When someone visits your website, their browser and your server exchange a series of HTTP headers. Most of these are mundane — content type, cache rules, cookies. But a special class of security headers can dramatically reduce your exposure to some of the most common web attacks.
The problem? WordPress doesn’t set any meaningful security headers by default. That leaves your site and your visitors exposed to threats that security headers are specifically designed to prevent.
The Security Headers That Matter
X-Frame-Options
This header prevents your site from being embedded in an iframe on another domain. Without it, attackers can use a technique called clickjacking — overlaying your site in a hidden iframe on a malicious page, tricking visitors into clicking buttons or links they can’t see. Setting X-Frame-Options: SAMEORIGIN ensures your pages can only be framed by your own site.
X-XSS-Protection
This header activates the browser’s built-in cross-site scripting (XSS) filter. When the browser detects a potential XSS attack — injected scripts in the URL or form data — it blocks execution rather than rendering it. The recommended value is 1; mode=block. Note that the major browsers have since removed this filter (Firefox never shipped one), so the header only affects older browsers; Content Security Policy is the modern replacement.
HTTP Strict Transport Security (HSTS)
HSTS tells browsers to always connect to your site over HTTPS, even if someone types http:// or follows an HTTP link. This prevents protocol downgrade attacks and man-in-the-middle attacks that rely on intercepting unencrypted connections. Once a browser sees your HSTS header, it enforces HTTPS for the duration you specify — typically one year.
Content Security Policy (CSP)
CSP is the most powerful — and most complex — security header. It defines exactly which sources of scripts, styles, images, and other resources are allowed to load on your pages. A properly configured CSP makes it dramatically harder for injected scripts to execute, even if an XSS vulnerability exists in your site. Getting CSP right requires care (a misconfigured policy can break your site), but the protection it provides is substantial.
Referrer Policy
When a visitor clicks a link from your site to another site, their browser sends a Referer header revealing which page they came from. This can leak sensitive URL parameters, internal paths, or user session data to third parties. Setting a Referrer-Policy header controls exactly how much referrer information is shared.
X-Content-Type-Options
This header prevents browsers from guessing (or “sniffing”) the content type of a response. Without it, a browser might interpret a text file as executable JavaScript if the content looks like code — a technique used in some injection attacks. Setting X-Content-Type-Options: nosniff disables this behavior.
Why WordPress Doesn’t Set These By Default
WordPress is built to be flexible and run in almost any environment. Setting aggressive security headers by default would break sites that embed WordPress pages in iframes, rely on certain third-party scripts, or mix HTTP and HTTPS content. So WordPress leaves header configuration to site owners — which means most sites never configure them at all.
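Since WordPress leaves header configuration to the site owner, here is what sending the six headers described above looks like using WordPress’s own hooks. This is an added example, not code from this article or from Trusti Security; the CDN host, the CSP report endpoint, the function name and the CSP source lists are placeholders and assumptions you would adjust for your own theme and plugins.

```php
<?php
/**
 * Added example (not from the article or from Trusti Security).
 * Sends the six security headers discussed above from WordPress hooks.
 * Save as wp-content/mu-plugins/security-headers.php on a site you administer.
 * Placeholders/assumptions: the CDN host, the CSP report endpoint and the
 * source lists, which you would adjust for your own theme and plugins.
 */

function example_send_security_headers() {
    // Headers may already be on the wire (or set by the web server); don't send twice.
    if ( headers_sent() ) {
        return;
    }

    // Clickjacking: only pages from this origin may frame us.
    header( 'X-Frame-Options: SAMEORIGIN' );

    // MIME sniffing: browsers must honour the declared Content-Type.
    header( 'X-Content-Type-Options: nosniff' );

    // Legacy XSS filter, as recommended above; ignored by browsers that dropped it.
    header( 'X-XSS-Protection: 1; mode=block' );

    // Full URL to same-origin pages, origin only to other sites, nothing on HTTPS->HTTP.
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );

    // HSTS for one year, only over HTTPS: a browser that receives it will
    // refuse plain-HTTP access to the host for the whole max-age.
    // Add 'includeSubDomains' only once every subdomain is served over HTTPS.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }

    // CSP in Report-Only mode: violations are reported, nothing is blocked.
    // Rename the header to Content-Security-Policy once the reports are clean.
    $csp = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self' https://cdn.example.invalid",  // placeholder CDN host
        "style-src 'self' 'unsafe-inline'",               // WordPress core emits inline styles
        "img-src 'self' data: https:",
        "frame-ancestors 'self'",                          // CSP counterpart of X-Frame-Options
        'report-uri /wp-json/example/v1/csp-report',       // placeholder report endpoint
    ) );
    header( 'Content-Security-Policy-Report-Only: ' . $csp );
}

// Front-end requests fire send_headers; admin screens fire admin_init before any output.
add_action( 'send_headers', 'example_send_security_headers' );
add_action( 'admin_init', 'example_send_security_headers' );
```

Two design choices matter here. HSTS is sent only when is_ssl() is true, because once a browser has seen it over HTTPS it will refuse plain HTTP for the whole max-age, which locks out a site that is not yet fully on HTTPS. The CSP starts as Report-Only so a policy that is too strict for your theme or plugins produces violation reports instead of a broken site; you switch to the enforcing header name once the reports are clean.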
Setting Security Headers with Trusti Security
Configuring security headers traditionally means editing your server configuration files — Apache’s .htaccess or Nginx’s nginx.conf. This requires server access, comfort with configuration syntax, and testing to make sure nothing breaks.
Trusti Security handles all of this from your WordPress admin panel. It includes a dedicated Security Headers module that lets you configure X-Frame-Options, X-XSS-Protection, HSTS, Content Security Policy, Referrer Policy, and X-Content-Type-Options without touching a single server file.
Each header can be enabled, configured, and tested from a simple interface. Trusti Security also shows you your current header configuration so you can see at a glance what’s protecting your site and what still needs attention.
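To see which of these headers a site actually sends, the check below evaluates a set of response headers against the recommendations in this article and lists what is missing or weak. This is an added example, not Trusti Security’s code; the two header sets are constructed samples, and example.invalid is a placeholder hostname.

```php
<?php
/**
 * Added example (not Trusti Security's code): audits a set of HTTP response
 * headers against the recommendations above. Sample headers are constructed.
 */

function example_audit_security_headers( $headers ): array {
    // Normalise names to lower case; multi-valued headers arrive as arrays.
    $h = array();
    foreach ( $headers as $name => $value ) {
        $h[ strtolower( $name ) ] = is_array( $value ) ? implode( ', ', $value ) : $value;
    }
    $findings = array();

    $csp = isset( $h['content-security-policy'] ) ? $h['content-security-policy'] : '';

    // Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive will do.
    if ( empty( $h['x-frame-options'] ) && stripos( $csp, 'frame-ancestors' ) === false ) {
        $findings[] = 'X-Frame-Options missing (and no CSP frame-ancestors): clickjacking possible';
    }

    if ( ! isset( $h['x-content-type-options'] ) || strtolower( trim( $h['x-content-type-options'] ) ) !== 'nosniff' ) {
        $findings[] = 'X-Content-Type-Options is not "nosniff": MIME sniffing allowed';
    }

    // HSTS present, and max-age at least one year (31536000 seconds).
    if ( empty( $h['strict-transport-security'] ) ) {
        $findings[] = 'Strict-Transport-Security missing: HTTPS not enforced by the browser';
    } elseif ( ! preg_match( '/max-age=(\d+)/i', $h['strict-transport-security'], $m ) || (int) $m[1] < 31536000 ) {
        $findings[] = 'Strict-Transport-Security max-age below one year';
    }

    if ( $csp === '' ) {
        $findings[] = empty( $h['content-security-policy-report-only'] )
            ? 'Content-Security-Policy missing'
            : 'Content-Security-Policy only in Report-Only mode (not yet enforced)';
    }

    if ( empty( $h['referrer-policy'] ) ) {
        $findings[] = 'Referrer-Policy missing: full Referer may leak to third parties';
    }

    if ( ! isset( $h['x-xss-protection'] ) ) {
        $findings[] = 'X-XSS-Protection not set (affects legacy browsers only)';
    }

    return $findings;
}

// Constructed sample: roughly what a stock WordPress install sends.
$default_wp = array(
    'Content-Type'  => 'text/html; charset=UTF-8',
    'Link'          => '<https://example.invalid/wp-json/>; rel="https://api.w.org/"',
    'Cache-Control' => 'no-cache',
);

// Constructed sample: the same site after the headers above are configured.
$hardened = array(
    'Content-Type'              => 'text/html; charset=UTF-8',
    'X-Frame-Options'           => 'SAMEORIGIN',
    'X-Content-Type-Options'    => 'nosniff',
    'X-XSS-Protection'          => '1; mode=block',
    'Strict-Transport-Security' => 'max-age=31536000',
    'Content-Security-Policy'   => "default-src 'self'; frame-ancestors 'self'",
    'Referrer-Policy'           => 'strict-origin-when-cross-origin',
);

print_r( example_audit_security_headers( $default_wp ) );
print_r( example_audit_security_headers( $hardened ) );
```

On a live site you can feed the function the headers of your own front page with wp_remote_retrieve_headers( wp_remote_head( home_url( '/' ) ) ); the returned object is iterable, so it works with the foreach loop above.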
How Security Headers Fit Into a Broader Strategy
Security headers are one layer of a complete WordPress security strategy. They protect your visitors’ browsers and prevent certain categories of attacks, but they work best alongside other protections: brute force prevention, two-factor authentication, vulnerability scanning, and IP blocking.
Trusti Security integrates all of these into a single plugin. Security headers are just one part of what it does — but they’re an important part, and one that most WordPress sites are missing entirely.