Grade C

HTTP Headers

Name: HTTP Headers
Rating: 4.3 (70 reviews)
Author: Dimitar Ivanov

⤓ Download v1.19.5 on WordPress.org ↗

by Dimitar Ivanovupdated 2026-04-27🎲The Mixed Bag

Great for security audits but terrifying for your uptime.

Declining

66/100

Powerful security controls are available but the risk of fatal errors is high.

Loved19/40

Trustworthy13/15

Fair & Honest14/15

Maintained18/18

Momentum2/12

Active installs

~55,000

our estimate · wp.org shows 50k+

Rating

4.3★

70 ratings

Trend · vs a year ago

-26%

Declining fast

179 → 133 installs/day

What to watch out for

MINORreviews unevenly distributed over time
MINORdownloads down 26% vs a year ago

Downloads over time

real new installs per day · release spikes shown separately from the trend

2025-04-302025-08-082025-11-162026-02-232026-06-03

organicrelease spikerelease tailorganic trend · 14d rolling median

Declining fast · -26% in the last year

179/day a year ago→133/day today

Reviews

what people actually say

HTTP Headers is a well-regarded but technically demanding security-header plugin for WordPress, appreciated for its breadth of settings, though it is undermined by recurring site-crashing bugs, PHP 8.1 incompatibility, and a steep learning curve that makes it risky for non-expert users.

What people like

+Comprehensive set of HTTP security header options with inline documentation and links to external references×5
+Effective at helping sites achieve security compliance and better scores on tools like securityheaders.com×3
+Works reliably across custom themes, various plugins, and page builders when kept updated×2
+Easier than adding security headers manually×2
+Respects existing .htaccess content

Common complaints

−Saving settings causes a critical/fatal error or crashes the site outright, with no developer response to affected users×5
−Broken or incompatible with PHP 8.1 and recent WordPress releases×2
−Incompatible with Elementor — page editing breaks when the plugin is active
−NGINX users get no automatic header injection; directives must be manually copied into server config, which is not clearly documented
−Requires significant security expertise to configure safely; not suitable for beginners×3
−Poor UI navigation — no save button at the top of long settings screens, and text input fields for URLs are too small to manage comfortably×2
−Some settings (e.g. x-content-type-options) cannot be reset or undone once enabled, potentially causing persistent site errors
−No temporary disable feature, making it easy to lock yourself out when installing other plugins
−Plugin and help documentation are English-only, adding difficulty for non-English users

Review trustMostly organic

4.31★Verified rating — holds steady vs the raw 4.30★
4%One-shot reviewers — most reviewers are active community members
past spikeReview timing — up to 30% of all reviews landed in a single month

Reviews per month · 5★ vs lower

2023-08-192025-01-102026-06-04

5★ reviews1–4★ reviews

All-time ratings · 70 total

5★

4★

3★

2★

1★

Latest reviews · 70 analyzed

2025-08-31★★★★★Make Main and sub-domain site down ysc711
2025-04-29★★★★★worked exactly as promised except 2 fairshareitservices
2025-03-30★★★★★Easy to use and almost perfect sunb1
2024-09-23★★★★★Not compatible with Elementor RipRapRob
2024-05-11★★★★★effective plugin – save the x-content-type swampscrapper
2024-04-30★★★★★an exceptional plugin – needs updating Jonathan Jewell
2024-04-18★★★★★It works perfectly robertorefresh
2024-03-31★★★★★Marvelous Tool for various Security Header settings j0s6h
2023-09-16★★★★★Great addition to securing a site KrackMedia
2023-07-27★★★★★Nice!developersuha

Releases

recent versions from WordPress.org SVN

2026-04-27v1.19.5
2026-04-25v1.19.3
2026-04-25v1.19.4
2024-12-22v1.19.2
2024-08-08v1.19.1
2023-07-07v1.19.0
2023-06-11v1.18.11
2023-05-28v1.18.10

For developers & the curious

the raw signals behind the grade — none of this is on the friendly summary above

Download signals

Baselines are computed on organic days only — release spikes and their tails are excluded, so they're not inflated by the auto-update wave.

391

Baseline · median of last 7 organic days

232

Prior 7-day baseline

261

Floor · 25th percentile over 14 days

898

Mean release-day peak (30d)

414

Latest day · 2026-06-03(organic)

+68.5%

Week-over-week organic trend

Review signals

Concentration and drive-by metrics drive the review-burst and fake-review flags. 30–40% solo reviewers is normal; we only flag the extremes.

30%

Max month share · biggest single 30-day window

2.14

Distribution CV · <0.6 even, >1.5 bursty

73%

5★ share in analyzed sample

Solo reviewers · only this one wp.org activity

—

Volume velocity · last 6mo vs prior 6mo

4.31 → 4.31★

Sample avg · raw → solo-filtered