How to Enable the HSTS Header on WordPress?


Throughout this guide, you'll learn how to enable HTTP Strict Transport Security (HSTS) on a WordPress-based website.

The HSTS header instructs browsers to load your website only over HTTPS with a valid certificate: once a browser has seen the header, it rewrites plain http:// requests to https:// by itself and no longer lets the user click through certificate errors.

On top of conveying a trust factor, it is an active protection against some man-in-the-middle attack vectors, because the browser never sends the initial plain-HTTP request that such attacks rely on intercepting.

This article presupposes that you have an active SSL certificate, either premium or free, with automatic renewal (this matters: with HSTS in force, an expired certificate makes the site unreachable rather than merely showing a warning), and that your website is either hosted with us or running under Apache or LiteSpeed.

To proceed, follow the steps below:

1 - Log in with your favourite FTP client or the WordPress file manager.

2 - Open the .htaccess file at the root of your website folder (public_html on cPanel).

3 - Add the following code, which sets the right 301 redirections and activates HSTS. Place it above the "# BEGIN WordPress" block: WordPress's own rewrite rules end with an [L] flag and would otherwise keep these rules from running on permalink URLs.

For www websites:

# Enable mod_rewrite (harmless if the WordPress block already does so)
RewriteEngine On

# Set the HSTS env var only if the request came in over HTTPS
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=HSTS:1]

# Redirect HTTP to HTTPS on the same host
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect non-www to www (HTTPS only, since plain HTTP was already redirected above)
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Send the HSTS header only on HTTPS responses (based on the HSTS env var); requires mod_headers
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HSTS


For non-www websites:

# Enable mod_rewrite (harmless if the WordPress block already does so)
RewriteEngine On

# Set the HSTS env var only if the request came in over HTTPS
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=HSTS:1]

# Redirect HTTP to HTTPS on the same host
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect www to non-www (HTTPS only, since plain HTTP was already redirected above);
# %1 is the host name captured without its "www." prefix
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

# Send the HSTS header only on HTTPS responses (based on the HSTS env var); requires mod_headers
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HSTS


4 - You may now submit your website at https://hstspreload.org/. This adds your domain to the list of HSTS domains hard-coded into Google Chrome, which the other major browsers also consume. Submission requires the header above on the HTTPS version of the bare domain (max-age of at least one year, includeSubDomains and preload) plus a redirect from HTTP to HTTPS on the same host, both of which the rules from step 3 provide. Keep in mind that includeSubDomains commits every subdomain to HTTPS, and that leaving the preload list again takes months to reach users, so check all your subdomains before submitting.
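A verification step, added here as an example and not part of the original article: it checks a live site's Strict-Transport-Security header and its plain-HTTP redirect against the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload, and a 301 from http://host/ to https://host/ on the same host). The function names and the hostname passed to check_site are assumptions.

```python
# Checks a site's Strict-Transport-Security header and plain-HTTP redirect against the
# hstspreload.org rules: max-age >= 1 year, includeSubDomains, preload, 301 to https://host/.
import urllib.error
import urllib.request
from typing import List, Optional

ONE_YEAR = 31536000  # smallest max-age (seconds) hstspreload.org accepts


def hsts_problems(header: Optional[str]) -> List[str]:
    """List everything in the header value that would block preload submission."""
    if not header:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for item in header.split(";"):  # e.g. 'max-age=63072000; includeSubDomains; preload'
        name, _, value = item.strip().partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


def redirect_problems(status: int, location: Optional[str], host: str) -> List[str]:
    """Preload rule: http://host/ must answer 301 with a same-host https:// Location."""
    if status == 301 and location and location.startswith(f"https://{host}/"):
        return []
    return [f"http://{host}/ answered {status} with Location {location!r}"]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report redirects as HTTPError instead of silently following them."""
    def redirect_request(self, *args, **kwargs):
        return None


def check_site(host: str) -> List[str]:
    """Live check (needs network): the plain-HTTP redirect, then the header over HTTPS."""
    try:
        urllib.request.build_opener(NoRedirect()).open(f"http://{host}/", timeout=10)
        status, location = 200, None  # no redirect at all
    except urllib.error.HTTPError as err:
        status, location = err.code, err.headers.get("Location")
    with urllib.request.urlopen(f"https://{host}/", timeout=10) as resp:
        header = resp.headers.get("Strict-Transport-Security")
    return redirect_problems(status, location, host) + hsts_problems(header)
```

Call check_site("www.example.com") with your own hostname (a constructed placeholder here); an empty list means the configuration from step 3 is in place and the domain meets the preload requirements.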

That's it! Your WordPress website now supports HTTP Strict Transport Security (HSTS).
