Edit WordPress HTTP headers running on IIS for security measures

Page update date :
Page creation date :

Verification environment

  • 5.8.2
  • 7.1.29
  • 10.0
Windows Server
  • 2019


This article assumes that WordPress is already running on IIS.

Security checks

Go to the following site, enter the URL of your WordPress site, and press the Scan button.

The resulting rank is "A+, A, B, C, D, E, F", which means that the closer to A+, the more secure it is. Conversely, closer to F means less secure.

You can see that it is executed against a WordPress site installed on IIS, but it is displayed as F because there are no countermeasures by default.

Security measures

If you look it up on the net, " . htaccess" file, but the . htaccess" is basically used by Apache's web server, so it cannot be used in IIS.

For IIS, Apache's . htaccess" corresponds to the "web.config" file, so you will write the settings here.

You can write the settings directly in web.config, but in this case, I'd like to use Internet Information Services (IIS) Manager to add the settings and then check web.config after setting them.

Settings in IIS Manager

From the Start menu, select Internet Information Services (IIS) Manager.

Select the site where "WordPress" is running from the tree on the left and double-click "HTTP Response Headers" from the middle list to open it.

Here, enter a name and value, add it, and set the response header. Here's what we'll add this time: The main ones are excerpted, but feel free to add more items or change the values as needed.

Name Value
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-XSS-Protection 1; mode=block
Referrer-Policy no-referrer-when-downgrade
Content-Security-Policy upgrade-insecure-requests
Strict-Transport-Security max-age=31536000
Permissions-Policy fullscreen=(self), accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=()

X-Content-Type-Options I'd like to add as an example. Click Add from the menu on the right.

Enter for the name, enter for X-Content-Type-Options the nosniff value, and click the OK button.

One value has been added.

If you check "Security Headers" in this state as a test, you can see that the security rank has increased.

I continued to register and tried to put all the values in the table above.

When I scanned it in this state, I was able to see that it was the highest rank A+.

This is fine for security, but it's quite restrictive, so open your WordPress site and check if there are any problems with the content working.

Permissions-Policy In particular, has completely disabled the camera and location information, so adjust the values according to your WordPress site.

Checking web.config

There should be web.config in the root of the folder where WordPress is located, so open it in Notepad etc. and check it.

You should be able to see that it is entered as shown in the figure below. Instead of using IIS Manager, you can set HTTP response headers in web.config in the same way.