How To Add Security Headers + More New Defender Features


Defender’s back in the ring for round 2.2.2. And he’s coming in hot with three brand new security features – all specifically designed to lay the smackdown on cowardly hackers and bots.

Your website’s safety is at stake, so let’s not delay.

Defender 2.2.2 recently entered the ring complete with a brand new set of knockout security features.

And in this article we’re shining the spotlight on three of the standouts:

  1. HTTP Security Headers
  2. Prevent User Enumeration
  3. Block WordPress Rest API

I’ll also be showing you how easy it is to instantly arm your website with these new weapons.

Because the truth of the matter is, if you’re not constantly updating your site’s security, you’re playing with fire.

Every day hackers and criminals are finding new ways to exploit even the most ‘secure’ of websites.

And if you’re not up with the latest website security measures, you’re leaving your site vulnerable.

That’s Where This Large Wrestler Dude Steps In…


Defender Pro is all you need for a safer website

New Round Here?

Meet Defender, our premier security plugin and your personal [internet] crime fighting machine (he’s not as scary as he looks, unless you’re an evil hacker).

Hackers… Brute force attacks… Malicious bots…

They’re all no match for Defender’s mighty WordPress security shields and cloaking technology.

Tag-team with this plugin for instant access to: user security scans, vulnerability reports, two-factor authentication, safety recommendations, and tons more!

The point is…

Defender Has The Scariest Web Villains Squirming

And in its latest update, this robust plugin adds even more notches to its heavyweight security belt.

The best part?

Enforcing most of them takes no more than a click of a button.

But before we press on, PSA:

All of the features covered in this article are only available with Defender Pro (as opposed to the free version of Defender).

A WPMU DEV membership gives you full access to this, and all of our other award-winning premium WordPress plugins. There’s also a free trial (100% risk-free) – so you’re welcome to try before you buy.

But as I said earlier, the safety of your website depends on this – so on to the barnstorming features!

Hit Hackers Where It Hurts: HTTP Security Headers

Much like relationships, communication is one of the keys to a safer and more secure website.

And effective communication is what HTTP security headers do best.

In simple terms, these head-butting headers talk to web browsers and tell them how to act during interactions with your website, helping to double down on your security and prevent malicious attacks.

HTTP security headers come in various shapes and sizes (I cover each below) – all safeguarding you against different types of attacks.

They’re also super easy to add to your website. And like most Defender features – they’re literally a click away from being instantly weaponized.

*This security feature was originally requested by our WPMU DEV community member Gary. Thanks again for your input Gary!

How To Activate Defender’s HTTP Security Headers

From the Defender dashboard, find the “Security Tweaks” section (you can’t miss it!). You’ll see a preview list of the security tweaks Defender recommends for your website.

Either click one of these, or click “view all.”

Start at the Defender dashboard

Alternatively, you can navigate to Security Tweaks directly via the side menu:

Or select security tweaks from the side menu

Once you’re through to the Security Tweaks page, you’ll see Defender points out the current security issues with your website.

Since security headers are a new feature, they’ll automatically appear on this list.

To activate a security header, start by clicking on one.

Click on a security header to enforce it

When you’ve clicked through you’ll then be given more info about each header.

Here’s an example of what you see when you click the “X-Content-Type-Options” header:

An example of one of the security headers

Like I said earlier, one click is all it takes.

Hit that “enforce” button and KAPOW! You’ve just beefed your security up a level.

Once you’ve enabled any header it’ll automatically be moved to the “Resolved” section of Security Tweaks.

You can also disable a security header here if needed.

Once security headers have been activated they become resolved

Alrighty, now that you know how to enforce security headers, let’s dive deeper into the headers themselves and what they do.

Meet Defender’s New ‘Heads’ Of Security:

1. X-Content-Type-Options Header

The X-Content-Type-Options header is quite the warrior, defending you against nasty MIME sniffing and XSS attacks.

An example of this is when a website allows users to upload content, but then, *PLOT TWIST*, the user disguises a specific file type as something else. Sneaky sneak!

This gives them a dangerous opportunity to perform cross-site scripting and compromise your website. You’ll definitely want to activate this puppy if your website allows users to upload content.

2. Feature-Policy Header

The Feature-Policy response header helps control which browser features can be used when web pages are embedded in iframes (HTML documents embedded inside other HTML documents on a website).

Examples of this include: Embedding an iframe where you don’t want the embedded site to have access to the visitors’ camera, or when unoptimized images are output to your website from a CMS.

This security header also gives you more options to prevent unwanted actions when your webpages are embedded elsewhere:


The feature policy header gives you extra options

3. Referrer-Policy Header

The Referrer-Policy HTTP header tells web browsers how to handle referrer information when a user clicks a link that leads to another page.

Referrer headers let website owners know where inbound visitors came from, but sometimes you might want to control or restrict the amount of information shown.

You can also choose what referrer information is sent along with requests:

Choose different options with this security header

4. Strict-Transport-Security Header

The HTTP Strict-Transport-Security header (HSTS) lets your website tell browsers that it should only be accessed over HTTPS (rather than HTTP).

This is especially important for sites that store and process sensitive information (e.g. eCommerce stores) and it helps to prevent “protocol downgrade” and “clickjacking” attacks.

You can also set your Transport-Security Header requirements (see below). This will convert all non-HTTPS links and will block insecure connections coming into your website.

A look at the strict transport header in action

5. X-Frame-Options Header

The X-Frame-Options HTTP header controls whether or not a browser can render a webpage inside a <frame>, <iframe>, or <object> tag.

This can help avoid clickjacking attacks by ensuring your content isn’t embedded into other websites.

Avoid clickjacking attacks with this security header

6. X-XSS-Protection Header

The X-XSS-Protection header stops pages from loading when it detects reflected cross-site scripting (XSS) attacks on Chrome, Safari, and more.

For the most part you don’t need this header in modern browsers, as most websites have a strong “Content-Security-Policy” that disables inline JavaScript.

But this header still protects users of older web browsers that don’t support CSP.

You can choose what level of X-XSS protection you would like to apply when XSS attacks are detected. Whether it’s sanitizing the page (removing unsafe parts), or blocking the attack completely.

Adjust your XSS header settings
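
To check the result once the headers are enforced, here is an added example (not part of the original article or of Defender itself): a Python audit of a raw response-header block for the six headers covered above, flagging missing or weak values. The sample response and the wording of the findings are constructed for illustration.

```python
import re

REFERRER_TOKENS = {"no-referrer", "no-referrer-when-downgrade", "origin",
                   "origin-when-cross-origin", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin", "unsafe-url"}

def check_hsts(value):
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    if not m:
        return "no max-age directive"
    return "max-age=0 switches HSTS off" if int(m.group(1)) == 0 else None

def check_referrer(value):
    # Browsers apply the last token they recognise in a comma-separated list.
    known = [t for t in (p.strip().lower() for p in value.split(","))
             if t in REFERRER_TOKENS]
    if not known:
        return "no recognised policy token"
    return "unsafe-url sends full URLs to every origin" if known[-1] == "unsafe-url" else None

# The six headers from the article; each check returns a problem string or None.
CHECKS = {
    "x-content-type-options": lambda v: None if v.lower() == "nosniff" else "only 'nosniff' is valid",
    "feature-policy": lambda v: None if v else "empty policy",
    "referrer-policy": check_referrer,
    "strict-transport-security": check_hsts,
    "x-frame-options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else "use DENY or SAMEORIGIN",
    "x-xss-protection": lambda v: None if v[:1] in ("0", "1") else "value must start with 0 or 1",
}

def audit(raw_response_headers):
    """Return {header: problem} for every missing or weak header."""
    lines = raw_response_headers.strip().splitlines()[1:]  # skip the status line
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in lines) if sep}
    return {name: ("missing" if name not in headers else check(headers[name]))
            for name, check in CHECKS.items()
            if name not in headers or check(headers[name])}

# Constructed sample response, for illustration only.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOW-FROM https://partner.example
Strict-Transport-Security: max-age=0
Referrer-Policy: strict-origin-when-cross-origin"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Paste in the header block from your browser’s network tab or a `curl -I` run against your own site in place of `SAMPLE`.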


We’re not done yet…

Here Are Two More Lethal Security Moves Defender’s Been Perfecting:

1. Catch Bots Off Guard With “Block WordPress Rest API”

The WordPress REST API allows your website to communicate with internal and external services and applications.

This allows developers to create single-page apps on top of WordPress. It also unlocks a whole world of opportunities (especially with Gutenberg).

However, if you’re not using any external services that require public access to the API, it’s potentially another access point for bots and hackers.

This security tweak lets you allow only authorized requests, which is recommended if you don’t require API access from third-party apps and software.

Alternatively, if you have external services that require API access you can ignore this security tweak.

This tweak also comes with a sliiight warning (dun dun duuun…).

It could prevent your website from working properly – so only activate this tweak if you know what you’re doing.

Like the security headers, the Block WordPress Rest API feature can be found in “Security Tweaks” and enforced in one click:

You can choose to block WordPress Rest API


2. Prevent User Enumeration And “KO” Brute Force Login Attempts

A common method for bots and hackers to access your website is to figure out login usernames and brute force the login area with a bunch of dummy passwords.

There are two sides to this hacking method. The passwords are random guesses and are harder to get. On the other hand, your username can be easily discovered, because WordPress redirects “?author=1” to “/author/username/.”

This security tweak locks down your website by preventing the redirect, making it much harder for bots to get your usernames.

You’ll find Prevent User Enumeration in “Security Tweaks,” and it can be activated with a click:

Defender can help with preventing user enumeration
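
One way to spot the “?author=N” probing described above in your own access logs, as an added example that is not part of the original article or the plugin: this Python sketch counts author-ID requests per client and how many of them were answered with a redirect. The log lines are constructed, and the combined log format and the `min_probes` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Client IP, request target and status code from a combined-format log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def author_probes(log_lines):
    """Per client: requests carrying a numeric ?author= and how many got a 3xx."""
    stats = defaultdict(lambda: {"probes": 0, "redirected": 0})
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        ids = parse_qs(urlsplit(target).query).get("author", [])
        if not any(v.isdigit() for v in ids):
            continue
        stats[ip]["probes"] += 1
        if status.startswith("3"):  # the redirect to /author/username/ was served
            stats[ip]["redirected"] += 1
    return dict(stats)

def flag_enumerators(log_lines, min_probes=2):
    """Clients that requested at least min_probes author IDs (assumed threshold)."""
    return sorted(ip for ip, s in author_probes(log_lines).items()
                  if s["probes"] >= min_probes)

# Constructed log lines, for illustration only.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2020:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "bot/1.0"',
    '203.0.113.7 - - [12/Mar/2020:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "bot/1.0"',
    '203.0.113.7 - - [12/Mar/2020:10:01:04 +0000] "GET /?author=3 HTTP/1.1" 404 512 "-" "bot/1.0"',
    '198.51.100.20 - - [12/Mar/2020:10:05:00 +0000] "GET /author/alice/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2020:10:07:00 +0000] "GET /?author=1 HTTP/1.1" 403 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    print(author_probes(SAMPLE_LOG))
    print(flag_enumerators(SAMPLE_LOG))
```

A client that still shows a non-zero `redirected` count after the tweak is switched on means the redirect is still being served to it.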


*Shoutout to WPMU DEV community members Richard and Michael for requesting this feature.

Sometimes Offense Is The Best [Security] Defense

It’s a scary internet world out there, and every day hackers and other despicable web villains are finding new ways to run amok with innocent people’s websites.

That’s why it’s important to ensure your website is well armed with the latest security features.

Thanks to Defender Pro’s newly introduced security headers, as well as the ability to block WordPress Rest API and user enumeration – your website is in safer hands than ever.

If you already have Defender Pro installed and you haven’t yet updated… get to it silly! Your website’s safety depends on it.

Now’s The Time To Get Defensive

Again, if you’re new around here and you want to beef up your website’s security with this plugin… the best place to start is by signing up for a free trial with WPMU DEV.

That way you can take the mighty Defender (as well as all of our other premium plugins) for a test drive first. If you’re not satisfied within the trial period, just cancel your sub and we’ll try to do better for you next time. No harm done.

(There’s also the free version of Defender if you’re not ready for that kind of commitment).

Special thanks to the amazing team (superheroes in their own right) that made Defender 2.2.2 possible:

Lead Developer: Hoàng Ngô, QA: Devendera Mishrades, and Lead Designer: Andy Crone.

Also be sure to check out our Product Roadmap to see what’s on the horizon for Defender in future updates.

How do you keep your website as safe and secure as possible? What kind of security features would you like to see from Defender in future? Happy with this new security headers feature? Let us know in the comments below.

Rick Crawshaw

Rick Crawshaw is a writer at WPMU DEV. Before joining the company and learning the ins and outs of WordPress web development, he worked as a freelance copywriter and marketer. You might also recognize his punny style from our weekly WordPress newsletter The WhiP.