Security Headers & Caching

User Documentation - Version 7.4

WordPress Plugin for Security Headers and Caching Management

Table of Contents

1. Introduction

Security Headers & Caching is a professional WordPress plugin developed by Studio Be4 to improve your website's security and performance through the implementation of HTTP Security Headers and intelligent cache management.

What are Security Headers?

Security Headers are HTTP headers that the server sends to the browser to communicate how to handle the site's content. They help protect against common attacks such as Cross-Site Scripting (XSS), Clickjacking, and Code Injection.

Key Features

2. Installation

Automatic Installation (Recommended)

  1. Log in to your WordPress admin panel
  2. Go to Plugins → Add New
  3. Search for "Security Headers & Caching"
  4. Click "Install Now"
  5. After installation, click "Activate"

Manual Installation

  1. Download the plugin ZIP file
  2. Log in to your WordPress admin panel
  3. Go to Plugins → Add New → Upload Plugin
  4. Select the downloaded ZIP file and click "Install Now"
  5. After installation, click "Activate"

FTP Installation

  1. Download and extract the plugin ZIP file
  2. Upload the security-headers-caching folder to /wp-content/plugins/
  3. Log in to your WordPress admin panel
  4. Go to Plugins and activate "Security Headers & Caching"

3. Configuration

After activating the plugin, follow these steps to configure it:

  1. In the WordPress menu, click on "Security Headers"
  2. On the configuration page you will see all available options
  3. Enable the security headers you want to use
  4. Configure the policies according to your needs
  5. Set the cache duration (optional)
  6. Click "Save Settings"

Recommended Configuration

For most websites, we recommend enabling all security headers with the default settings. These settings offer a good balance between security and compatibility.

Configuration Options

Option                          Description                                    Default Value
------------------------------  ---------------------------------------------  -------------------------------
Enable Security Headers         Master switch to enable/disable all headers    Enabled
Enable HSTS                     Enable Strict-Transport-Security               Enabled
Enable XSS Protection           Enable X-XSS-Protection                        Enabled
Enable X-Frame-Options          Prevents clickjacking                          Enabled
Enable X-Content-Type-Options   Prevents MIME sniffing                         Enabled
Content Security Policy         Custom CSP policy                              upgrade-insecure-requests
Referrer Policy                 Control referrer information                   strict-origin-when-cross-origin
Permissions Policy              Control browser permissions                    geolocation=self
Cache Duration                  Cache duration in seconds                      0 (disabled)

4. Security Headers Explained

X-Powered-By

Automatically removes the X-Powered-By header which reveals information about the server and technology being used. This prevents targeted attacks based on known vulnerabilities of specific software versions.

Content-Security-Policy (CSP)

Controls which resources can be loaded on your site. Prevents XSS (Cross-Site Scripting) attacks by limiting the execution of unauthorized scripts.

Advanced configuration example:
default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com; style-src 'self' 'unsafe-inline'

Strict-Transport-Security (HSTS)

Forces browsers to use only HTTPS connections. Protects against man-in-the-middle attacks and protocol downgrade.

⚠️ Warning: Only enable HSTS if your site has a valid and working SSL certificate. Once enabled, browsers will remember this setting for 1 year.

X-XSS-Protection

Enables the XSS filter built into older browsers. Although deprecated in modern browsers in favor of CSP, it still provides additional protection for legacy browsers.

X-Frame-Options

Prevents clickjacking by preventing your site from being embedded in iframes on other domains. The plugin automatically sets this header to SAMEORIGIN.

X-Content-Type-Options

Prevents MIME sniffing: browsers are stopped from interpreting a file as a type other than its declared MIME type. Protects against attacks based on malicious file uploads.

Referrer-Policy

Controls how much referrer information is shared when users navigate from your site to other sites.

Available options:

Permissions-Policy

Controls which browser features and APIs can be used on your site. Helps prevent unauthorized use of features like geolocation, microphone, camera, etc.

Example: geolocation=(), microphone=(), camera=() completely blocks access to these features.

5. Cache Management

The plugin offers granular control over browser cache through Cache-Control headers.

Cache Configuration

In the Cache Duration field you can specify how long (in seconds) the browser should cache your site's resources.

Value      Duration   Recommended Use
---------  ---------  -----------------------------------------------------
0          Disabled   Development sites or sites with very dynamic content
3600       1 hour     Sites with frequent updates
86400      1 day      Sites with relatively static content
604800     1 week     Static resources (images, CSS, JS)
2592000    1 month    Content that rarely changes

Recommendation

For most WordPress sites, a cache duration of 3600 seconds (1 hour) or 86400 seconds (1 day) offers a good balance between performance and content updates.

6. Testing Your Configuration

After configuring the plugin, it's important to verify that the security headers are implemented correctly.

Recommended Testing Tools

1. Security Headers (securityheaders.com)

  1. Visit https://securityheaders.com
  2. Enter your site URL
  3. Click "Scan"
  4. Analyze the report and score (goal: A or A+)

2. Mozilla Observatory

  1. Visit https://observatory.mozilla.org
  2. Enter your site URL
  3. Click "Scan Me"
  4. Review the detailed results and recommendations

3. Browser Developer Tools

  1. Open your site in the browser
  2. Press F12 to open developer tools
  3. Go to the "Network" tab
  4. Reload the page (F5)
  5. Click on the first request (the main document)
  6. In the "Headers" section, verify the presence of security headers in "Response Headers"
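The developer-tools check above, automated as an added example that is not part of the plugin or this guide: a Python checker that compares a captured set of response headers against the recommended configuration from section 3, parses the CSP string from section 4 into its directives, and flags 'unsafe-inline' in script-src (the compatibility fallback the troubleshooting section mentions) because it weakens CSP's XSS protection. Both header sets are constructed samples; the cache duration is passed in so the Cache-Control check matches your own setting.

```python
import re

# Constructed sample: the response headers a correctly configured site sends
# (what the browser's "Response Headers" panel or `curl -I` would show).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=self",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.google-analytics.com",
    "Cache-Control": "max-age=3600",
}

# Constructed sample of a misconfigured site: HSTS missing, X-Powered-By still
# leaked by the server, and inline scripts allowed by the CSP.
BAD_HEADERS = {**GOOD_HEADERS, "X-Powered-By": "PHP/8.1",
               "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
del BAD_HEADERS["Strict-Transport-Security"]

REQUIRED = ("strict-transport-security", "x-frame-options", "x-content-type-options",
            "content-security-policy", "referrer-policy", "permissions-policy")

def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}; directives are ';'-separated."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def check_headers(headers, cache_seconds=3600):
    """Return a list of findings; an empty list means the recommended set is in place."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    if "x-powered-by" in h:
        findings.append("x-powered-by is still sent")
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if "strict-transport-security" in h and (not hsts or int(hsts.group(1)) < 31536000):
        findings.append("hsts max-age shorter than 1 year")
    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
    if "'unsafe-inline'" in script_src:
        findings.append("csp allows inline scripts ('unsafe-inline')")
    cache = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    if cache_seconds and (not cache or int(cache.group(1)) != cache_seconds):
        findings.append(f"cache-control max-age is not {cache_seconds}")
    return findings
```

To check a live site, fill the dictionary from the headers shown in the Network tab (or from `curl -I`) and call check_headers with the Cache Duration you configured.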

7. Troubleshooting

Headers are not being applied

Solution:

  1. Verify that the plugin is activated
  2. Make sure the "Enable Security Headers" option is enabled
  3. Clear browser cache (Ctrl+Shift+Delete)
  4. If using a caching plugin, also clear WordPress cache
  5. Check for conflicts with other security plugins that manage headers

Site doesn't work after enabling CSP

Solution:

  1. Content Security Policy can block unauthorized scripts and styles
  2. Start with a permissive policy: upgrade-insecure-requests
  3. Use browser developer tools to see which resources are being blocked
  4. Gradually add the necessary CSP rules for your theme and plugins
  5. Consider using 'unsafe-inline' if needed for compatibility

SSL errors after enabling HSTS

Solution:

  1. HSTS requires a valid and working SSL certificate
  2. Verify that your site is completely accessible via HTTPS
  3. Check for mixed content (HTTP on HTTPS pages)
  4. If the problem persists, temporarily disable HSTS
  5. Contact your hosting provider to verify SSL configuration

Site is slow after configuring cache

Solution:

  1. Try reducing the cache duration
  2. Check for conflicts with other caching plugins
  3. Verify server/CDN settings
  4. Use tools like GTmetrix or PageSpeed Insights to identify the issue

8. Frequently Asked Questions (FAQ)

Does the plugin slow down my site?

No, security headers are lightweight and add negligible overhead. The caching feature can actually improve site performance.

Is it compatible with my hosting?

Yes! The plugin is designed to work with all hosting providers (Aruba, SiteGround, Bluehost, WP Engine, etc.) since it uses native WordPress hooks.

Can I use it with other security plugins?

Yes, Security Headers & Caching is designed to work alongside other security plugins. It focuses specifically on HTTP headers.

What happens if I deactivate the plugin?

Security headers will stop being sent, but your settings will be preserved. If you reactivate the plugin, previous settings will be restored.

What happens if I delete the plugin?

All plugin settings and data are automatically removed from the database. It leaves no traces in your WordPress installation.

Can I customize headers for developers?

Yes! The plugin provides the shc_security_headers filter that allows developers to modify headers programmatically.

// Add a custom header through the shc_security_headers filter
// (place in your theme's functions.php or a site-specific plugin).
add_filter( 'shc_security_headers', function( $headers ) {
    // $headers is an associative array of header name => value
    $headers['X-Custom-Header'] = 'custom-value';
    return $headers;
} );

Is it compatible with WordPress Multisite?

Yes, the plugin is fully compatible with WordPress multisite installations.

How do I get an A+ score on securityheaders.com?

To get an A+ score, you need to:

9. Support

Need Help?

Studio Be4 offers technical support for the Security Headers & Caching plugin:

Before Contacting Support

For a faster response, please prepare the following information:

Additional Resources