According to WordPress this plugin has been removed, because it does not comply with the WordPress Developer Guidelines.
WordPress does not specify the exact reason, so this is up to your imagination.
Personally, and with all respect to the plugin author, I think the plugin is of bad quality. When I read the code for the first time I nearly got a stroke. Bugs, security issues, redundancies and just not the quality that one expects on www.ads-software.com.
That being said, and since all other plugins with similar functionality at that time were way too large and hungry for resources, I decided to fix all these issues, because I wanted a sleek, performant and secure plugin. This has been done so far and it’s working fine for me, but I don’t have the time to push further development. Therefore, updates do not come regularly, but only if I find an issue and have time to fix it, unless it’s a critical one. Also, for that exact reason, I will not post my version of this plugin to the WordPress plugins directory.
So, if you would like to have a look at my work, feel free to check out my GitHub account, and create a fork or a pull request.

Seeing as this plugin appears to be removed, at least temporarily, and updates have not occurred for the last 11 months, I am assuming this has been abandoned. I would be interested in taking over the development of this plugin. I have decades of PHP and WordPress experience, and already have numerous changes I made personally to this plugin for my own use fixing issues. In fact, I forked this plugin months ago and use it on over 100 sites that generate more than a million views per month.
I will also be sending a similar request to WordPress plugin administrators to take over this plugin but would prefer to have the original developer hand off this plugin if they are done supporting it.

Hello,
this day, I see that the plugin is deactivated by its creator. Can you tell me what I have to do? What about the security? The plugin is still here, on my back office.
Why haven’t we been notified?
Thanks for your answer.

Presently, when you disable CSP and save, the next time you enter CSP settings, all of the fields are blank. Sometimes you just want to disable/enable for testing purposes. Now we have to track these elsewhere before disabling as to not completely lose everything we had figured out. Please tweak this so that it keeps the data in the fields.

Hellooooou,
What I am trying to achieve is to preload https://www.restauracesport.cz/ on https://hstspreload.org/
Error: Max-age is 0
The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=0. If you are trying to remove this domain from the preload list, please visit https://hstspreload.org/removal/
Dunno where the problem is, even in the plugin I have set:
HSTS
Max age:
31536000
seconds (86400 = one day, 31536000 = one year, 2592000 recommended)
Thanks a lot! <3
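
The preload checker in the post above only looks at the header the browser would actually honour, not at what is configured in the plugin. The following is an added example (not code from the HTTP Headers plugin) that parses a Strict-Transport-Security value, applies the hstspreload.org submission rules quoted in the post (max-age of at least 31536000, plus includeSubDomains and preload), and picks the effective header the way RFC 6797 prescribes when a response carries the field more than once. The sample response headers are constructed; whether a duplicate header is the cause in this particular case is an assumption, but it is one way to end up with exactly the reported symptom.

```python
"""Check a Strict-Transport-Security (HSTS) header against the hstspreload.org
submission rules. Added example for this thread; not code from the plugin."""
import re

ONE_YEAR = 31536000  # minimum max-age (seconds) that hstspreload.org accepts


def parse_hsts(header_value):
    """Split an HSTS value into {directive: value-or-None}, names lower-cased."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else None
    return directives


def effective_hsts(response_headers):
    """Return the HSTS value a browser acts on, or None if there is none.

    RFC 6797 section 8.1: when a response carries several STS header fields the
    user agent processes only the first one. A max-age=0 emitted by another
    layer (server config, a cache or a CDN) therefore wins over a later,
    correct value from the plugin.
    """
    for name, value in response_headers:
        if name.lower() == "strict-transport-security":
            return value
    return None


def hsts_preload_problems(header_value):
    """List the reasons a header would be rejected for preloading (empty = eligible)."""
    if header_value is None:
        return ["no Strict-Transport-Security header present"]
    problems = []
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age is {max_age}, must be at least {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample: the plugin value is correct, but an earlier max-age=0 from
# another layer is the one the browser (and the preload checker) will use.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=0"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
]

if __name__ == "__main__":
    value = effective_hsts(SAMPLE_RESPONSE_HEADERS)
    print("effective header:", value)
    for problem in hsts_preload_problems(value):
        print(" -", problem)
```

Feed the function the header list captured from a real response (for example from the browser's network panel) rather than the plugin settings page; if the first Strict-Transport-Security field is not the plugin's, the fix is in whichever layer emits it, not in the plugin.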

I’d installed this plugin and gotten the webpagetest.org Security rating up to an A. Then I installed WP Rocket and did another speed test – and the Security score went back to F.
I uninstalled and reinstalled this plugin and it’s set up as before. None of the headers are working:
https://securityheaders.com/?q=www.wpminder.com&followRedirects=on
WP Rocket is deactivated. I cleared the cache in CloudFlare and deactivated that, but nothing I do is affecting the security headers now.

Hi, when I click save on any security policies I activate I get a critical error on my website and the setting doesn’t save. Please advise?

Hi Carl Conrad,
I love this plugin you have created. It is an easy and effective plugin to implement the security headers. However, it shows the last update was 8 months ago.
Can you validate if the plugin is supported on WordPress 5.5.x and 5.6?
Are you planning to keep updating this plugin to support future versions of WordPress?
Thanks,

I have noticed that the report-uri for CSP has no way to set the report URI. While I overrode this in the code so I could use it with an outside reporting service, it would be nice to have this as a setting.

I’m not understanding the settings in here. I didn’t change anything in CSP settings. Since I have some scripts from an outside site, it automatically added that outside site to my script src. Everything else in here is blank. I am using wpforms for my contact form and wp_smtp by wpforms to connect to my mail server and send email. The email server is the same domain and the same server. When enabled I get an error saying javascript isn’t allowed to run but when CSP is disabled the form works fine. How can I whitelist scripts from my own site?
Thanks
Axe

First of all thank you for this awesome plug-in. I’m very happy with everything except I noticed that CSP headers (which are usually only sent in the front-end) are sent when on the page list admin page. This causes errors with some other plug-ins that use inline images and fonts (which are blocked by CSP). I would appreciate if this could be fixed so that CSP is only applied in front end. Thank you very much for your feedback.

I have the HTTP Sec Headers plugin activated, but when I installed and set up W3TC, I started getting F’s for security in webpagetest.org again where I had been getting A’s. None of the enabled security headers are showing up on my site anymore – is there a way to fix this?

Hi. Any plan to add Permissions-Policy to this? It seems to have replaced Feature-Policy.
Thanks

I suspect it is something related to this plugin, right?
Could you help me solve it?
Error with Feature-Policy header: Unrecognized feature: ‘ambient-light-sensor’.
Error with Feature-Policy header: Unrecognized feature: ‘speaker’.
Error with Feature-Policy header: Unrecognized feature: ‘sync-script’.
Error with Feature-Policy header: Unrecognized feature: ‘unsized-media’.
Error with Feature-Policy header: Unrecognized feature: ‘vertical-scroll’.
Error with Feature-Policy header: Unrecognized feature: ‘vibrate’.
Error with Feature-Policy header: Unrecognized feature: ‘vr’.
I don’t use any of this on my website, this is my address:
https://trendyvisuals.com/en/magazine/lancamento-dji-osmo-mobile-4/
I have a conflict with the plugin WP Social Chat, for example I cannot change or add (new) user. I suspect Plugin: HTTP headers to improve web site security, but within this plugin I cannot find where to put the correct settings?!
Much appreciated if you can help/assist me!
Thanks in advance, Peter

Hi,
I have The HTTP Feature-Policy header configured as follows:
Enable Feature Policy: On
autoplay: *
camera: none
document-domain: *
encrypted-media: *
fullscreen: self
geolocation: none
microphone: none
midi: none
payment: *
vr: none
But in the Chrome and Opera browser inspector, errors occur:
Error with Feature-Policy header: Unrecognized origin: ‘none’.
Error with Feature-Policy header: Unrecognized origin: ‘none’.
Error with Feature-Policy header: Unrecognized origin: ‘none’.
Error with Feature-Policy header: Unrecognized origin: ‘none’.
Error with Feature-Policy header: Unrecognized origin: ‘none’.
Error with Feature-Policy header: Unrecognized origin: ‘none’.
Error with Feature-Policy header: Unrecognized origin: ‘self’.
Error with Feature-Policy header: Unrecognized feature: ‘vr’.
How can this be resolved?
Best regards,
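
The three preceding posts (the Permissions-Policy question, the "Unrecognized feature" errors, and the "Unrecognized origin: 'none'" errors above) all come down to header syntax. The following is an added example, not code from the plugin, that parses a Feature-Policy value, re-emits it with the keywords 'self' and 'none' correctly single-quoted (a missing quote is one way to trigger the browser's "Unrecognized origin" message; whether that is the cause here is an assumption), and translates it into the Permissions-Policy structured-header form: 'none' becomes an empty list (), 'self' becomes (self), origins are double-quoted, and * stays *. The sample policy is constructed from the settings quoted above, and the set of features to drop is taken from the browser errors quoted in the earlier post.

```python
"""Normalise Feature-Policy and translate it to Permissions-Policy.
Added example for this support thread; not code from the HTTP Headers plugin."""

KEYWORDS = {"self", "none", "src"}


def parse_feature_policy(value):
    """Return [(feature, [allowlist tokens])] from a Feature-Policy header value."""
    policy = []
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.append((tokens[0].lower(), tokens[1:]))
    return policy


def _classify(token):
    """Map one allowlist token to ('wildcard', None), ('keyword', name) or ('origin', url).
    Quoted ('self') and unquoted (self) keywords are both accepted on input."""
    if token == "*":
        return "wildcard", None
    bare = token.strip("'").lower()
    if bare in KEYWORDS:
        return "keyword", bare
    return "origin", token


def normalize_feature_policy(value, drop_features=frozenset()):
    """Re-emit a Feature-Policy value with keywords single-quoted as the syntax requires."""
    out = []
    for feature, tokens in parse_feature_policy(value):
        if feature in drop_features:
            continue
        parts = [feature]
        for token in tokens:
            kind, item = _classify(token)
            if kind == "wildcard":
                parts.append("*")
            elif kind == "keyword":
                parts.append(f"'{item}'")
            else:
                parts.append(item)
        out.append(" ".join(parts))
    return "; ".join(out)


def to_permissions_policy(value, drop_features=frozenset()):
    """Translate a Feature-Policy value into Permissions-Policy syntax."""
    out = []
    for feature, tokens in parse_feature_policy(value):
        if feature in drop_features:
            continue
        kinds = [_classify(t) for t in tokens]
        if any(kind == "wildcard" for kind, _ in kinds):
            out.append(f"{feature}=*")
            continue
        members = []
        for kind, item in kinds:
            if kind == "keyword" and item == "self":
                members.append("self")
            elif kind == "origin":
                members.append(f'"{item}"')
            # 'none' adds nothing: an empty allowlist () disables the feature.
            # 'src' only exists for iframe allow= attributes, so it is dropped in a header.
        out.append(f"{feature}=({' '.join(members)})")
    return ", ".join(out)


# Constructed from the settings listed in the post above.
SAMPLE_FEATURE_POLICY = (
    "autoplay *; camera 'none'; document-domain *; encrypted-media *; "
    "fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; "
    "payment *; vr 'none'"
)
# Feature names the browser reported as unrecognized in the thread above.
UNRECOGNIZED_FEATURES = frozenset({
    "ambient-light-sensor", "speaker", "sync-script", "unsized-media",
    "vertical-scroll", "vibrate", "vr",
})

if __name__ == "__main__":
    print("Feature-Policy:    ", normalize_feature_policy(SAMPLE_FEATURE_POLICY, UNRECOGNIZED_FEATURES))
    print("Permissions-Policy:", to_permissions_policy(SAMPLE_FEATURE_POLICY, UNRECOGNIZED_FEATURES))
```

Sending both headers is the usual transition strategy: the normalised Feature-Policy for older browsers and the Permissions-Policy translation for current ones. Which feature names a given browser version still recognises changes over time, so the drop set should be maintained from the console messages you actually see rather than hard-coded once.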

Hi there,
Great plugin, I feel like a responsible person, now.
Two years ago you responded to a message indicating that you were going to add CORS: “Regarding CORS, it is planned and should be pushed out soon.”
I didn’t see any settings for it in my plugin, but suddenly I have this message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.newsgateny.com/wp-admin/admin-ajax.php. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.newsgateny.com/wp-admin/admin-ajax.php. (Reason: CORS request did not succeed).
Is this your plugin, and how do I fix this?
If this isn’t from you, then I have to keep searching.
Thank you for your time.

Hi there,
I am new to CSP. Are there by chance some recommendations on how to do the settings?
Thank you!
Best regards,
Maike

Hi there,
I have been tweaking for a few hours and can’t get security headers working with your awesome plugin and WP Fastest Cache. I don’t want to sacrifice either of them, because WPFC is using .htaccess for gzip and stuff, but it also completely erases the work of HTTP Headers.
*When I inserted the beta version of the headers manually into .htaccess I got error 500 on the whole website, but on auto settings it works.
I also posted the same query at WPFC support:
https://www.ads-software.com/support/topic/rewriting-security-headers/
Thanks a lot

Hello Carl,
Nice plug-in.
If one enables ‘base-uri’ under the ‘document directives’ and chooses, let’s say, ‘none’, then HTTP Headers only writes in .htaccess: ;base-uri ;
So the base-uri setting is left blank in the .htaccess.
Probably a little bug.
PS: I sent you a mail through WordPress one week ago with some other questions.
Best regards,
Danny

Bonjour Carl,
I also sent you a Facebook message.
You are working on nice things and I see we have many of the same interests,
like Audio, Music, Synthesizers and Sounds.
I really like your HTTP Headers plug-in.
Bravo !
I have a question: how can I set the HTTP Headers Security Analyses for the following (missing) optional HTTP headers (if possible in your app):
– Access-Control-Allow-Origin
– Public-Key-Pins
– Public-Key-Pins-Report-Only
Do you have some tips?
My second question is about the PCI DSS Compliance Analyses.
I got the message:
Requirement 6.2: Website CMS or it’s component seem to be outdated.
But requirements 6.5 and 6.6 are both excellent.
Do you know what is going on?
Both questions can be seen with the website tester:
https://www.immuniweb.com/websec
Last question is about the Expect CT.
I set it to: Enforce with max-age=2592000
That is recommended in your app.
But immuniweb thinks this header is not properly set.
What do you think?
Thanks in advance and best regards from The Netherlands,
Danny Rorije

Hi there,
For some reason it does not seem like my CSP rules are applying to my admin area.
I have "script-src * 'self' blob: 'unsafe-inline' 'unsafe-eval'"
set up in the plugin, and when I go to https://securityheaders.com/ it reports as set as such BUT DevTools in my admin area keeps reporting "script-src * 'self' 'unsafe-inline' 'unsafe-eval'"
Any ideas?

Hello,
WP admin (core) appears to require the ‘unsafe-inline’ value for the ‘script-src’ CSP directive. The ‘unsafe-inline’ value is also used in your screenshot example (https://ps.w.org/http-security/assets/screenshot-2.png?rev=1665126).
However, including ‘unsafe-inline’ produces the warning, “This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive.” using the security header scanning tool you recommend (https://securityheaders.com/?q=villagebankmortgage.com&followRedirects=on). It’s my understanding that allowing ‘unsafe-inline’ is one of the most common ways a WordPress website can be compromised.
How can we set a Content-Security-Policy for WordPress Admin that does not produce any security warnings?
Thank you
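
The last few posts (the report-uri request, the script-src policy that differs between the scanner and the admin area, and the 'unsafe-inline' warning above) are all about reading and adjusting a Content-Security-Policy value. The following is an added example, not the plugin's own code, that parses a CSP, reports the findings a scanner would raise for script-src, and shows the standard alternative to 'unsafe-inline' for a known inline script: a hash-source computed over the exact script text, which CSP Level 2 browsers honour while ignoring 'unsafe-inline' in the same directive. It also adds the report-uri directive the earlier post asks for. The sample policy is the one quoted above; the report endpoint path and the inline script text are constructed.

```python
"""Parse, audit and adjust a Content-Security-Policy header value.
Added example for this support thread; not code from the HTTP Headers plugin."""
import base64
import hashlib


def parse_csp(value):
    """Return {directive: [source expressions]} in the order the directives appear."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Inverse of parse_csp."""
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


def script_hash(inline_js, algo="sha256"):
    """CSP hash-source for an inline script body: the exact text between the
    <script> tags, UTF-8 encoded, digested and base64-encoded."""
    digest = hashlib.new(algo, inline_js.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"


def csp_findings(value):
    """Findings a header scanner would raise for the script-src directive."""
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when absent.
    script = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    # CSP Level 2+: a nonce or hash in the directive makes 'unsafe-inline' inert,
    # so it only counts as a finding when nothing else gates inline scripts.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script:
        findings.append("script-src allows any host (*)")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will not be reported")
    return findings


def with_inline_allowed_by_hash(value, inline_js, report_uri=None):
    """Replace 'unsafe-inline' in script-src with a hash for one known inline
    script, and optionally add the report-uri directive the thread asks for."""
    policy = parse_csp(value)
    script = [s for s in policy.get("script-src", []) if s != "'unsafe-inline'"]
    script.append(script_hash(inline_js))
    policy["script-src"] = script
    if report_uri:
        policy["report-uri"] = [report_uri]
    return serialize_csp(policy)


# The policy quoted in the post above.
SAMPLE_CSP = "script-src * 'self' blob: 'unsafe-inline' 'unsafe-eval'"
# Constructed inline script and report endpoint for the demonstration.
SAMPLE_INLINE_JS = "console.log('hello');"
SAMPLE_REPORT_URI = "/csp-report-endpoint"

if __name__ == "__main__":
    for finding in csp_findings(SAMPLE_CSP):
        print(" -", finding)
    hardened = with_inline_allowed_by_hash(SAMPLE_CSP, SAMPLE_INLINE_JS, SAMPLE_REPORT_URI)
    print(hardened)
    for finding in csp_findings(hardened):
        print(" -", finding)
```

One hash per distinct inline script is needed, and the hash changes whenever the script text changes, so this suits a handful of stable inline snippets; where inline scripts are generated per request (as much of WP admin is), a per-response nonce is the equivalent mechanism. Rolling the change out as Content-Security-Policy-Report-Only first, with the report-uri set, shows what would break before anything is blocked.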

Hello,
Thank you for your work.
The 2.5.5 version of this plugin seems to break a lot of pages on WordPress with the Elementor plugin (public and admin pages).
The console displays errors about script-src and style-src.
The 2.5.3 version was almost good enough (some troubles but ok).
So actually I’ve rolled back to 2.5.3
THX.

Updating to v2.5.5 comes with breaking changes. I get a number of console errors along the lines of the following:
Refused to load the script '...' because it violates the following Content Security Policy directive: "script-src '"
All errors refer to '. Could you please look into this?

Hello Carl,
Could you please update the changelog with details of the changes in versions 2.5.3 and 2.5.5.

Hello,
I found some issues with the plugin. Is there an email address I can send them to?
Thank you.
V/R
Erin Germ

Hello Carl,
I received a warning from Wordfence:
The Plugin “HTTP headers to improve web site security” has been removed from www.ads-software.com.
Type: Plugin Removed
Issue Found 2020-03-19 03:05:49 GMT+0700
Critical
To my relief, when I opened the WP Dashboard, I found an update for the plugin to version 2.5.3. Curious to what the update contained, I checked the changelog but found no entry for version 2.5.3. Can you please post the details.

There seems to be a conflict between HTTP headers to improve web site security and WPBakery Page Builder. When I choose to edit a page with WPBakery Page Builder (frontend), the screen shows the WPBakery icon and then freezes. The issue disappears when I deactivate HTTP headers to improve web site security.

Hi,
I’ve tried for some time to set the HSTS header for my WordPress site through the .htaccess file but securityheaders.com always reported that it didn’t find an HSTS header. Therefore I was looking for another solution and stumbled across your plugin.
At first it wasn’t working but after adding this code to my .htaccess file everything seemed to work fine:
<IfModule mod_rewrite.c>
    # RewriteEngine/RewriteCond/RewriteRule belong to mod_rewrite, so that is the
    # module to test for (the original wrapper tested mod_headers.c instead)
    RewriteEngine On
    # Any request that did not arrive over HTTPS ...
    RewriteCond %{HTTPS} !=on
    # ... is permanently redirected to the same host and path over HTTPS
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
But when I try to use the W3 Total Cache plugin, I get some problems. After enabling the caching plugin, my website doesn’t pass the HSTS test anymore. I expected this because I was reading that the combination of your plugin and a caching plugin may cause problems. To fix this, I checked the option which deactivates the rewriting of the header and pasted the displayed code into my .htaccess file. However, after doing this my website wasn’t accessible anymore and showed me a 500 internal server error. When I remove the code, everything is working again.
Do you have any idea on how to fix this so I can use both W3 Total Cache and your plugin?
Thanks!