How to Enable the HSTS Header on WordPress?


Throughout this guide, you'll learn how to enable HTTP Strict Transport Security (HSTS) on a WordPress based website.

The HSTS header tells browsers that, for the number of seconds given in max-age, they must only connect to your site over HTTPS: every http:// link is upgraded before the request leaves the browser, and a certificate error becomes a hard failure the user cannot click through.

Beyond conveying a trust factor, it is an active protection against a class of man-in-the-middle attacks, most notably SSL stripping, where an attacker on the network path keeps the victim on plain HTTP in order to read or alter the traffic. Note that the header only takes effect after a browser has already completed one HTTPS visit; preloading (step 4) closes that gap for first-time visitors.

This article presupposes that you have a valid SSL/TLS certificate, premium or free, with automatic renewal, and that your website is either hosted with us or running under Apache or LiteSpeed with .htaccess overrides enabled (the snippets below need mod_rewrite and mod_headers). Automatic renewal matters: once HSTS is active, an expired certificate makes the site unreachable in every browser that remembers the policy, with no way for visitors to bypass the warning.

To proceed, follow the steps below:

1 - Log in with your favorite FTP client or the WordPress file manager

2 - Open the .htaccess file at the root of your website folder (public_html on cPanel); create it if it does not exist

3 - Add the following block ABOVE the "# BEGIN WordPress" section. WordPress's own rewrite rules end with the [L] flag, so rules placed after them are never reached for pretty-permalink requests. The block sends 301 redirects to HTTPS and to your canonical hostname, and sets the HSTS header on HTTPS responses only:

For www websites (canonical host www.example.com):

RewriteEngine On

# Set the HSTS env var only if the request came in over HTTPS
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=HSTS:1]

# Redirect HTTP to HTTPS on the same host (required by hstspreload.org)
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect non-www to www (the request is already HTTPS at this point)
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Send the HSTS header only on HTTPS responses (gated on the HSTS env var)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HSTS


For non-www websites (canonical host example.com):

RewriteEngine On

# Set the HSTS env var only if the request came in over HTTPS
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=HSTS:1]

# Redirect HTTP to HTTPS on the same host (required by hstspreload.org)
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect www to non-www (the request is already HTTPS at this point).
# %1 is the host with the leading "www." captured away; redirecting to
# %{HTTP_HOST} here would loop forever, because that still begins with www.
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

# Send the HSTS header only on HTTPS responses (gated on the HSTS env var)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HSTS


4 - Before submitting anything, verify with a browser or curl that HTTPS responses carry the header and that plain-HTTP responses return a 301 to the https:// URL of the same host without it. Consider running with a short max-age (for example 300) and without the preload directive for a few days first: HSTS cannot be switched off remotely once browsers have cached it, and because of includeSubDomains every subdomain (mail., dev., intranet hosts) must be reachable over HTTPS. When everything works, raise max-age to at least one year (63072000 is two years), add preload, and submit your domain at https://hstspreload.org/. It will be added to the hardcoded list of domains shipped with Google Chrome; Firefox, Safari and Edge derive their own lists from it. Preloading is effectively permanent, since removal takes months to propagate, so only submit once you are committed to HTTPS on the whole domain.
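To check a deployment offline before the hstspreload.org submission, here is an added example in Python (not code from the original guide) that validates captured response headers against the preload rules described above: the header present on HTTPS responses with a max-age of at least one year plus includeSubDomains and preload, and on plain HTTP a 301 to the same host with no header. The responses embedded in it are constructed, not captured from a real host, and the hostname www.example.com and the curl invocations mentioned in the comments are assumptions; for a real check, feed it the output of "curl -sI https://www.example.com/" and "curl -sI http://www.example.com/".

```python
"""Offline check of the headers an HSTS-enabled site should return.

Added example, not part of the original guide. Validates a raw HTTP head
(for instance the output of `curl -sI https://www.example.com/`) against
the rules hstspreload.org enforces. All sample responses below are
constructed; www.example.com is an assumed hostname.
"""

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org


def parse_headers(raw):
    """Return (status_code, {lowercase_name: value}) from a raw HTTP head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Split an STS field value into lowercase directives (RFC 6797 syntax)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(raw_response, over_https, host):
    """Return a list of problems; an empty list means the response passes."""
    status, headers = parse_headers(raw_response)
    problems = []
    sts = headers.get("strict-transport-security")

    if not over_https:
        # Plain HTTP must 301 to the same host over HTTPS. Browsers ignore
        # STS received over HTTP, so sending it there is a misconfiguration.
        location = headers.get("location", "")
        if status not in (301, 308) or not location.lower().startswith("https://" + host.lower()):
            problems.append("HTTP request is not redirected to https://%s" % host)
        if sts is not None:
            problems.append("STS header sent over plain HTTP")
        return problems

    if sts is None:
        problems.append("no Strict-Transport-Security header on the HTTPS response")
        return problems

    d = parse_hsts(sts)
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not numeric")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age %s is below one year" % d["max-age"])
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


# Constructed responses (not captured from a real host).
HTTPS_GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Type: text/html; charset=UTF-8
"""

HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0
"""

HTTPS_SHORT = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
"""

if __name__ == "__main__":
    samples = [("https", HTTPS_GOOD, True), ("http", HTTP_REDIRECT, False), ("short", HTTPS_SHORT, True)]
    for label, raw, https in samples:
        print(label, check_hsts(raw, https, "www.example.com") or "OK")
```

The "short" sample is what a site looks like during the trial period suggested in step 4: it passes in browsers but would be rejected by hstspreload.org until max-age is raised and the two directives are added.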

That's it! Your WordPress website now enforces HTTP Strict Transport Security (HSTS).

