CSP for WordPress

Drop in our MU-plugin and ship a policy generated from your real WordPress site.

WordPress plugins, themes, and Gutenberg blocks all inject scripts at runtime — and most of them change on their own schedule. Consepo scans the rendered output, generates a policy, and exports a drop-in MU-plugin that ships the headers for you.

WordPress is one of the hardest places to maintain a CSP by hand: every theme update, every new plugin, every block embed can shift what loads. Consepo's WordPress export is built for that — an editable Must-Use plugin with per-directive arrays, generated from a real browser crawl of your live site.

  • Real-browser scans capture what plugins, blocks, and themes actually load.
  • Drop the generated MU-plugin into wp-content/mu-plugins/ — headers ship instantly.
  • Re-scan after plugin updates to catch new origins before they break enforcement.

Need the standard behind the workflow? Read the W3C CSP Level 3 specification.

Consepo Workflow

WordPress deployment

  1. Browser-rendered crawl of pages, posts, and archives
  2. Editable MU-plugin with per-directive arrays
  3. Compatible with WP Engine, Pressable, and self-hosted stacks
  4. Re-scan loop tied to plugin and theme updates

Stop fighting the plugin grab-bag

Most WordPress sites run dozens of plugins, each with its own script footprint. The crawl inventories what runs today, so the policy isn't out of date the moment you deploy it.

Ship headers without server access

The MU-plugin sets headers from PHP, which works on hosts where you can't touch nginx or Apache config — including managed WordPress platforms.

Catch theme and plugin drift

Updates change the script mix. Consepo's monitoring and re-scan workflow flags new origins so the policy keeps up with WordPress's release cadence, not the other way around.

Workflow

How this fits the Consepo rollout

Step 1

Scan the live WordPress site

A rendered crawl visits posts, pages, archives, and any custom post types you point it at, recording the scripts and styles each one loads.

Step 2

Export the MU-plugin

Download a ready-to-edit Must-Use plugin with directive arrays you can extend, and drop it into wp-content/mu-plugins/.

Step 3

Iterate after updates

After plugin or theme updates, re-scan and let monitoring surface new origins before they cause violations in production.
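
A sketch of the kind of Must-Use plugin Step 2 describes, added here as an illustration; it is not Consepo's generated export. The function names and origins are constructed placeholders, and it assumes the standard WordPress `send_headers` action, which fires on front-end requests.

```php
<?php
/**
 * Plugin Name: CSP Headers (illustrative example, not a generated export)
 * Description: Sends a CSP header built from per-directive arrays.
 */

defined( 'ABSPATH' ) || exit; // Refuse direct access outside WordPress.

// Per-directive arrays. The origins are constructed samples; replace them
// with the sources recorded for your own site.
function example_csp_directives() {
	return array(
		'default-src' => array( "'self'" ),
		'script-src'  => array( "'self'", 'https://cdn.example.com' ),
		'style-src'   => array( "'self'", 'https://fonts.example.com' ),
		'font-src'    => array( "'self'", 'https://fonts.example.com' ),
		'img-src'     => array( "'self'", 'data:' ),
		'base-uri'    => array( "'self'" ),
		'object-src'  => array( "'none'" ),
	);
}

// Serialize the arrays into one header value.
function example_csp_build( array $directives ) {
	$parts = array();
	foreach ( $directives as $name => $sources ) {
		$clean = array();
		foreach ( array_unique( $sources ) as $source ) {
			// Reject entries containing whitespace, ';' or ',': they would
			// start a new directive, a second policy, or a new header line.
			if ( is_string( $source ) && '' !== $source && ! preg_match( '/[;,\s]/', $source ) ) {
				$clean[] = $source;
			}
		}
		if ( $clean ) {
			$parts[] = $name . ' ' . implode( ' ', $clean );
		}
	}
	return implode( '; ', $parts );
}

add_action( 'send_headers', function () {
	if ( headers_sent() ) {
		return; // Output already started; header() would only raise a warning.
	}
	$report_only = true; // Set to false once re-scans stop surfacing new origins.
	$header      = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
	header( $header . ': ' . example_csp_build( example_csp_directives() ) );
} );
```

Saved as a single PHP file in wp-content/mu-plugins/, this loads on every request without activation. Running in report-only mode first lets a re-scan after plugin or theme updates surface new origins before enforcement blocks them.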

Deliverables

What teams get out of it

  • A drop-in MU-plugin generated from your live site
  • Per-directive arrays you can extend in PHP
  • A workflow built around WordPress's update cadence

Next step

Scan the site, review the evidence, and move toward an enforceable CSP.

Consepo is built to help teams go from first crawl to stable policy rollout without guessing which sources belong in the final header.