How to Enable the HSTS Header on WordPress?

Throughout this guide, you'll learn how to enable HTTP Strict Transport Security (HSTS) on a WordPress-based website.

The HSTS header instructs browsers to load your website only over HTTPS, and only while it presents a valid certificate.

On top of conveying trust, it is an active protection against some "man-in-the-middle" attack vectors.

This article presupposes that you have an active SSL certificate, either premium or free but with automatic renewal, and that your website is either hosted with us or running under Apache or LiteSpeed.

To proceed, follow the steps below:

1 - Log in to your favorite FTP client or the WordPress File Manager

2 - Open the .htaccess file at the root of your website folder (public_html if cPanel)

3 - Append the following code, which sets the right 301 redirection and activates HSTS:

For www websites:

# Enable the rewrite engine (harmless if WordPress already enabled it above)
RewriteEngine On

# Set HSTS env var only if HTTPS
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=HSTS:1]

# Redirect HTTP to HTTPS on the same host
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect non-www to www (HTTPS only, since HTTP requests were already redirected above)
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Set HSTS header conditionally if request is over HTTPS only (based on HSTS env var)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HSTS


For non-www websites:

# Enable the rewrite engine (harmless if WordPress already enabled it above)
RewriteEngine On

# Set HSTS env var only if HTTPS
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=HSTS:1]

# Redirect HTTP to HTTPS on the same host
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect www to non-www (HTTPS only, since HTTP requests were already redirected above)
# %1 is the host captured by the RewriteCond without its leading "www."
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

# Set HSTS header conditionally if request is over HTTPS only (based on HSTS env var)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HSTS


4 - You may now submit your website at https://hstspreload.org/. This adds your domain to the hardcoded list of HSTS-supporting domains shipped with Google Chrome; the list is replicated by other browsers as well.
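Before submitting, it is worth confirming what the server actually sends. The following script is an added example, not part of the original article: it extracts the Strict-Transport-Security header from a raw response-header dump and checks it against the hstspreload.org requirements (a max-age of at least 31536000 seconds, plus the includeSubDomains and preload directives). The response headers embedded in it are constructed, and example.com in the usage comment is a placeholder for your own domain.

```shell
#!/bin/sh
# Added example, not from the original article: verify the HSTS header a site
# returns against the hstspreload.org submission requirements
# (max-age >= 31536000 seconds, includeSubDomains and preload present).
# Inputs are raw HTTP response headers; the sample below is constructed.

# hsts_from_headers: read raw response headers on stdin and print the value of
# the first Strict-Transport-Security header (prints nothing if absent).
hsts_from_headers() {
    tr -d '\r' | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:[[:space:]]*//p' | head -n 1
}

# check_hsts VALUE: print every unmet requirement; return 0 only when all are met.
check_hsts() {
    value="$1"
    status=0
    # Directive names are case-insensitive; drop spaces so "; " and ";" compare equal.
    norm=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' ')
    # Pull the numeric max-age out of the ';'-separated directive list.
    max_age=$(printf '%s\n' "$norm" | tr ';' '\n' | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ -z "$max_age" ]; then
        echo "missing or malformed max-age"
        status=1
    elif [ "$max_age" -lt 31536000 ]; then
        echo "max-age=$max_age is below the one-year minimum of 31536000"
        status=1
    fi
    case ";$norm;" in
        *";includesubdomains;"*) ;;
        *) echo "missing includeSubDomains"; status=1 ;;
    esac
    case ";$norm;" in
        *";preload;"*) ;;
        *) echo "missing preload"; status=1 ;;
    esac
    return "$status"
}

# Constructed sample of what a correctly configured server answers over HTTPS.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Type: text/html; charset=UTF-8'

# Stand-alone demonstration on the constructed sample. For a live site use:
#   curl -sI https://www.example.com/ | hsts_from_headers
# (example.com is a placeholder for your own domain).
value=$(printf '%s\n' "$SAMPLE_HEADERS" | hsts_from_headers)
if check_hsts "$value"; then
    echo "preload-ready: $value"
else
    echo "not preload-ready: $value"
fi
```

Run the live form twice, once against the bare domain and once against the www host, because hstspreload.org evaluates the base domain and expects the header on every HTTPS response, while a plain HTTP request must answer only with a redirect to HTTPS on the same host and no HSTS header at all.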

That's it! Your WordPress website now supports HTTP Strict Transport Security (HSTS).

  • wordpress, security, https, hsts