By using strict-transport-security, you can force all current web browsers such as Google Chrome, Firefox and Safari to only communicate with a website via HTTPS. So if an attacker tried to open a WordPress website over HTTP, the web browser would not load the page.