Setting up Security Headers

Adding security headers is a very important part of the coreActivity plugin, and the plugin can add 10 security headers via Headers features. There are 3 dedicated headers features, and each one has an option to change how the headers are added to the website.

There are two methods available, and each one has cons and pros, with one being clearly better.

Direct Method

This is basic method for adding the security headers, and it is done via PHP using the header() function.


  • Works with every server type.


  • It is added only to the content generated by WordPress, it doesn’t get applied to images or other resources.
  • If your cache plugin serves cached HTML file without WordPress processing, cached responses doesn’t contain any HTTP headers that may be generated without cache, and ony headers coming from server are included.

Headers with .HTACCESS

This is the best way to add headers to the website, and to make sure they are applied to every request.


Adding headers via .HTACCESS requires use of .HTACCESS file, and it is limited to Apache and Litespeed web servers.


  • It runs before the WordPress is even reached, on the server level and it adds headers before WordPress is run.
  • It adds headers to any response from the server, including static resources, like images, scripts or styles.
  • It works with any WordPress cache plugin.


  • Nothing really.

Which Headers adding method to use?

There is no contest, you must use .HTACCESS method, if your server is run on Apache or LiteSpeed.

Rate this article

You are not allowed to rate this post.

Leave a Comment