Headers Security Advanced & HSTS WP



Headers Security Advanced & HSTS WP is the best free all-in-one plug-in for all WordPress users. It allows you to securely and quickly customize your login page URL. It does not rename or replace files, or add rewrite or read rules. The wp-admin directory and the wp-login.php page will no longer be accessible, so bookmark the new login URL, or note it wherever you prefer, so you can remember it. Deactivating this plugin will return your site configuration exactly to the state it was in before.

The Headers Security Advanced & HSTS WP project implements HTTP response headers that your site can use to increase its security. The plug-in automatically sets up all best practices (you don’t have to think about anything). These HTTP response headers can prevent modern browsers from running into easily predictable vulnerabilities. The Headers Security Advanced & HSTS WP project wants to popularize these headers and increase awareness and usage of them among all WordPress users.

This plugin is developed by TentaclePlugins. We care about WordPress security and best practices.

Check out the best features of Headers Security Advanced & HSTS WP:
* HSA Limit Login to block brute force attacks.
* X-XSS-Protection
* Expect-CT
* Access-Control-Allow-Origin
* Access-Control-Allow-Methods
* Access-Control-Allow-Headers
* X-Content-Security-Policy
* X-Content-Type-Options
* X-Frame-Options
* X-Permitted-Cross-Domain-Policies
* Content-Security-Policy
* Referrer-Policy
* HTTP Strict Transport Security / HSTS
* Clear-Site-Data
* Cross-Origin-Embedder-Policy-Report-Only
* Cross-Origin-Opener-Policy-Report-Only
* Cross-Origin-Embedder-Policy
* Cross-Origin-Opener-Policy
* Cross-Origin-Resource-Policy
* Permissions-Policy
* Strict-dynamic
* Strict-Transport-Security

Headers Security Advanced & HSTS WP is based on OWASP CSRF to protect your WordPress site. Using OWASP CSRF, once the plugin is installed, it will provide full CSRF mitigation without having to call a method to use a nonce on the output. The site will be secure despite having other vulnerable plugins (CSRF).

HTTP security headers are a critical part of your website’s security. After automatic implementation with Headers Security Advanced & HSTS WP, they protect you from the most notorious types of attacks your site might encounter. These headers protect against XSS, code injection, clickjacking, etc.

Analyze your site before and after using Headers Security Advanced & HSTS WP. The security headers are self-configured according to HTTP Security Headers and HTTP Strict Transport Security / HSTS best practices.

This plugin is updated periodically. Our limited support is free, and we are available for your feedback (bugs, compatibility issues or recommendations for next updates). We are usually fast :-D.


  • Check HTTP Security Headers (AFTER)
  • Check HTTP Security Headers (BEFORE)
  • Check HTTP Strict Transport Security / HSTS (list)
  • Setting on single site installation
  • Site-wide security setting



  1. Go to ‘Plugins’ > ‘Add New’.
  2. Search for Headers Security Advanced & HSTS WP.
  3. Find this plugin, download it and activate it.
  4. Go to ‘Settings’ > ‘Permalink’. Change your login URL in the ‘Security Url’ field.
  5. You can change this option whenever you want; Headers Security Advanced & HSTS WP is configured automatically.


How do you get an A+ grade?

To earn an A+ grade, your site must issue all HTTP response headers that we check. This indicates a high level of commitment to improving the security of your visitors.

What headers are recommended?

Over an HTTP connection we check Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. Over an HTTPS connection, 2 additional headers are checked for presence: Strict-Transport-Security and Public-Key-Pins.

Can the plugin create slowdowns?

No, Headers Security Advanced & HSTS WP is fast and secure, and it does not affect the SEO or speed of your website.

What is HSTS (Strict Transport Security)?

It was created as a solution to force the browser to use secure connections when a site is running on HTTPS. It is a security header that is added to the web server and reflected in the response header as Strict-Transport-Security. HSTS is important because it addresses the following anomalies:

Check before and after using Preload HSTS

This step is important for submitting your website and/or domain to an approved HSTS list. Google officially compiles this list, and it is used by Chrome, Firefox, Opera, Safari, IE11 and Edge. You can submit your site to the official HSTS preload directory (https://hstspreload.org/).

How to use HTTP Strict Transport Security (HSTS)

If you want to use Preload HSTS for your site, there are a few requirements before you can activate it.

  • Have a valid SSL certificate. You can’t do any of this anyway without it.
  • You must redirect all HTTP traffic to HTTPS (recommended via permanent 301 redirects). This means that your site should be HTTPS only.
  • You need to serve all subdomains in HTTPS as well. If you have subdomains, you will need an SSL certificate.

The HSTS header on your base domain (for example: example.com) is already configured; you just need to activate the plug-in.

If you want to check the HSTS status of your site, you can do so here: https://hstspreload.org/
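
An added example (not part of the plugin or its documentation): a Python check that takes captured response headers, reports which of the headers named in the FAQ above are missing, and tests the Strict-Transport-Security value for preload readiness. The function names and sample headers are constructed for illustration, and the one-year `max-age`, `includeSubDomains` and `preload` rules are the hstspreload.org submission requirements, which this page does not list.

```python
# Header names come from the FAQ above. The preload thresholds are the
# hstspreload.org submission rules (an assumption; the page does not list them).
HTTP_HEADERS = ["Content-Security-Policy", "X-Content-Type-Options",
                "X-Frame-Options", "X-XSS-Protection"]
HTTPS_ONLY_HEADERS = ["Strict-Transport-Security", "Public-Key-Pins"]
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds

def missing_headers(headers, https):
    """Return the FAQ-listed headers absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    wanted = HTTP_HEADERS + (HTTPS_ONLY_HEADERS if https else [])
    return [h for h in wanted if h.lower() not in present]

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, directive names)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdecimal() else None
        elif name:
            flags.add(name)
    return max_age, flags

def preload_problems(headers):
    """List the reasons a response's HSTS header would fail preload submission."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    max_age, flags = parse_hsts(value)
    problems = []
    if max_age is None or max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below %d" % PRELOAD_MIN_MAX_AGE)
    for flag in ("includeSubDomains", "preload"):
        if flag.lower() not in flags:
            problems.append(flag + " directive missing")
    return problems

# Constructed sample: headers as captured from a hypothetical HTTPS response.
SAMPLE = {"content-security-policy": "default-src 'self'",
          "X-Content-Type-Options": "nosniff",
          "X-Frame-Options": "SAMEORIGIN",
          "Strict-Transport-Security": "max-age=63072000; includeSubDomains"}
if __name__ == "__main__":
    print(missing_headers(SAMPLE, https=True), preload_problems(SAMPLE))
```

Public-Key-Pins stays in the list because the FAQ names it; current browsers no longer support that header, so treat its absence as informational.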

Can I report a bug or request a feature?

You can report bugs or request new features right here!


October 29, 2021
How to tell you? It is light and super efficient to protect against XSS. Even if I had some doubts at the beginning, it is better than the big security suite.

Contributors & Developers

“Headers Security Advanced & HSTS WP” is open source software. The following people have contributed to this plugin.


“Headers Security Advanced & HSTS WP” has been translated into 1 locale. Thank you to the translators for their contributions.




  • We don’t want to tell you what to do, but here’s the thing, if you’ve updated the plugin last time, you’ve seen that when we propose to do it, we don’t just say it. Well, we’ve added and fixed a lot of things with this version 4.4 (we’ve improved some crazy programmer stuff) and everything works like a charm. So are we on board? Let’s have you tap “update” and we’ll give you the coolest, fastest, most awesome plugin with the best updates in the world.


  • Fixed: We fixed an issue that could occur with logging into the admin panel with the custom login URL and it would show the login form even when authenticated.


  • Updated: Content Security Policy can be used to generate reports describing attempts to attack your site. In addition, we have implemented the HTTP Content-Security-Policy (CSP) directive, ensuring both report-to and report-to compatibility.


  • Fixed: Permissions-Policy and its value is a structured field value.


  • Fixed: “Cross-Origin-Embedder-Policy”
  • Fixed: “Clear-Site-Data”
  • Updated: “Access-Control-Allow-Headers”
  • Updated: “Access-Control-Allow-Methods”
  • Updated: “Access-Control-Expose-Headers”
  • Updated: “Cache-Control”


  • Initial version; contact us for improvements and feedback.