For this step, you should be comfortable with FTP and editing the .htaccess file. If not, simply skip this for now.
1. In your browser, navigate to Security Headers and scan the site. Everything you need to know about security headers is nicely explained in that report.
2. Find the .htaccess file (it should be in the root directory of your site) and download a copy of it via FTP to your local machine. Make an extra backup copy; if something goes wrong during this procedure, simply FTP the original file back.
3. In the .htaccess file, after “# END WordPress”, add:
# Use Security Headers (needs mod_headers; the IfModule guard keeps the site
# from returning a 500 error on hosts where the module is not loaded)
# Note: X-XSS-Protection is deprecated and Feature-Policy has been renamed
# Permissions-Policy in current browsers; both are kept here as harmless extras.
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy strict-origin
Header set Content-Security-Policy "frame-ancestors 'self';"
Header set Feature-Policy "usb 'none'; microphone 'none'; camera 'none'"
Header set X-Content-Type-Options nosniff
</IfModule>
4. FTP the modified .htaccess to the site. Changes take effect immediately; check that the site still looks the same as before.
5. Navigate to Security Headers and scan the site again. If everything went well, you should get an A or A+ score.
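Step 5 relies on the online scanner; the same check can be done locally against the raw response headers (for instance the output of `curl -sI` against your site). This is an added example, not code from the original post: it verifies exactly the seven headers set above, and the sample response is constructed to show the two mistakes it catches (a garbled HSTS value and a missing header).

```python
import re

def hsts_ok(value, min_age=31536000):
    """One max-age=<int> directive plus only includeSubDomains/preload;
    any other token (e.g. a stray ')' from a copy-paste) fails."""
    age = None
    for d in [d.strip().lower() for d in value.split(";") if d.strip()]:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            age = int(m.group(1))
        elif d not in ("includesubdomains", "preload"):
            return False
    return age is not None and age >= min_age

# Lower-cased header name -> predicate on its value, one per .htaccess line.
EXPECTED = {
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-xss-protection": lambda v: v.replace(" ", "") == "1;mode=block",
    "referrer-policy": lambda v: v.lower() == "strict-origin",
    "content-security-policy": lambda v: "frame-ancestors" in v.lower(),
    "feature-policy": lambda v: "camera 'none'" in v.lower(),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
}

def parse_headers(raw):
    """Raw response header block (status line first) -> {name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_security_headers(raw):
    """Return {header: 'ok' | 'missing' | 'bad value'} for each expected header."""
    headers = parse_headers(raw)
    return {name: "missing" if name not in headers
            else "ok" if ok(headers[name]) else "bad value"
            for name, ok in EXPECTED.items()}

# Constructed sample: HSTS garbled by a stray ')' and Referrer-Policy omitted.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors 'self';
Feature-Policy: usb 'none'; microphone 'none'; camera 'none'
X-Content-Type-Options: nosniff
"""
```

Any header reported as "missing" or "bad value" is something the scanner in step 5 will also flag, so fix it in .htaccess before re-scanning.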