How do I fix x content type options weak on WordPress.org?

Install the 'HTTP Headers' plugin or 'Solid Security' (formerly iThemes Security) from WordPress Admin → Plugins → Add New. Solid Security path: WordPress Admin → Security → Settings → Security Check → or search 'Security Headers' within the plugin — enable `X-Content-Type-Options: nosniff`. If your host (e.g. WP Engine, Kinsta, SiteGround) already injects this header at the server level, do NOT also add it via plugin — check your host's dashboard or contact support to confirm. Verify with DevTools or securityheaders.com.

How to fix x content type options weak on WordPress.org

Set the X-Content-Type-Options response header to exactly `nosniff` (once, not duplicated) on every page and asset your store serves.

Steps for WordPress.org

Install the 'HTTP Headers' plugin or 'Solid Security' (formerly iThemes Security) from WordPress Admin → Plugins → Add New.
Solid Security path: WordPress Admin → Security → Settings → Security Check → or search 'Security Headers' within the plugin — enable `X-Content-Type-Options: nosniff`.
If your host (e.g. WP Engine, Kinsta, SiteGround) already injects this header at the server level, do NOT also add it via plugin — check your host's dashboard or contact support to confirm.
Verify with DevTools or securityheaders.com.

Official WordPress.org documentation ↗

X-Content-Type-Options: nosniff

What is x content type options weak?

The `X-Content-Type-Options` HTTP response header is a one-line security instruction your web server sends to every visitor's browser. When set to `nosniff`, it tells the browser to trust the declared file type (e.g. "this is CSS" or "this is an image") and never try to guess or override it. A misconfigured header — such as sending the value twice (`nosniff, nosniff`), sending an empty value, or omitting it entirely — means the browser may ignore the instruction. This is classified as a Security Misconfiguration under OWASP A05:2021.

Without a valid `nosniff` directive, a browser may "MIME-sniff" a response — meaning it inspects the actual content of a file to decide what type it really is, overriding what your server declared. Attackers can exploit this to disguise a malicious script as an innocent image or text file; if a browser sniffs it and runs it as JavaScript, your customers can be exposed to cross-site scripting (XSS) attacks that steal payment data, session tokens, or account credentials. Beyond the direct security risk, this misconfiguration is flagged by security scanners and PCI-DSS auditors, and a duplicate or malformed header value (like `nosniff, nosniff`) signals misconfigured infrastructure that may undermine trust with both auditors and customers.

See the complete X content type options weak guide for every platform and the full background.

Not sure if your WordPress.org store has this?

Run a free SEOLZ audit — we’ll find x content type options weak and every other issue across your whole site.

Scan my site free

How to fix x content type options weak on WordPress.org

Steps for WordPress.org

What is x content type options weak?

Not sure if your WordPress.org store has this?

Fix x content type options weak on another platform