Production-ready .htaccess security headers for WordPress. Strong protection with full compatibility for embeds, iframes, and external content (YouTube, Twitter, Google services). Requires HTTPS. Includes CSP, HSTS, XSS protection, and secure cookies.
```apache
<IfModule mod_headers.c>
# Permissions Policy - denies the listed browser features (motion sensors, camera,
# geolocation, microphone, payment, USB) to this origin and to any frames it embeds
Header always set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
# X-Frame-Options - this site may only be framed by pages from the same origin
# (wp-admin keeps working); it does not restrict embeds this site loads from elsewhere
Header set X-Frame-Options SAMEORIGIN
# XSS Protection - legacy filter header; current browsers ignore it, kept for older ones
Header set X-XSS-Protection "1; mode=block"
# Cross-Domain Policies - no Flash/PDF cross-domain policy files are honoured
Header set X-Permitted-Cross-Domain-Policies "none"
# Referrer Policy - full URL only to same-origin requests, origin only to other HTTPS sites
Header set Referrer-Policy "strict-origin-when-cross-origin"
# Content Type Options - stop MIME sniffing
Header always set X-Content-Type-Options "nosniff"
# Secure Cookies - append the flags to every Set-Cookie. The attributes are appended even
# when already present, and browsers use the last SameSite value, so a cookie a plugin
# deliberately sets with SameSite=None (cross-site use) ends up Lax.
Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure; SameSite=Lax"
# HSTS (HTTP Strict Transport Security) - browsers use HTTPS only for one year, for this
# host and every subdomain; make sure all subdomains serve valid HTTPS before enabling
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Remove server info - drops the PHP version header (the Server header itself is
# controlled by ServerTokens, not by mod_headers)
Header always unset X-Powered-By
</IfModule>
```
Installation
- Backup your existing `.htaccess` file
- Open your `.htaccess` file (in the WordPress root directory)
- Add this code at the top (before the WordPress rewrite rules)
- Save and test your site thoroughly
Testing
- Check all pages, forms, and admin area
- Open browser console (F12) and look for CSP errors
- Test contact forms and login functionality
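To complement the manual checks above, here is an added Python helper (not part of the original snippet) that parses a raw response header block, for example the output of `curl -sI https://example.com/`, and reports which of the headers this `.htaccess` sets are missing or weaker than configured. The two sample responses are constructed for illustration.

```python
"""Audit an HTTP response header block against the WordPress .htaccess policy above."""
import re

# Headers the snippet sets with a fixed value (compared case-insensitively)
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-permitted-cross-domain-policies": "none",
}
MIN_HSTS_AGE = 31536000  # one year, as configured in the snippet

def parse_headers(raw):
    """Parse raw header lines into {lowercase-name: [values]}; repeats (Set-Cookie) are kept."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings; an empty list means the policy is fully applied."""
    h = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name, [""])[0]
        if got.lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < MIN_HSTS_AGE or "includesubdomains" not in hsts.lower():
        findings.append(f"strict-transport-security: weak or missing ({hsts!r})")
    for cookie in h.get("set-cookie", []):
        # attribute names after the name=value pair, e.g. {"path", "httponly", "secure", "samesite"}
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for required in ("httponly", "secure", "samesite"):
            if required not in attrs:
                findings.append(f"set-cookie {cookie.split('=')[0]}: missing {required}")
    if "x-powered-by" in h:
        findings.append("x-powered-by: still disclosed")
    return findings

# Constructed sample responses: one with the snippet applied, one from an unprotected site
GOOD = ("HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\nX-Content-Type-Options: nosniff\n"
        "Referrer-Policy: strict-origin-when-cross-origin\nX-Permitted-Cross-Domain-Policies: none\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"
        "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; HTTPOnly; Secure; SameSite=Lax\n")
BAD = ("HTTP/1.1 200 OK\nX-Powered-By: PHP/8.2\nX-Frame-Options: DENY\n"
       "Strict-Transport-Security: max-age=300\nSet-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, audit(raw) or "policy fully applied")
```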
Features
- ✅ Allows all HTTPS embeds (YouTube, X, Google Maps, etc.)
- ✅ No manual domain whitelisting needed
- ✅ Secure cookies with HTTPOnly & SameSite
- ✅ HSTS protection (forces HTTPS for 1 year)
- ✅ XSS & clickjacking protection
- ✅ Works with all popular themes & plugins