How to Add X-XSS-Protection in WordPress: Step-by-Step Guide


WordPress is one of the most popular content management systems (CMS) in the world, powering millions of websites. However, with its popularity comes the risk of security vulnerabilities. One common vulnerability is cross-site scripting (XSS), which allows attackers to inject malicious code into a website. To protect your WordPress site from XSS attacks, it is important to add the X-XSS-Protection header. In this step-by-step guide, we will walk you through the process of adding X-XSS-Protection in WordPress.

Step 1: Accessing the Functions.php File

The first step is to access the functions.php file of your WordPress theme. This file contains the code that controls the functionality of your theme. To access the file, you can use either an FTP client or the built-in file editor in the WordPress admin area.

If you choose to use an FTP client, connect to your website’s server using the FTP credentials provided by your hosting provider. Navigate to the wp-content/themes/your-theme folder and look for the functions.php file. Download the file to your computer.

If you prefer to use the built-in file editor, log in to your WordPress admin area and go to Appearance > Theme Editor. On the right-hand side, you will see a list of theme files. Click on the functions.php file to open it.

Step 2: Adding the X-XSS-Protection Header

Once you have accessed the functions.php file, you can add the X-XSS-Protection header to your WordPress site. To do this, paste the following code snippet at the end of the file:

function add_xss_protection_header() {
    header( 'X-XSS-Protection: 1; mode=block' );
add_action( 'send_headers', 'add_xss_protection_header' );

This code snippet creates a function called add_xss_protection_header() that adds the X-XSS-Protection header with the value 1; mode=block. The add_action() function hooks the add_xss_protection_header() function to the send_headers action, ensuring that the header is added to every page of your WordPress site.

Step 3: Saving and Testing

After adding the code snippet, save the changes to the functions.php file. If you are using the FTP client, upload the modified file back to the wp-content/themes/your-theme folder on your website’s server.

Now, it’s time to test if the X-XSS-Protection header is working correctly. Open a web browser and navigate to your WordPress site. Right-click anywhere on the page and select “Inspect” or “Inspect Element” to open the browser’s developer tools.

In the developer tools, go to the “Network” tab and refresh the page. Look for the response headers of the page request. If you see the X-XSS-Protection header with the value 1; mode=block, congratulations! You have successfully added the X-XSS-Protection header to your WordPress site.


Adding the X-XSS-Protection header is a crucial step in securing your WordPress site against cross-site scripting (XSS) attacks. By following this step-by-step guide, you have learned how to add the X-XSS-Protection header to your WordPress site using the functions.php file. Remember to regularly update your WordPress theme and plugins to ensure the overall security of your website. Stay safe!

Ibraheem Taofeeq Opeyemi

I am a hard-working and help individual who isn't afraid to face a challenge. I'm passionate about my work and I know how to get the job done. I would describe myself as an open, and honest person who doesn't believe in misleading other people, and tries to be fair in everything I do. I'm Blogger | Website Designer | Website Developer | Content Writer | SEO Expert | Graphics Designer | WordPress Expert

Leave a Reply