Raddy Website Design & Development Tutorials

WordPress AWS LightSail Security Headers

By Raddy in Other ·

HTTP Security Headers are a set of HTTP headers that provide additional security for web servers, browsers, and internet service providers. They are used to protect against various attacks, such as cross-site scripting and clickjacking.

This is a step-by-step guide on how to install Security Headers in AWS Lightsail using a WordPress instance.

How to scan for Security Headers

Navigate to Securityheaders.com and simply enter the website that you want to check. The scan will give you a full report of your security headers and also score. If your score is not good enough carry on reading this article.

website security headers a+

Warning! Changing server settings could break your website. Always Snapshot / Backup your server files before you proceed with the configuration below.


To make this work you’ll need SSH access and FTP File Manager.

1) Enable .HTACCESS

Note that this is not the .htaccess file that you have in your WordPress directory. We are interested in the .htaccess file under Apache2.

Using FTP File Manager navigate to the following folder and download the “wordpress-vhost.conf” file on your computer.


Open the file in your favourite code editor and edit the following:

AllowOverride None

change to

AllowOverride All

Save the file.

Important step: Instead of re-uploading the file and overwriting the old one, you need to either remove the old one or rename it. Just in case you can rename the original file to something like “wordpress-vhost.conf_original”.

Now upload the newly modified file from your computer back to the server.


2) Enable .HTACCESS

Navigate to the “/opt/bitnami/apache/conf/vhosts/htaccess/” folder and download the “wordpress-htaccess.conf” file on your computer.


Open the “wordpress-htaccess.conf” file and add the following Security Headers at the bottom after the last “</Directory>” closing tag.

<Directory "/opt/bitnami/wordpress">
  <IfModule mod_headers.c>
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	Header set Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
	Header set X-Content-Type-Options nosniff
	Header set X-DNS-Prefetch-Control "on"
	Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Referrer-Policy "same-origin"
	Header set Content-Security-Policy "upgrade-insecure-requests;"

Headers Source: https://towardsthecloud.com/hardening-wordpress-amazon-lightsail

Note that some of the settings may not work for your website setup. You can test them one by one and experiment by changing the values.

In this example, the Permission-Policy is disabling the camera, microphone and geolocation. This means that none of the JavaScript running on the page will be able to access and run these APIs. There are a lot more directives that can be controlled such as autoplay, fullscreen, geolocation and so on.

If you want to learn about each Security Header I made another article which has the explanations – Set HTTP Security Headers Apache WHM

2) Restart Apache

Open the Terminal and run the following command to restart Apache.

Tip: You can use the Terminal inside Lightsail to do that.

sudo /opt/bitnami/ctlscript.sh restart apache

That’s it. Clean your website cache and re-check your Security Headers – Securityheaders.com 

I hope that this guide works for you. Let me know in the comments below if you found it helpful.

More Resources

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.