Question

Security Headers on WordPress Website

Posted May 8, 2020 184 views
Ubuntu, WordPress, Security

Hi, I’m trying to add security headers on my site (recommended by a tool), and as I add the code to my .htaccess file, the site gives a 500 internal error.

I followed two websites and none of the code seems to be working. Here is the error image, and below are the sites which I’m following.

https://www.webarxsecurity.com/https-security-headers-wp/
https://www.tripwire.com/state-of-security/risk-based-security-for-executives/risk-management/how-add-http-security-headers-wordpress/

Can anyone help in this matter?

3 answers

Hello, @madhsudhan

The snippet of code might not be compatible with the installed version of Apache (2.2 or 2.4). What you can do is add the code in the .htaccess file and then examine the Apache error log to see the exact issue that is causing the problem.

You can examine the error log using this command:

tail -n 200 /var/log/apache2/error.log

This will print the last 200 logged rows in the error_log file. If you do not see any errors, you can increase the value and print more rows if needed. However, if you add the snippet in the .htaccess file, quickly access the site in order to produce the 500 error, and then remove the code from the file, you should be able to see the detailed error in the log file using the command that I’ve provided.

Also you can check the Apache configuration for any syntax errors:

apachectl -t

or

apachectl configtest

Let me know how it goes.

Regards,
Alex

Thanks, @alexdo, for responding. There aren’t any syntax errors, but when I generate the logs, I get some messages printing. I don’t know how to copy the text from the console, but I have attached the screenshot of what it looks like. I’m using a plugin for now, but it would be great to learn to implement security headers in .htaccess rather than installing a plugin.

Log screenshot

edited by MattIPv4
  • Hello, @madhsudhan

    My assumption here will be that the headers module is not installed.

    You can check this using:

    apachectl -M | grep -i headers
    

    If you can’t see the module, then you can install it:

    a2enmod headers
    

    then check the config for syntax errors:

    apachectl -t
    

    and then restart Apache to activate the new configuration:

    systemctl restart apache2
    

    Now if you grep for the module you will see the following output:

    root@sammy:~# apachectl -M | grep -i headers
     headers_module (shared)
    

    You can now add the headers in the .htaccess file and everything will work as expected!

    Let me know how it goes.

    Regards,
    Alex

Thanks, Alex. I did what you suggested, and installed the module. I don’t see any syntax errors, but by running:

apachectl -M | grep -i headers

I get the below message:

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
headers_moudle (shared)

Also, I’m getting the same 500 internal server error.
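
The log check suggested in this thread, as an added example that is not part of any post above: a small shell filter that maps Apache error-log lines about a rejected `.htaccess` directive to the likely cause. It covers the missing headers module discussed above and, going slightly beyond the thread, the case where `AllowOverride` does not permit `Header` in `.htaccess`; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Apache error-log lines caused by a failing
# .htaccess snippet. Reads log lines on stdin and prints one diagnosis
# per recognised error. Function names are hypothetical.
diagnose_htaccess_errors() {
    q="'"   # literal single quote, used to cut the directive name out
    while IFS= read -r line; do
        case "$line" in
            *".htaccess: Invalid command 'Header'"*)
                echo "mod_headers not loaded: run 'a2enmod headers', then 'systemctl restart apache2'" ;;
            *".htaccess: Header not allowed here"*)
                echo "AllowOverride lacks FileInfo: allow it for this directory in the vhost, or set the headers there" ;;
            *".htaccess: Invalid command '"*)
                cmd=${line#*Invalid command $q}
                cmd=${cmd%%$q*}
                echo "unknown directive '$cmd': check spelling or enable the module that provides it" ;;
            *".htaccess: "*)
                echo "other .htaccess error: ${line#*.htaccess: }" ;;
        esac
    done
}

# Constructed sample log lines (not taken from the thread's screenshots).
sample_log() {
cat <<'EOF'
[Fri May 08 10:01:02.123456 2020] [core:alert] [pid 1234] [client 203.0.113.5:50000] /var/www/html/.htaccess: Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
[Fri May 08 10:05:09.654321 2020] [core:alert] [pid 1234] [client 203.0.113.5:50002] /var/www/html/.htaccess: Header not allowed here
[Fri May 08 10:07:30.000001 2020] [php7:notice] [pid 1234] [client 203.0.113.5:50004] PHP Notice: example
EOF
}

# Demo on the constructed sample. Against a live server, use instead:
#   tail -n 200 /var/log/apache2/error.log | diagnose_htaccess_errors
sample_log | diagnose_htaccess_errors
```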
