How to fix Subdomain Doesn't Support HSTS SEMrush audit

Fix 2 Subdomain Doesn’t Support HSTS on WordPress

Table of Contents

How to fix Subdomain Doesn’t Support HSTS:  If you’ve been on the hunt to boost your website’s security, you’ve likely come across HSTS – HTTP Strict Transport Security. This web security policy tool protects your site against protocol downgrade attacks and cookie hijacking. However, implementing HSTS on WordPress sites can sometimes be a tricky business. If your website domain doesn’t support HSTS, fear not! We have two effective methods to help you fix this:

What is HSTS?

Before we dive in, it’s essential to understand HSTS. HTTP Strict Transport Security (HSTS) is a web security policy that ensures web browsers interact with websites only through secure HTTPS connections, offering an additional layer of protection against downgrade attacks.

How to fix “Subdomain Doesn’t Support HSTS” using WordPress Plugins

  1. Introduction to Security Headers: The Security Headers plugin offers an easy solution for WordPress users to set the necessary HSTS headers without diving into the nitty-gritty of server configurations.
  2. Installation:
    • Navigate to your WordPress dashboard.
    • Go to ‘Plugins’ > ‘Add New’.
    • Search for ‘Security Headers’.
    • Click ‘Install’ and then ‘Activate’ for the “Security Headers” plugin.
  3. Configuration:
    • Once activated, navigate to the plugin settings.
    • Ensure that you configure it to send the HSTS header. The intuitive interface will guide you through the process.
  4. Testing: After setting up, it’s a good practice to test if your subdomain now sends the HSTS header. Tools like SecurityHeaders can assist you in checking.

Fix Subdomain Doesn't Support HSTS by Editing .htaccess file

Understanding .htaccess: The .htaccess file is a server configuration file used by sites running on Apache servers. It can control and manage the behavior of your site, and, importantly for our purpose, can be utilized to implement HSTS on subdomains.

Steps to Implement:

  1.  Log in to your website’s file manager or use an FTP client.
  2. Navigate to the root directory of your website and locate the .htaccess file.
  3.  Take a backup before making any edits (very crucial).
  4.  Open the file for editing and add the following lines below.
  5. Save and close the file.
					<If "%{REQUEST_SCHEME} == 'https' || %{HTTP:X-Forwarded-Proto} == 'https'">
    Header set Strict-Transport-Security "max-age=31536000"


  • Provides more control over the server settings.
  • Doesn’t rely on plugins, hence less bloat.

Still Facing Issues? We’re Here to Help!

We understand that web security can be daunting, especially when dealing with protocols and server settings. If you’ve tried both methods and still face problems, don’t hesitate to contact obzsar for specialized assistance.

Remember, security is paramount in today’s digital age. Ensuring that your WordPress site, including its subdomains, supports HSTS is a great step in the right direction. Choose the method that’s most comfortable for you and give your website the security boost it deserves.

FAQ on Subdomain Doesn't Support HSTS

HSTS stands for HTTP Strict Transport Security. It’s a web security policy mechanism that ensures web browsers interact only using secure HTTPS connections, never the insecure HTTP protocol. This protects websites against protocol downgrade attacks and cookie hijacking.

HSTS ensures that user data remains encrypted and prevents man-in-the-middle attacks. By implementing HSTS on your subdomain, you’re ensuring a safer browsing experience for your visitors.

Yes, the Security Headers plugin is designed specifically to assist with the setup of security headers, including HSTS, making it easier for WordPress users.

For those unfamiliar with server files or who prefer a straightforward solution, using the Security Headers WordPress plugin (Method One) is recommended. It offers a user-friendly interface to set up HSTS without dealing with server configurations directly.

Always make a backup of your .htaccess file before making any changes. If you encounter any issues, you can revert to the original file. If you’re unsure about the process, seek professional help or opt for the plugin method.

You can use online tools like SecurityHeaders to check if your subdomain is sending the HSTS header correctly

The max-age directive specifies the duration (in seconds) that the browser should remember that the domain is only accessible over HTTPS. 31536000 seconds equates to one year. The includeSubDomains directive ensures that the rule applies to all subdomains as well.

While it’s technically possible, it’s not recommended. Using both methods may lead to conflicts or duplicate headers. Choose one method based on your comfort level and preference.

Ensure all your resources (images, scripts, styles) are loaded over HTTPS. If any are loaded over HTTP, they might be blocked, causing parts of your site to not load or display correctly.

Obzsar is a leading digital marketing agency that specializes in providing top-notch solutions in web designSEOcontent writinggraphic design, and PPC marketing. Our company is committed to delivering exceptional digital marketing services to clients across different industries.

We can assist with HSTS implementation and related challenges. With our team of highly skilled and experienced professionals, we strive to help businesses achieve their online marketing goals and objectives. Our approach to digital marketing is centered around the needs of our clients, and we work collaboratively to develop customized solutions that meet their specific requirements.

4 thoughts on “Fix 2 Subdomain Doesn’t Support HSTS on WordPress”

  1. Support Blood Sugar

    I loved you more than words can explain. Your image is lovely and your writing is eloquent, yet you read it quickly. I think you should try again soon. If you make this travel safe, I’ll probably do it again.

  2. You could never find the words to describe how much I loved you. No matter how beautiful the picture is or how polished your writing is, you read it quickly. To be honest, I think you should give it another chance soon. I will probably try to go on this hike again and again if you make sure it is safe.

  3. Gayle King Keto Supplement

    I do not even know how I ended up here but I thought this post was great I do not know who you are but certainly youre going to a famous blogger if you are not already Cheers

  4. I was recommended this website by my cousin. I am not sure whether this post is written by him as nobody else know such detailed about my trouble. You are amazing! Thanks!

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top