Table of contents

What is content sniffing and why it’s a problem 1. Use a plugin to add the nosniff header 2. Add the nosniff header via .htaccess (for Apache servers) 3. Add the nosniff header via Nginx Use a PHP function (advanced method) How to verify the header is working Combine with other secure headers for better protection Bonus: Restrict unsafe MIME types in uploads Getting started Additional resources

Get the industry’s fastest hosting for WordPress ◦ 99.999% uptime
◦ Comprehensive security
◦ 24/7 support

WordPress Guide → Security → Prevent Content Sniffing

How to prevent content sniffing in WordPress

Content sniffing might sound technical (or just awkward), but ignoring it leaves your WordPress site exposed to avoidable threats. By taking one small step—adding a simple HTTP header—you can block this browser behavior and tighten your security instantly.

Let’s get into it.

What is content sniffing and why it’s a problem

Content sniffing is a browser behavior where the browser tries to guess a file’s content type based on its contents rather than trusting the server’s declared MIME type.

Most modern browsers try to “sniff” the content type of a file based on its content rather than trusting the server’s declared Content-Type. This behavior is meant to help when websites send incorrect MIME types, but it can also be exploited.

Here’s the risk: An attacker might upload a seemingly harmless file (like a .jpg) that actually contains JavaScript. If the browser sniffs it as a script instead of an image, it could execute malicious code in the user’s browser—triggering cross-site scripting (XSS) attacks or drive-by downloads.

To stop this, HTTP headers can tell the browser: “Don’t try to guess—just trust what I told you.” That’s where the X-Content-Type-Options: nosniff header comes in. It enforces strict MIME type handling, making it a lightweight but powerful security hardening tactic for any WordPress site.

1. Use a plugin to add the nosniff header

If you’re not comfortable editing server files or code, using a plugin is the safest and fastest method.

In your WordPress dashboard, go to Plugins > Add New
Search for Security Headers and install the plugin (or another well-rated security header plugin).
After activation, go to Settings > HTTP Headers.
Look for a checkbox labeled Disable Content Sniffing (or Enable X-Content-Type-Options).
Check the box, then scroll down and click Save Changes.

That’s it. The plugin adds the nosniff header for you on every page load. To double-check, open your browser’s DevTools, go to the Network tab, click your homepage, and look under Response Headers.

This method is ideal for beginners or site owners who don’t want to touch configuration files. It’s also a quick win for WordPress multisite networks, where you might want a consistent policy applied across many subsites.

2. Add the nosniff header via .htaccess (for Apache servers)

If your WordPress site runs on an Apache server, you can add the header manually through the .htaccess file. This gives you more control and doesn’t rely on a plugin.

Use an FTP client like FileZilla or log in to your hosting control panel’s file manager.
Navigate to the root folder of your WordPress site. This is usually called public_html or might be a folder with your site’s name.
Look for a file called .htaccess. If it’s hidden, make sure your FTP client or file manager is set to show hidden files.
Open .htaccess in a plain-text editor (like Notepad++ or the code editor in cPanel).
Scroll to the bottom and add the following lines:
<IfModule mod_headers.c>
Header always set X-Content-Type-Options “nosniff”
</IfModule>
Save the file and re-upload it if needed.

Make sure your server has the mod_headers module enabled. Most hosting environments do, but if you get a server error after saving the file, remove the code and contact your host for help.

You can now test your site using browser tools or SecurityHeaders.com to confirm the nosniff header is being sent.

3. Add the nosniff header via Nginx

If your server runs Nginx instead of Apache, you’ll need to configure the header directly in your Nginx server block.

SSH into your server using a terminal app like PuTTY (for Windows) or Terminal (for macOS/Linux).
Open the Nginx configuration file. It’s usually located at /etc/nginx/nginx.conf or in a site-specific file inside /etc/nginx/sites-available/.
Inside the appropriate server block, add this line:

Inside the appropriate server block, add this line:  add_header X-Content-Type-Options "nosniff";

Example

server {   listen 80;   server_name example.com;   add_header X-Content-Type-Options "nosniff";   root /var/www/html;   index index.php index.html; }

Save the file and reload Nginx to apply changes:

sudo systemctl reload nginx

Visit your website and check for the header using browser DevTools or run:

curl -I https://yourdomain.com

You should see:

X-Content-Type-Options: nosniff

This method gives you server-wide control over headers, making it a great fit for developers and anyone managing multiple WordPress installs on the same server.

Use a PHP function (advanced method)

If you want to inject the header directly from within WordPress, you can use the send_headers action. This is not recommended as your primary solution because some caching layers and CDNs might strip or override it, but it’s still worth knowing.

In your WordPress admin, go to Appearance > Theme File Editor.
Open your functions.php file (or use a custom plugin if you prefer).
Add this code at the end:

add_action( 'send_headers', function() {     header( 'X-Content-Type-Options: nosniff' ); });

Click Update File.

This will add the header on every page load, as long as nothing else removes or overrides it. Test using browser tools or curl to confirm it’s active.

Note: If you’re using aggressive caching, object cache, or a CDN, this method may not consistently apply the header. Use server-level or plugin-level options if you need reliability.

How to verify the header is working

Whether you used a plugin, .htaccess, Nginx, or PHP, you should always confirm that the header is being sent correctly.

Here’s how:

Open your site in Chrome.
Right-click and select Inspect, then go to the Network tab.
Reload your page.
Click on the first file that loads (usually your homepage).
Look under Response Headers and check for:
X-Content-Type-Options: nosniff

Alternatively, use:

curl -I https://yourdomain.com

Or visit SecurityHeaders.com, enter your URL, and look for a green checkmark next to the nosniff header.

Combine with other secure headers for better protection

X-Content-Type-Options is just one of many HTTP headers that help secure a WordPress site. For a more robust defense, consider enabling these as well:

X-Frame-Options: SAMEORIGIN – blocks clickjacking.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload – enforces HTTPS.
Content-Security-Policy – controls where scripts and content can load from.
Referrer-Policy: no-referrer-when-downgrade – controls referrer data in requests.

Many of these can be enabled through the same Security Headers plugin or by extending your server configuration.

Bonus: Restrict unsafe MIME types in uploads

To take MIME security even further, limit which file types can be uploaded to your site. WordPress uses the upload_mimes filter to control this.

Here’s how to allow only safe types like images and PDFs:

function restrict_upload_mimes( $mimes ) {     return [         'jpg'  => 'image/jpeg',         'jpeg' => 'image/jpeg',         'png'  => 'image/png',         'gif'  => 'image/gif',         'pdf'  => 'application/pdf',     ]; } add_filter( 'upload_mimes', 'restrict_upload_mimes' );

You can also block PHP execution inside /wp-content/uploads/ by adding this to an .htaccess file in that directory:

<FilesMatch "\.php$">   Deny from all </FilesMatch>

This prevents attackers from running scripts even if they somehow manage to upload them.

Next steps for preventing content sniffing in WordPress

Content sniffing might seem like a niche problem, but it opens the door to real security threats. Blocking it is fast, easy, and completely free—making it one of the best low-effort, high-impact actions you can take to harden your site.

Start with the method that matches your skill level and server type. Then test your site to confirm it’s working, and consider combining nosniff with other security headers for layered protection.

Ready to upgrade your WordPress experience? Professional hosting improves speeds, security, and reliability for a website and a brand that people find engaging and trustworthy.

Don’t want to deal with server management and maintenance? Our fully managed hosting for WordPress is the best in the industry. Our team are not only server IT experts, but WordPress hosting experts as well. Your server couldn’t be in better hands.

Click through below to explore all of our hosting for WordPress options, or chat with a WordPress expert right now to get answers and advice.