Why Your Site Health Shows Missing Security Headers (And How to Fix It)

23 threads · Sep 9, 2025 · Plugin: Really Simple Security

If you use the Really Simple SSL plugin, you might have encountered a confusing notice in your WordPress Site Health screen stating that your site is missing recommended security headers, even if you're sure they are configured. This is a common point of confusion, and this guide will help you understand why it happens and how to resolve it.

What Are Security Headers?

Security headers are directives sent by your web server to a user's browser. They help enhance your website's security by controlling behavior like forcing HTTPS, preventing clickjacking, and stopping content from being loaded from untrusted sources. Common headers include HTTP Strict Transport Security (HSTS), X-Frame-Options, and Content-Security-Policy.

Why Does the "Missing Headers" Notice Appear?

Based on community reports, the notice typically appears for a few key reasons:

  • Cached Notice: The Site Health status caches its results for performance. Even after you correctly add headers, it can take time (sometimes up to a week) for the notice to clear automatically.
  • Hosting Configuration: Some web hosts do not support setting security headers via the .htaccess file. If the server isn't configured to process these directives, the headers will not be active, and the notice will remain.
  • .htaccess Errors: Incorrect syntax in the .htaccess file when adding headers can cause a 500 Internal Server Error, preventing the site from loading until the error is fixed.
  • Manual Configuration Required: The free version of Really Simple SSL focuses on SSL activation and redirection. Adding many security headers is often a manual process or a feature available in the Pro version.

How to Troubleshoot and Fix the Issue

Follow these steps to diagnose and resolve the missing headers notice.

Step 1: Verify Headers Are Actually Working

Your first step should always be to check if the headers are being sent to browsers, regardless of what WordPress says. Use a third-party tool like SecurityHeaders.com to scan your website's URL.

  • If the tool shows your headers as green and present, your headers are working correctly. The Site Health notice is likely cached and will disappear on its own. You can try to force a cache clear by re-saving your Really Simple SSL settings.
  • If the tool shows headers as missing, you need to configure them.
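The same check can be run from a command line. The script below is an added example, not part of the original guide or the plugin's code: it reads raw response headers on stdin and lists which of the headers named in this guide are absent from the final response. The function names, the header list and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which headers named in this guide are absent from a raw
# response-header dump on stdin. Live use (needs network):
#   curl -sIL https://example.com/ | missing_headers

# Header names taken from this guide (assumption: not the plugin's own list).
WANTED="strict-transport-security x-content-type-options x-frame-options content-security-policy"

# Keep only the last header block. With `curl -L` each redirect hop prints its
# own block, and an http:// hop never carries HSTS when env=HTTPS is used.
last_block() {
  tr -d '\r' | awk '
    /^HTTP\// { n = 0 }                 # status line: start a new block
    { buf[n++] = $0 }
    END { for (i = 0; i < n; i++) print buf[i] }'
}

# Print each wanted header missing from the final response, one per line.
missing_headers() (
  # Header names are case-insensitive, so compare in lowercase.
  seen=$(last_block | awk -F: 'NF > 1 { print tolower($1) }')
  for name in $WANTED; do
    printf '%s\n' "$seen" | grep -qxF "$name" || printf '%s\n' "$name"
  done
)

# Constructed sample: http -> https redirect, then a page that sends only the
# three headers from the .htaccess snippet in Step 2.
sample_response() {
  printf 'HTTP/1.1 301 Moved Permanently\r\n'
  printf 'Location: https://example.com/\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Strict-Transport-Security: max-age=31536000\r\n'
  printf 'X-Content-Type-Options: nosniff\r\n'
  printf 'X-XSS-Protection: 1; mode=block\r\n\r\n'
}

sample_response | missing_headers
```

Empty output means every header in the list was present on the final response; any name printed is one the server did not send, whatever the Site Health screen reports.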

Step 2: Add Headers to Your .htaccess File

If your headers are missing, you can add them manually to your .htaccess file. The Really Simple SSL team provides a comprehensive guide with the code needed for each header.

Important: Always back up your .htaccess file before making changes. Add the code in the following format, placing it before the # BEGIN WordPress line:

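# Begin Security Headers
# IfModule: these directives are skipped silently if mod_headers is not loaded
<IfModule mod_headers.c>
  # env=HTTPS: send HSTS only on responses served over HTTPS
  Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
  # Stop browsers from MIME-sniffing a response away from its declared Content-Type
  Header always set X-Content-Type-Options "nosniff"
  # Legacy header; modern browsers ignore it
  Header always set X-XSS-Protection "1; mode=block"
  # Add other headers here
</IfModule>
# End Security Headers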

Step 3: Check for .htaccess Conflicts or Errors

If adding the code causes a 500 Internal Server Error, it indicates a syntax error or a server configuration issue.

  • Double-check your code for typos or missing quotes.
  • Ensure your web host supports the mod_headers Apache module, which is required for these directives to work.
  • If your host does not support .htaccess headers, you may need to contact their support or explore alternative methods, such as setting headers in a redirection plugin or directly in the server configuration (which often requires host assistance).

Step 4: Be Patient with the Cache

Once you have verified via a tool like SecurityHeaders.com that your headers are active, you may still see the notice in WordPress. This is normal. The cache will clear itself, and the notice will disappear, usually within a few days.

When to Seek Further Help

If you have confirmed your headers are working via an external tool but the WordPress notice persists for an extended period, it may be a minor bug. The Really Simple SSL team has indicated that updates to the plugin often include fixes for how these notices are cached and displayed.

If you are trying to configure advanced headers like a full Content Security Policy (CSP) or Permissions-Policy, note that these are typically part of the Pro version's feature set. For issues related to these premium features, you would need to contact the plugin's support team directly.

By following these steps, you can confidently determine if your security headers are truly missing or if you're just seeing a cached notice, ensuring your site remains secure and functional.
