Enabling HTTP Strict Transport Security (HSTS) For WordPress

If you are a WordPress site administrator, one of the things you can do to improve both SEO results and security is to secure your site with SSL. Yes, even if you aren’t doing transactions like e-commerce, PayPal, etc., using SSL is still recommended. Depending on your WordPress hosting company, they may even offer free SSL certificates. But there are different flavors and configurations of SSL that can improve or detract from your security posture. One feature that was recently brought to my attention is HTTP Strict Transport Security, or HSTS.

HSTS, in short, is a response header your site sends that tells the browser to use (and enforce) SSL connections only; once the browser has seen it, attempts to downgrade to non-encrypted communication are refused. HSTS is a setting you configure on your WordPress site, and it is not enabled by default (that I’m aware of). Since SSL configuration can be tricky, and you can end up with mixed-mode content, I recommend a WordPress plug-in called Really Simple SSL.

As the plug-in name implies, it makes configuring SSL (with HSTS) super easy, all from the GUI. It also scans your WordPress site for potential mixed-content issues and brings them to your attention. My site had a couple of flagged issues that I fixed. The free version of the plug-in doesn’t configure/test HSTS for you, but the premium version does (and makes it 1-click easy).

However, it may still take a bit of configuration tweaking to fully enable HSTS. First, after you enable HSTS in the plug-in, go to hstspreload.org and check your results. In my case, I had two errors. My site is currently error-free, so I’m using aol.com as an example of what you may see.

First, ignore the “no HSTS header” error. That is likely caused by the second error and does not mean Really Simple SSL didn’t do its HSTS configuration. I use WP Engine as my provider, so I contacted their help desk and gave them a copy of the error. They did some back-end redirection magic and fixed up the redirection issue in about 15 minutes. My redirection issue was slightly different from AOL’s problem, but it caused the same red failure message. After your redirection issue is fixed, re-run the scan. In my case, it came back with a green screen showing everything is good. Next, you can submit your site for inclusion on the global HSTS preload list, which I also did. Browsers such as Chrome and Firefox ship with that list built in, so they enforce HTTPS for listed sites even on the very first visit.
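To make the two hstspreload.org failures above concrete, here is a small added checker (example code written for this post, not from the post itself or from the Really Simple SSL plug-in) that applies the preload rules to a header value and the redirect chain a scanner would follow. The hostnames, redirect chains and header values are constructed sample data.

```python
from urllib.parse import urlparse

# hstspreload.org requires max-age of at least one year
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def preload_errors(hsts_header, redirect_chain):
    """Return the problems hstspreload.org would flag, in scan order.

    redirect_chain lists the URLs visited, starting with the plain http://
    request and ending at the final HTTPS page that served hsts_header.
    """
    errors = []
    first = urlparse(redirect_chain[0])
    if len(redirect_chain) < 2:
        errors.append("http request was not redirected to https")
    else:
        hop = urlparse(redirect_chain[1])
        # The first hop must be https on the SAME host, e.g. http://example.com
        # -> https://example.com, so that the bare host receives the header too.
        if hop.scheme != "https" or hop.hostname != first.hostname:
            errors.append("first redirect must go to https on the same host, "
                          "got %s" % redirect_chain[1])
    if hsts_header is None:
        errors.append("no HSTS header")  # often a symptom of the redirect error
        return errors
    d = parse_hsts(hsts_header)
    max_age = d.get("max-age")
    if max_age is None or not str(max_age).isdigit():
        errors.append("max-age directive missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        errors.append("max-age %s is below the one-year minimum" % max_age)
    if "includesubdomains" not in d:
        errors.append("includeSubDomains directive missing")
    if "preload" not in d:
        errors.append("preload directive missing")
    return errors


# Constructed samples: a passing site and a site that hops to www before https
GOOD = ("max-age=31536000; includeSubDomains; preload",
        ["http://example.com/", "https://example.com/", "https://www.example.com/"])
BAD = (None, ["http://example.com/", "https://www.example.com/"])

if __name__ == "__main__":
    for label, (hdr, chain) in (("good", GOOD), ("bad", BAD)):
        print(label, preload_errors(hdr, chain) or ["ok"])
```

The BAD case reproduces the pattern in the post: the redirect problem is reported first and the missing-header error rides along with it.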

And just to make sure my SSL configuration is in top-notch shape, I went over to SSL Labs and ran a test. And yes, my site is now rated A+, which is exceptionally good. It even notes that I’m successfully using HSTS.

And there you go! A simple, but not totally free, way to deploy and check HSTS on your WordPress site. Given the plug-in is just a few dollars, and helps fix up a variety of SSL issues besides HSTS, I think it’s money well spent.

1 Comment

June 1, 2018 2:55 am

Really Simple SSL is a good plugin. But if you only need to turn on HSTS, instead of using that plugin, I built my own plugin, which is much simpler and dedicated only to turning on HSTS by default, after you install and activate it.

https://wordpress.org/plugins/simple-hsts-preload/