 301 redirects are still in place for any client without a cached policy, which includes search-engine crawlers; the 307s are the browser's own doing.
So we can say that HSTS has no negative impact on SEO.
That's all on how to implement HTTP Strict Transport Security (HSTS) in WordPress.
I hope you enjoyed this tutorial. Please share it with your friends, and don't forget to leave a comment and subscribe to our YouTube channel.