Adding Custom Headers to Your WordPress Site

Category: Tutorials | Last modified: August 28, 2020

If you’d like to add custom headers to your site, we recommend doing so by creating a file called custom-redirects.php in your site root, if it is not there already.

As we do not allow modification of the server configuration files, custom-redirects.php is the only method by which Pressable can add these headers. If you prefer to use a plugin, check out the HTTP Headers plugin in the WordPress.org repository.

Working with custom-redirects.php

custom-redirects.php is prepended to any PHP script that is accessed on a Pressable site. For example, if you access https://yoursite.com/some_php_file.php, custom-redirects.php will be loaded before the code in some_php_file.php.

Some common headers that you may want to set are the following:

header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: SAMEORIGIN');
header('Referrer-Policy: no-referrer-when-downgrade');

Cache headers are set via Batcache when a cached render of your page is available, so those should not be set in custom-redirects.php.

Additionally, strict-transport-security headers are added automatically and are not modifiable.

An Automattic Invention A family of WordPress solutions.