Security Headers

Plugin to ease the setting of HTTP security headers such as HSTS from the WordPress admin

Rating summary: 5 (8 reviews). Active installations: 5K.


Main benefits

  • Control HTTP headers easily
  • Enhance website security
  • Mitigate clickjacking risks
  • Ensure certificate transparency
  • Re-enable XSS protection

About this plugin

Categories: Security
Version: 1.1
Last updated: 26-02-2019
Minimum WordPress version: 3.8.1
Tested up to: 5.1.19
PHP version required: 5.6

Overview

This WordPress plugin adds HTTP security headers to the site's responses from the WordPress admin interface, so no server configuration or .htaccess changes are needed. It can set Strict-Transport-Security (HSTS), which makes browsers use HTTPS for all future connections to the host and refuse click-through of certificate warnings; Public-Key-Pins (HPKP), which restricts the site to a set of pinned public keys beyond what the Certificate Authority trust model provides; X-Content-Type-Options: nosniff, which stops browsers from reinterpreting a response as a different MIME type; X-XSS-Protection with the 'block' option; X-Frame-Options against clickjacking; and Expect-CT for Certificate Transparency. A caveat for current deployments: HPKP and Expect-CT are legacy headers that browsers no longer honour (Chrome removed HPKP in version 72 and has since dropped Expect-CT, since Certificate Transparency is enforced by default), and the XSS auditor controlled by X-XSS-Protection was removed from Chromium in version 78 and never existed in Firefox, so the current advice is to send X-XSS-Protection: 0 or omit it and to use Content-Security-Policy instead. The HSTS, nosniff and X-Frame-Options settings remain worthwhile.

HSTS (Strict-Transport-Security)

  • Tells the browser that, for the max-age period, every future connection to the host must use HTTPS; plain http:// URLs are upgraded before the request leaves the browser.
  • Disallows click-through of certificate warnings for the site: a certificate error becomes a hard failure.
  • Only takes effect once the browser has seen the header over a valid HTTPS response, so the first visit remains unprotected unless the domain is on the browser preload list.

HPKP (Public-Key-Pins)

  • Restricts the site to a set of pinned public keys, a check in addition to the Certificate Authority trust model.
  • Intended to stop man-in-the-middle attacks that present a certificate from a CA the browser would otherwise trust.
  • Legacy: no current browser honours this header (Chrome removed support in version 72), and a wrong or rotated pin set locks users out for max-age seconds. Do not enable it on a new deployment.

Disabling Content Sniffing (X-Content-Type-Options)

  • With the value nosniff, prevents browsers from MIME-sniffing a response into a type other than the one its Content-Type header declares.
  • Reduces the risk from user-uploaded files, for example a text upload being rendered as HTML or a non-script response being executed as JavaScript.
  • Ensures that content is handled in a predictable manner.

XSS Protection (X-XSS-Protection)

  • Re-enables the browser's built-in XSS auditor if a user had disabled it.
  • Sets the 'block' mode so a detected reflection blocks the page instead of being silently filtered.
  • Legacy: the auditor was removed from Chromium in version 78 and never existed in Firefox, and the filter in older browsers could be abused to leak cross-site information, so the current advice is to send X-XSS-Protection: 0 (or omit the header) and rely on Content-Security-Policy.
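As an added example (not the plugin's own code), the following Python script audits the response head a site actually returns against the header policy described above, including the legacy status of HPKP, Expect-CT and X-XSS-Protection. The 180-day HSTS threshold, the two sample responses and the pin placeholder are constructed for illustration and are not values from the plugin.

```python
"""Audit a raw HTTP response head against the header policy this page describes.

Added example, not code from the Security Headers plugin. Input is the response
head as printed by `curl -sI https://example.com/`; output is a list of findings.
Thresholds and the legacy-header list are this example's own assumptions.
"""
from typing import Dict, List

# Assumption: anything under 180 days is reported as short. The hstspreload.org
# list requires max-age >= 31536000 (one year) plus includeSubDomains and preload.
MIN_HSTS_MAX_AGE = 15552000

# Headers this plugin could set that browsers no longer honour.
LEGACY_HEADERS = {
    "public-key-pins": "HPKP support is gone from browsers; a bad pin set locks users out",
    "expect-ct": "Expect-CT is deprecated; Certificate Transparency is enforced by default",
}


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a status line plus header lines into {lower-cased name: value}.

    Repeated fields are joined with ", " so a duplicate is not silently dropped.
    """
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is "HTTP/1.1 200 OK"
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_directives(value: str) -> Dict[str, str]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into {name: value}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.strip().partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the response matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # HSTS: present, long-lived, and covering subdomains (otherwise a plain
    # http://www.example.com page can still set cookies for the parent domain).
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    # MIME sniffing: only the exact token counts.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Clickjacking: X-Frame-Options or the CSP frame-ancestors directive that
    # supersedes it (CSP directives are space-separated, not name=value).
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    csp_names = {p.split()[0].lower() for p in csp.split(";") if p.strip()}
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp_names:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    for name, why in LEGACY_HEADERS.items():
        if name in h:
            findings.append(f"{name} present: {why}")
    # The XSS auditor is gone from Chromium and never existed in Firefox; "0"
    # (disable it in old browsers) is the only value still worth sending.
    if h.get("x-xss-protection", "0").strip() != "0":
        findings.append("X-XSS-Protection enables the removed XSS auditor; send 0 or drop it")
    return findings


def audit_raw(raw: str) -> List[str]:
    return audit_headers(parse_raw_headers(raw))


# Constructed sample: a site running this plugin's older options with a short
# HSTS lifetime. The pin value is a placeholder, not a real key hash.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
X-XSS-Protection: 1; mode=block
Public-Key-Pins: pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; max-age=5184000
"""

# Constructed sample: what a current hardened configuration should return.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 0
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_raw(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it as `python audit_headers.py` to see both samples scored, or replace the sample with the output of `curl -sI` against your own site. The hardened sample yields no findings; the weak one yields six, which is the shape of a default installation of this plugin's era that enabled HPKP and the XSS auditor but left HSTS short-lived.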

Rating and reviews


User sentiment analysis

Users appreciate the plugin's simple installation and configuration, which makes managing security headers from the WordPress admin easier, and report that it works as described on HTTPS sites. One significant drawback is reported: with the plugin enabled, the Tawk.to chat widget no longer displays in Chrome, Firefox and Safari, though it still appears in Edge. Reviewers also ask for Content-Security-Policy and Expect-CT options in future releases.
krsi78 (14 May, 2020)

Just a quick warning: if you enable this plugin, the Tawk.to widget is no longer displayed in Chrome, Firefox and Safari. Edge is not affected (yet?).

flch (11 Feb, 2019)

Works great and makes security much easier. Thanks for this great plugin!

tone_milazzo (21 Jun, 2018)

My topic can’t be empty so I’m writing this to fill it.

bozon (20 Jun, 2017)

Works really well! Tested with [link removed]. For future releases it would be good to include Content-Security-Policy and the forthcoming Expect-CT options. [This topic was modified 7 years, 1 month ago by bdbrown. Reason: links not permitted in reviews.]

WebBever (26 May, 2017)

Easy to use, works like a charm!

FAQ

What is the purpose of the TLS plugin?

How does HSTS improve website security?

What is HPKP and why is it important?

Why should I disable content sniffing?

What does XSS protection do?

How does the plugin help with clickjacking protection?

What is Expect-CT and its role in security?

Can I use this plugin on a shared IP address?