Implementing website security correctly is critical, and HTTP Strict Transport Security (HSTS) is part of that. There are different ways to secure a small-business website; one of them is to enable the HSTS security header on your HTTPS website to protect your visitors from attackers.
HTTP Strict Transport Security (HSTS) is a web security mechanism that protects websites against man-in-the-middle attacks and cookie hijacking. It lets a web server instruct browsers to use only encrypted HTTPS connections to the site instead of unencrypted HTTP connections. This prevents an attacker from downgrading a visitor to plain HTTP and tricking them into thinking they are still talking to your website, and it prevents a session cookie from being stolen over an HTTP connection.
To enable HTTP Strict Transport Security in your WordPress website, add the following code to your child theme's functions.php file. If you are not using a child theme, use the Code Snippets plugin instead; otherwise future theme updates will overwrite your code.

```php
// Send the HSTS header on HTTPS responses only; browsers ignore it when it arrives over plain HTTP.
function tg_enable_strict_transport_security_hsts_header_wordpress() {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
    }
}
add_action( 'send_headers', 'tg_enable_strict_transport_security_hsts_header_wordpress' );
```

In addition, you will need to preload HSTS by submitting your website on the HSTS preloading website. This form is used to submit domains for inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list. Firefox, Opera, Safari, IE 11 and Edge also have HSTS preload lists based on the Chrome list.
To be accepted to the HSTS preload list, your website must satisfy the following requirements:
Once you have added the code, you can check whether HSTS is working on your website with the SSL Server Test by Qualys by entering your website URL. It is a free online service that analyzes the configuration of any SSL web server on the Internet. You will see the following in your result.
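If you would rather verify the header yourself before submitting to the preload list or running the Qualys test, the following Python script is an added example (not code from the original post) that parses a Strict-Transport-Security header value and checks it against the preload-list requirements that the page's header already satisfies: a max-age of at least 31536000 seconds (one year, the minimum hstspreload.org accepts), the includeSubDomains directive and the preload directive. The sample header values at the bottom are constructed; in practice you would take the value from a real HTTPS response (for example with `curl -sI https://example.com`, a placeholder domain).

```python
"""Check a Strict-Transport-Security header value for HSTS preload readiness."""
import re

# Minimum max-age accepted by the HSTS preload list: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Split an HSTS header value into a {directive_name: value} dict.

    Directive names are case-insensitive (RFC 6797). Whitespace around
    names, values and '=' is tolerated, so 'max-age= 31536000' still parses.
    RFC 6797 requires each directive to appear at most once, so a repeated
    directive is treated as an error rather than silently overwritten.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def check_preload_ready(header_value, served_over_https=True):
    """Return a list of problems; an empty list means the header is preload-ready.

    header_value is the raw header value (None if the header was absent);
    served_over_https says whether the response carrying it was HTTPS,
    because browsers ignore HSTS headers received over plain HTTP.
    """
    problems = []
    if not served_over_https:
        problems.append("header sent over plain HTTP; browsers ignore it there")
    if header_value is None:
        return problems + ["no Strict-Transport-Security header"]
    try:
        directives = parse_hsts(header_value)
    except ValueError as exc:
        return problems + [str(exc)]
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE} (one year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


# Constructed sample header values for demonstration (not captured from a real site).
SAMPLES = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "sloppy_but_ok": "max-age= 31536000; includeSubDomains; preload",
    "short": "max-age=86400; includeSubDomains; preload",
    "no_preload": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {check_preload_ready(value) or 'OK'}")
```

The checker deliberately reports every problem it finds rather than stopping at the first one, so a single run tells you everything that needs fixing in the header before the preload submission form will accept the domain.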
Good job! You have just enabled HSTS on your website. From now on, your website will be protected against man-in-the-middle attacks and cookie hijacking for enhanced website security.