How to prevent content sniffing in WordPress
Content sniffing might sound technical (or just awkward), but ignoring it leaves your WordPress site exposed to avoidable threats. By taking one small step—adding a simple HTTP header—you can block this browser behavior and tighten your security instantly.
Let’s get into it.
What is content sniffing and why it’s a problem
Content sniffing (also called MIME sniffing) is a browser behavior where the browser guesses a file’s content type from its bytes instead of trusting the Content-Type header the server declared. Most modern browsers do this to cope with websites that send incorrect MIME types, but the same behavior can be exploited.
Here’s the risk: An attacker might upload a seemingly harmless file (like a .jpg) that actually contains JavaScript. If the browser sniffs it as a script instead of an image, it could execute malicious code in the user’s browser—triggering cross-site scripting (XSS) attacks or drive-by downloads.
To stop this, HTTP headers can tell the browser: “Don’t try to guess—just trust what I told you.” That’s where the X-Content-Type-Options: nosniff header comes in. It enforces strict MIME type handling, making it a lightweight but powerful security hardening tactic for any WordPress site.
1. Use a plugin to add the nosniff header
If you’re not comfortable editing server files or code, using a plugin is the safest and fastest method.
- In your WordPress dashboard, go to Plugins > Add New
- Search for Security Headers and install the plugin (or another well-rated security header plugin).
- After activation, go to Settings > HTTP Headers.
- Look for a checkbox labeled Disable Content Sniffing (or Enable X-Content-Type-Options).
- Check the box, then scroll down and click Save Changes.
That’s it. The plugin adds the nosniff header for you on every page load. To double-check, open your browser’s DevTools, go to the Network tab, click your homepage, and look under Response Headers.
This method is ideal for beginners or site owners who don’t want to touch configuration files. It’s also a quick win for WordPress multisite networks, where you might want a consistent policy applied across many subsites.
2. Add the nosniff header via .htaccess (for Apache servers)
If your WordPress site runs on an Apache server, you can add the header manually through the .htaccess file. This gives you more control and doesn’t rely on a plugin.
- Use an FTP client like FileZilla or log in to your hosting control panel’s file manager.
- Navigate to the root folder of your WordPress site. This is usually called public_html or might be a folder with your site’s name.
- Look for a file called .htaccess. If it’s hidden, make sure your FTP client or file manager is set to show hidden files.
- Open .htaccess in a plain-text editor (like Notepad++ or the code editor in cPanel).
- Scroll to the bottom and add the following lines:
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
- Save the file and re-upload it if needed. Use straight double quotes around nosniff; curly quotes pasted from a word processor will cause a configuration error.
Make sure your server has the mod_headers module enabled. Most hosting environments do, but if you get a server error after saving the file, remove the code and contact your host for help.
You can now test your site using browser tools or SecurityHeaders.com to confirm the nosniff header is being sent.
3. Add the nosniff header via Nginx
If your server runs Nginx instead of Apache, you’ll need to configure the header directly in your Nginx server block.
- SSH into your server using a terminal app like PuTTY (for Windows) or Terminal (for macOS/Linux).
- Open the Nginx configuration file. It’s usually located at /etc/nginx/nginx.conf or in a site-specific file inside /etc/nginx/sites-available/.
- Inside the appropriate server block, add this line:
add_header X-Content-Type-Options "nosniff";
- Example:
server {
    listen 80;
    server_name example.com;
    add_header X-Content-Type-Options "nosniff";
    root /var/www/html;
    index index.php index.html;
}
- Save the file and reload Nginx to apply changes:
sudo systemctl reload nginx
- Visit your website and check for the header using browser DevTools or run:
curl -I https://yourdomain.com
You should see:
X-Content-Type-Options: nosniff
This method gives you server-wide control over headers, making it a great fit for developers and anyone managing multiple WordPress installs on the same server.
4. Use a PHP function (advanced method)
If you want to inject the header directly from within WordPress, you can use the send_headers action. This is not recommended as your primary solution because some caching layers and CDNs might strip or override it, but it’s still worth knowing.
- In your WordPress admin, go to Appearance > Theme File Editor.
- Open your functions.php file (or use a custom plugin if you prefer).
- Add this code at the end:
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
} );
- Click Update File.
This will add the header on every page load, as long as nothing else removes or overrides it. Test using browser tools or curl to confirm it’s active.
Note: If you’re using aggressive caching, object cache, or a CDN, this method may not consistently apply the header. Use server-level or plugin-level options if you need reliability.
How to verify the header is working
Whether you used a plugin, .htaccess, Nginx, or PHP, you should always confirm that the header is being sent correctly.
Here’s how:
- Open your site in Chrome.
- Right-click and select Inspect, then go to the Network tab.
- Reload your page.
- Click on the first file that loads (usually your homepage).
- Look under Response Headers and check for:
X-Content-Type-Options: nosniff
Alternatively, use:
curl -I https://yourdomain.com
Or visit SecurityHeaders.com, enter your URL, and look for a green checkmark next to the nosniff header.
Combine with other secure headers for better protection
X-Content-Type-Options is just one of many HTTP headers that help secure a WordPress site. For a more robust defense, consider enabling these as well:
- X-Frame-Options: SAMEORIGIN – blocks clickjacking.
- Strict-Transport-Security: max-age=31536000; includeSubDomains; preload – enforces HTTPS.
- Content-Security-Policy – controls where scripts and content can load from.
- Referrer-Policy: no-referrer-when-downgrade – controls referrer data in requests.
Many of these can be enabled through the same Security Headers plugin or by extending your server configuration.
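As an added example (not part of the original guide, and not code from any plugin mentioned here), the following Python script parses the raw output of curl -I and reports, for nosniff and each of the other headers listed above, whether it is present, missing, weak, or sent twice. A duplicate is worth flagging because a plugin and a server-level rule can both add the header with different values. The embedded sample response is constructed; the live mode assumes curl is installed. Check several page types (home, a post, a static asset), not only the homepage: with Nginx, add_header directives inside a location block replace those inherited from the server block, and caches or CDNs can add or strip headers per path.

```python
"""Audit security headers in a raw HTTP response (added example, not from the guide)."""
from __future__ import annotations

# Headers this guide recommends and the check applied to each value (lower-cased).
# The checks are this example's own choices, matching the guide's recommendations.
EXPECTED = {
    "x-content-type-options": lambda v: v == "nosniff",
    "x-frame-options": lambda v: v in ("deny", "sameorigin"),
    "strict-transport-security": lambda v: "max-age=" in v,
    "content-security-policy": lambda v: len(v) > 0,
    "referrer-policy": lambda v: len(v) > 0,
}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse `curl -I` output (status line plus header lines) into a dict keyed by
    lower-cased header name. Repeated headers keep every value."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> dict[str, str]:
    """Return a verdict per recommended header: 'ok', 'missing', 'weak' or 'duplicate'."""
    headers = parse_headers(raw)
    verdicts: dict[str, str] = {}
    for name, check in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            verdicts[name] = "missing"
        elif len(values) > 1:
            verdicts[name] = "duplicate"
        elif check(values[0].lower()):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "weak"
    return verdicts


# Constructed sample: what `curl -I` might print for a site that has set nosniff,
# X-Frame-Options and HSTS but not yet CSP or Referrer-Policy.
SAMPLE_RESPONSE = """HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""

if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1:
        # Live check, e.g.: python audit_headers.py https://yourdomain.com
        raw = subprocess.run(
            ["curl", "-sI", sys.argv[1]], capture_output=True, text=True, check=True
        ).stdout
    else:
        raw = SAMPLE_RESPONSE
    for header, verdict in audit(raw).items():
        print(f"{header:28} {verdict}")
```

Run without arguments to see the verdicts for the constructed sample (nosniff, X-Frame-Options and HSTS report ok; CSP and Referrer-Policy report missing); pass a URL to audit a live site.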
Bonus: Restrict unsafe MIME types in uploads
To take MIME security even further, limit which file types can be uploaded to your site. WordPress uses the upload_mimes filter to control this.
Here’s how to allow only safe types like images and PDFs:
function restrict_upload_mimes( $mimes ) {
    return [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
        'pdf'  => 'application/pdf',
    ];
}
add_filter( 'upload_mimes', 'restrict_upload_mimes' );
You can also block PHP execution inside /wp-content/uploads/ by adding this to an .htaccess file in that directory:
<FilesMatch "\.php$">
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
    Deny from all
</FilesMatch>
This prevents attackers from running scripts even if they somehow manage to upload them.
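An extension allow-list decides which names are accepted, but it does not look at what is inside the file. As an added example (not part of the original guide and not WordPress code), the following Python validator mirrors the allow-list above and additionally checks the file’s leading bytes (its file signature) against the type the extension claims, which is the same idea WordPress applies to images with its own file-type checks. The sample inputs are constructed; the function names are this example’s own.

```python
"""Validate an upload by content, not only by extension (added example, not from the guide)."""
from __future__ import annotations

from pathlib import PurePosixPath

# Mirrors the allow-list from the upload_mimes snippet above.
ALLOWED_MIMES = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "pdf": "application/pdf",
}

# File signatures (magic bytes) for each allowed MIME type.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
}


def sniff_mime(data: bytes) -> str | None:
    """Return the allowed MIME type whose signature the data starts with, else None."""
    for mime, prefixes in SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return mime
    return None


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept the upload only if the last extension is allow-listed AND the content
    carries the signature of exactly that type. Returns (accepted, reason_or_mime)."""
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    declared = ALLOWED_MIMES.get(ext)
    if declared is None:
        return False, f"extension '.{ext}' is not on the allow-list"
    actual = sniff_mime(data)
    if actual is None:
        return False, "content matches no allowed file signature"
    if actual != declared:
        return False, f"content is {actual} but extension claims {declared}"
    return True, declared


# Constructed sample uploads: a real PNG header, a text file renamed to .jpg,
# a PDF with a GIF extension, and a type that is simply not allowed.
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
    ("photo.jpg", b"just some text, not an image"),
    ("pic.gif", b"%PDF-1.7\n"),
    ("archive.zip", b"PK\x03\x04"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        ok, info = validate_upload(name, data)
        print(f"{name:14} {'ACCEPT' if ok else 'REJECT'}  {info}")
```

Use both layers together: the allow-list stops unwanted extensions, the signature check stops mislabeled content, and the .htaccess rule in the uploads directory is the backstop if something still gets through.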
Next steps for preventing content sniffing in WordPress
Content sniffing might seem like a niche problem, but it opens the door to real security threats. Blocking it is fast, easy, and completely free—making it one of the best low-effort, high-impact actions you can take to harden your site.
Start with the method that matches your skill level and server type. Then test your site to confirm it’s working, and consider combining nosniff with other security headers for layered protection.
Ready to upgrade your WordPress experience? Professional hosting improves speeds, security, and reliability for a website and a brand that people find engaging and trustworthy.
Don’t want to deal with server management and maintenance? Our fully managed hosting for WordPress is the best in the industry. Our team are not only server IT experts, but WordPress hosting experts as well. Your server couldn’t be in better hands.
Click through below to explore all of our hosting for WordPress options, or chat with a WordPress expert right now to get answers and advice.
Additional resources
- Comprehensive guide to securing WordPress with ModSecurity → This guide provides a comprehensive overview of how to use ModSecurity to enhance the security of your WordPress site.
- WordPress vulnerability scanners → Learn how a WordPress vulnerability scanner protects your site by detecting and addressing security risks early.
- Why security matters for WordPress enterprise hosting → Use the blog as your guide to attacks to watch out for, security best practices, and steps to improve the WordPress protection you already have.