How To Add Security Headers + More New Defender Features
Defender’s back in the ring for round 2.2.2. And he’s coming in hot with three brand new security features – all specifically designed to lay the smackdown on cowardly hackers and bots.
Your website’s safety is at stake, so let’s not delay.
Defender 2.2.2 recently entered the ring complete with a brand new set of knockout security features.
And in this article we’re shining the spotlight on three of the standouts:
- HTTP Security Headers
- Prevent User Enumeration
- Block WordPress Rest API
I’ll also be showing you how easy it is to instantly arm your website with these new weapons.
Because the truth of the matter is, if you’re not constantly updating your site’s security, you’re playing with fire.
Every day hackers and criminals are finding new ways to exploit even the most ‘secure’ of websites.
And if you’re not up with the latest website security measures, you’re leaving your site vulnerable.
That’s Where This Large Wrestler Dude Steps In…
New Round Here?
Meet Defender, our premiere security plugin and your personal [internet] crime fighting machine (he’s not as scary as he looks, unless you’re an evil hacker).
Hackers… Brute force attacks… Malicious bots…
They’re all no match for Defender’s mighty WordPress security shields and cloaking technology.
Tag-team with this plugin for instant access to: user security scans, vulnerability reports, two-factor authentication, safety recommendations, and tons more!
The point is…
Defender Has The Scariest Web Villains Squirming
And in it’s latest update, this robust plugin adds even more notches to it’s heavyweight security belt.
The best part?
Enforcing most of them takes no more than a click of a button.
But before we press on, PSA:
A WPMU DEV membership gives you full access to this, and all of our other award-winning premium WordPress plugins. There’s also a 100% risk-free 30-day trial – so you’re welcome to try before you buy.
But as I said earlier, the safety of your website depends on this – so on to the barnstorming features!
Hit Hackers Where It Hurts: HTTP Security Headers
Much like relationships, communication is one of the keys to a safer and more secure website.
And effective communication is what HTTP security headers do best.
In simple terms, these head-butting headers talk to web browsers and tell them how to act during interactions with your website. Helping to double down on your security and prevent malicious attacks.
HTTP security headers come in various shapes and sizes (I cover each below) – all safeguarding you against different types of attacks.
They’re also super easy to add on your website. And like most Defender features – they’re literally a click away from being instantly weaponized.
*This security feature was originally requested by our WPMU DEV community member Gary. Thanks again for your input Gary!
How To Activate Defender’s HTTP Security Headers
From the Defender dashboard, find the “Security Tweaks” section (you can’t miss it!). You’ll see a preview list of the security tweaks Defender recommends for your website.
Either click one of these, or click “view all.”
Alternatively, you can navigate to Security Tweaks directly via the side menu:
Once you’re through to the Security Tweaks page, you’ll see Defender points out the current security issues with your website.
Since security headers are a new feature, they’ll automatically appear on this list.
To activate a security header, start by clicking on one.
When you’ve clicked through you’ll then be given more info about each header.
Here’s an example of what you see when you click the “X-Content-Type-Options” header:
Like I said earlier, one click is all it takes.
Hit that “enforce” button and KAPOW! You’ve just beefed your security up a level.
Once you’ve enabled any header it’ll automatically be moved to the “Resolved” section of Security Tweaks.
You can also disable a security header here too if needed.
Alrighty, now that you know how to enforce security headers, let’s dive deeper into the headers themselves and what they do.
Meet Defender’s New ‘Heads’ Of Security:
1. X-Content-Type-Options Header
The X-Content-Type-Options header is quite the warrior, defending you against nasty MIME sniffing and XSS attacks.
An example of this is when a website allows users to upload content, but then, *PLOT TWIST, the user disguises a specific file type as something else. Sneaky sneak!
This gives them a dangerous opportunity to perform cross-site scripting and compromise your website. You’ll definitely want to activate this puppy if your website allows users to upload content.
2. Feature-Policy Header
The Feature-Policy response header helps control which browser features can be used when web pages are embedded in iframes (HTML documents embedded inside other HTML documents on a website).
Examples of this include: Embedding an iframe where you don’t want the embedded site to have access to the visitors camera, or when unoptimized images are output to your website from a CMS.
This security header also gives you more options to prevent unwanted actions when your webpages are embedded elsewhere:
3. Referrer-Policy Header
The Referrer-Policy HTTP header tells web-browsers how to handle referrer information when a user clicks a link that leads to another page.
Referrer headers let website owners know where inbound visitors came from, but sometimes you might want to control or restrict the amount of information shown.
You can also choose what referrer information is sent, along with requests:
4. Strict-Transport-Security Header
The HTTP Strict-Transport-Security header (HSTS) lets your website tell browsers they should only be accessed by HTTPS (rather than HTTP).
This is especially important for sites that store and process sensitive information (e.g. eCommerce stores) and it helps to prevent “protocol downgrade” and “clickjacking” attacks.
You can also set your Transport-Security Header requirements (see below). This will convert all non-HTTPS links, and will block insecure connections coming into your website.
5. X-Frame-Options Header
The X-Frame-Options HTTP header controls whether or not a browser can render a webpage inside a <frame>, <iframe>, or <object> tag.
This can help avoid clickjacking attacks by ensuring your content isn’t embedded into other websites.
6. X-XSS-Protection Header
The X-XSS-Protection header stops pages from loading when it detects reflected cross-site scripting (XSS) attacks on Chrome, Safari, and more.
But this header still protects users of older web browsers that don’t support CSP.
You can choose what level of X-XSS protection you would like to apply when XSS attacks are detected. Whether it’s sanitizing the page (removing unsafe parts), or blocking the attack completely.
We’re not done yet…
Here Are Two More Lethal Security Moves Defender’s Been Perfecting:
1.Catch Bots Off Guard With “Block WordPress Rest API”
The WordPress Rest API allows your website to communicate with internal and external services and applications.
This allows developers to create single page apps on top of WordPress. It also unlocks a whole world of opportunities (especially with Gutenberg).
However, if you’re not using any external services that require public access to the API, it’s potentially another access point for bots and hackers.
This security tweak allows you to only allow authorized requests. Which is recommended if you don’t require API access from third-party apps and software.
Alternatively, if you have external services that require API access you can ignore this security tweak.
This tweak also comes with a sliiight warning (dun dun duuun…).
It could prevent your website from working properly – so only activate this tweak if you know what you’re doing.
Like the security headers, the Block WordPress Rest API feature can be found in “Security Tweaks” and enforced in one click:
2.Prevent User Enumeration And “KO” Brute Force Login Attempts
A common method for bots and hackers to access your website is to figure out login usernames and brute force the login area with a bunch of dummy passwords.
There are two sides to this hacking method. The passwords are random guesses, and are harder to get. On the other hand, your username can be easily accessed by redirecting “?author=1” to “/author/username/.”
This security tweak locks down your website by preventing the redirect, making it much harder for bots to get your usernames.
You’ll find Prevent User Enumeration in “Security Tweaks,” and it can be activated with a click:
*Shoutout to WPMU DEV community members Richard and Michael for requesting this feature.
Sometimes Offense Is The Best [Security] Defense
It’s a scary internet world out there, and every day hackers and other despicable web villains are finding new ways to run-a-muck with innocent people’s websites.
That’s why it’s important to ensure your website is well armed with the latest security features.
Thanks to Defender Pro’s newly introduced security headers, as well as the ability to block WordPress Rest API and user enumeration – your website is in safer hands than ever.
If you already have Defender Pro installed and you haven’t yet updated… get to it silly! Your website’s safety depends on it.
Now’s The Time To Get Defensive
Again, if you’re new around here and you want to beef up your website’s security with this plugin… the best place to start is by signing up for a free 30 day trial with WPMU DEV.
That way you can take the mighty Defender (as well as all of our other premium plugins) for a test drive first. If you’re not satisfied within the 30 days, just cancel your sub and we’ll try to do better for you next time. No harm done.
(There’s also the free version of Defender if you’re not ready for that kind of commitment).
Special thanks to the amazing team (superheroes in their own right) that made Defender 2.2.2 possible:
Lead Developer: Hoàng Ngô, QA: Devendera Mishrades, and Lead Designer: Andy Crone.
Also be sure to check out our Product Roadmap to see what’s on the horizon for Defender in future updates.