



Enabling a nosniff header will make your WordPress-based website more secure. Learn how to install a nosniff header.

What is a nosniff header?

It is a type of header that, at the code level, prevents MIME sniffing attacks. MIME sniffing attacks are possible because sniffing is a technique used by browsers (less and less) to determine the file type or format of a web element. When the browser sniffs the contents, a vulnerability is created that attackers can use. What the nosniff header does is avoid that vulnerability.

How to add a nosniff header to my WordPress based website?

To add a nosniff header to your website, you must first follow the following steps:

Checking if you already have secure headers

  1. Check if your website has secure headers. One way to verify the headers for free and without risk is through the Security Headers portal.
  2. Go to SecurityHeaders.com, enter the address of your website and press the Scan button.
  3. Wait a few seconds and the results will appear. If your website has security problems, some results will appear in red text with an F.

You can also get a letter C, or an A+ if you meet all the security protocols. But if you have failed the Security Headers test, rest assured that we are here to teach you how to improve the security of your website.

How to install a secure nosniff header to my WordPress website

There are several options for enabling the nosniff header on your website, and some of them involve plugins. There are also alternatives that let you make your website more secure without installing anything, just by modifying some files of your WordPress installation with a few lines of code.

Here we will see all the possible alternatives. Ready? Let's get to work.

Header nosniff in WordPress with plugins

The easiest way to add a nosniff header in WordPress is by using plugins. If you do not intend to modify files of your WordPress installation, then plugins are a recommended option.

In the WordPress plugin repository there are several options.

HTTP Headers

It is the most installed tool in the WordPress plugin repository for improving the security of the headers in WordPress. All you have to do is download and activate it in the usual way.

By default, HTTP Headers comes configured with all the necessary parameters to improve the security features of your website.

Even though HTTP Headers is, to date, the most downloaded option, there are other alternatives. One of those is Security Headers.

Security Headers

After HTTP Headers, it is the option with the most installations. The way Security Headers works is simple: download, install and activate.

HTTP headers to improve web site security

A third option that allows us to enable the nosniff header on our website without having to touch code is HTTP headers to improve web site security. Even though this plugin has fewer active installations than HTTP Headers, it receives updates constantly.

Enabling a nosniff header in WordPress without installing plugins

As we told you at the beginning, it is possible to enable a nosniff header without installing plugins, just by adding some lines of code and modifying some files.

Warning:

Before modifying any file of your WordPress installation, you need to make a backup. Modifying the elements and the code of your website can put the way your site works at risk.

Enabling a nosniff header through the .htaccess file

  1. Locate the .htaccess file by logging in to cPanel. Once you are in cPanel, follow this path:

Files > File Manager > Web Root (public_html)

There you must select the option to show hidden files, and you will find the .htaccess file.

  2. Once you have located the .htaccess file and made the corresponding backup, copy and paste the following code:

# X-Content-Type nosniff

Header set X-Content-Type-Options nosniff

  3. Save the changes and you are done.

Improving the security of your header by modifying the functions.php file

  1. To modify the functions.php file, follow this path in the WordPress dashboard:

Appearance > Editor > Theme Functions

  2. When you have located the functions.php file, add the following lines of code:

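// Content Security Policy: default sources are this origin, inline/eval code, any https: URL and data: URIs
header("Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:");

// Only allow the site to be framed by pages from the same origin
header('X-Frame-Options: SAMEORIGIN');

header('X-XSS-Protection: 1; mode=block');

// Stop browsers from MIME sniffing the response
header('X-Content-Type-Options: nosniff');

// Tell browsers to use HTTPS only for one year (31536000 seconds)
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

// PHP session cookie settings: not readable from JavaScript, sent over HTTPS only, no session IDs in URLs
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

  3. Save the changes and that's it.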

You can verify that the changes have taken effect, whether you used plugins or modified your website's files, by going to SecurityHeaders.com.
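
A local version of that check, as an added example that is not part of the original article: it parses a raw response head (for instance the output of curl -sI for your site) and reports whether X-Content-Type-Options and three of the other headers from the functions.php snippet are present with a usable value. The function names and the sample response are constructed for illustration.

```python
import re

def _hsts_ok(value):
    # max-age=0 tells the browser to drop HSTS, so require a positive value.
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) > 0

# Header name (lowercase) -> validator for its value.
CHECKS = {
    # Browsers only honour the exact token "nosniff" (case-insensitive).
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("SAMEORIGIN", "DENY"),
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: bool(v.strip()),
}

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercase name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return {header: 'ok' | 'missing' | 'invalid'} for each checked header."""
    headers = parse_headers(raw)
    report = {}
    for name, valid in CHECKS.items():
        values = headers.get(name)
        if not values:
            report[name] = "missing"
        else:
            # Conservative choice: every occurrence of the header must be valid.
            report[name] = "ok" if all(valid(v) for v in values) else "invalid"
    return report

# Constructed sample: header names are case-insensitive, HSTS is disabled
# by max-age=0, and no Content-Security-Policy is sent.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "x-content-type-options: NoSniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=0; includeSubDomains\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```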
