Enable HSTS on WordPress
HTTP Strict Transport Security (HSTS) on your WordPress website enhances security by instructing browsers to only load your site over HTTPS, provided a valid SSL certificate is present. Beyond fostering user trust, HSTS actively defends against man-in-the-middle attacks.
This guide assumes:
- You have an active SSL certificate with automatic renewals.
- Your website is hosted with us or is running under Apache or LiteSpeed.
To enable HSTS on WordPress, follow these detailed steps:
Step 1: Access Your Site via FTP or WordPress File Manager
- Login to your preferred FTP client or access your WordPress File Manager.
Step 2: Locate and Edit the .htaccess File
- Navigate to the root directory of your website, typically found in public_html if you’re using cPanel.
- Open the .htaccess file for editing.
Step 3: Append the Necessary Code
Depending on whether your website uses www or non-www, append the relevant code snippets to your .htaccess file to set up the correct 301 redirects and activate HSTS.
For www websites:
```apache
# Enable the rewrite engine (needed once per .htaccess; harmless if the
# WordPress block already contains it)
RewriteEngine On
# Set HSTS env var only if HTTPS
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=HSTS:1]
# Redirect HTTP to HTTPS on the same host
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect non-www to www (HTTPS only)
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Set HSTS header only if the request came in over HTTPS (based on the HSTS env var)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HSTS
```
For non-www websites:
```apache
# Enable the rewrite engine (needed once per .htaccess; harmless if the
# WordPress block already contains it)
RewriteEngine On
# Set HSTS env var only if HTTPS
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=HSTS:1]
# Redirect HTTP to HTTPS on the same host
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect www to non-www (HTTPS only); %1 is the host captured without the
# leading "www." so the redirect does not loop back to the same URL
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
# Set HSTS header only if the request came in over HTTPS (based on the HSTS env var)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HSTS
```
Step 4: Submit Your Website for HSTS Preload List Inclusion
Once you have configured HSTS:
- Submit your website to hstspreload.org. This adds your domain to a list of pre-loaded HSTS sites in Google Chrome, ensuring broader browser support.
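Before submitting, it is worth confirming that the rules above produce exactly what the preload list requires: a 301 from plain HTTP to HTTPS on the same host, no HSTS header on the plain-HTTP response, and an HTTPS response carrying max-age of at least one year plus includeSubDomains and preload. The following Python check is an added example, not part of this guide or of hstspreload.org's tooling; the Response tuple, the example.com host and the sample header values are constructed stand-ins for real fetched responses.

```python
import re
from collections import namedtuple

ONE_YEAR = 31536000  # smallest max-age hstspreload.org accepts
# Stand-in for a fetched HTTP response (constructed for this example, not fetched).
Response = namedtuple("Response", "url status headers")


def parse_sts(value):
    """Split an STS header value into (max_age, includeSubDomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            max_age = int(m.group(1)) if m else None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def check_hsts(http_resp, https_resp):
    """Return the list of problems found; an empty list means preload-ready."""
    problems = []
    host = http_resp.url.split("/")[2]
    location = http_resp.headers.get("Location", "")
    # The preload list requires plain HTTP to 301 to HTTPS on the same host.
    if http_resp.status != 301 or not location.startswith("https://" + host):
        problems.append("HTTP does not 301-redirect to HTTPS on the same host")
    # Browsers ignore HSTS over plain HTTP; seeing it there means the env= gate is wrong.
    if "Strict-Transport-Security" in http_resp.headers:
        problems.append("HSTS header is sent over plain HTTP")
    sts = https_resp.headers.get("Strict-Transport-Security")
    if sts is None:
        return problems + ["no Strict-Transport-Security header over HTTPS"]
    max_age, include_sub, preload = parse_sts(sts)
    if max_age is None or max_age < ONE_YEAR:
        problems.append("max-age must be at least %d seconds" % ONE_YEAR)
    if not include_sub:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")
    return problems


# Constructed sample: the responses the guide's .htaccess rules should produce.
GOOD_HTTP = Response("http://example.com/", 301, {"Location": "https://example.com/"})
GOOD_HTTPS = Response("https://example.com/", 200,
                      {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
```

To run it against a live site, build the two Response values from the headers returned by curl -I for the http:// and https:// URLs of the bare domain. Because includeSubDomains commits every subdomain to HTTPS, run the same check on each subdomain before submitting.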
Conclusion
You’ve successfully enabled HTTP Strict Transport Security (HSTS) on your WordPress website, enhancing both security and user trust.