How to Add HSTS (HTTP Strict Transport Security) in WordPress

Greetings, WordPress users! In this step-by-step guide, we will walk you through the process of adding HSTS (HTTP Strict Transport Security) to your WordPress website. HSTS is a security feature that helps protect your site and your users by ensuring that all communication between your website and visitors is encrypted over HTTPS.

What is HSTS?

HSTS is a web security mechanism that instructs web browsers to only communicate with a website over a secure HTTPS connection. It helps prevent potential security vulnerabilities, such as man-in-the-middle attacks, by enforcing the use of HTTPS for all interactions with your website.

Step 1: Verify SSL/TLS Certificate

Before enabling HSTS, it is crucial to ensure that your website has a valid SSL/TLS certificate installed. HSTS only works with HTTPS, so make sure your website is already using HTTPS before proceeding.

Step 2: Access Your WordPress Dashboard

Log in to your WordPress admin dashboard by navigating to Enter your credentials to access the dashboard.

Step 3: Install and Activate the HSTS Plugin

To add HSTS to your WordPress website, we recommend using the “HTTP Strict Transport Security” plugin. Go to the “Plugins” section in your WordPress dashboard and click on “Add New.” Search for “HTTP Strict Transport Security” and install the plugin developed by “Frank Bültge.”

Once the installation is complete, activate the plugin.

Step 4: Configure the HSTS Plugin

After activating the plugin, navigate to “Settings” in your WordPress dashboard and click on “HTTP Strict Transport Security.”

In the plugin settings, you will find various options to configure HSTS for your website. The essential settings to consider are:

  • Max-Age: Set the duration for which the HSTS policy will be enforced. It is recommended to set a value of at least 31536000 seconds (1 year).
  • Include Subdomains: Choose whether to include subdomains in the HSTS policy. Enable this option if your website uses subdomains.
  • Preload: Preloading allows your website to be included in the HSTS preload list maintained by web browsers. This ensures that HSTS is enforced even for first-time visitors. Enable this option for maximum security.

Adjust the settings according to your requirements and click on “Save Changes” to apply the HSTS policy to your website.

Step 5: Test and Verify HSTS

After configuring the HSTS plugin, it is essential to test and verify that HSTS is working correctly on your website. You can use online tools like or to check the HSTS status of your website.

These tools will provide you with detailed information about your HSTS policy, including the max-age, includeSubDomains, and preload settings.

Step 6: Monitor and Maintain HSTS

Once HSTS is enabled on your website, it is crucial to monitor and maintain its functionality. Regularly check your website’s SSL/TLS certificate to ensure it is valid and up to date. Keep an eye on any warnings or errors related to HSTS in your website’s server logs.

Remember that once you enable HSTS, all communication with your website will be forced to use HTTPS. Ensure that all your website’s resources, including images, scripts, and stylesheets, are also served over HTTPS to avoid any mixed content warnings.

Congratulations! You have successfully added HSTS to your WordPress website. By enforcing HTTPS and securing your website’s communication, you are taking a significant step towards protecting your users’ data and improving their overall browsing experience.

Stay secure, and happy WordPressing!

Ibraheem Taofeeq Opeyemi

I am a hard-working and help individual who isn't afraid to face a challenge. I'm passionate about my work and I know how to get the job done. I would describe myself as an open, and honest person who doesn't believe in misleading other people, and tries to be fair in everything I do. I'm Blogger | Website Designer | Website Developer | Content Writer | SEO Expert | Graphics Designer | WordPress Expert

Leave a Reply