Enabling Clickjacking Protection (X-Frame-Options) in WordPress

Jeff Matson
  • Updated

Embedding a website inside another is one way that attackers may try to steal information. To avoid having your website embedded into another, modern web browsers are equipped to read an X-Frame-Options header to determine if the embed is allowed.

By default, WordPress enables this header on admin and login pages, but leaves everywhere else up to you. Since the default WordPress behavior doesn’t cover the front-end of your site, things such as forms or login pages that are outside of your WordPress admin still need to be protected.

In this article, we’ll show you how to help protect the front end of your WordPress site from clickjacking attacks by using the X-Frame-Options header.

Enabling Clickjacking Protection (X-Frame-Options) with the Security Headers Plugin

  1. Begin by logging into your WordPress admin.
  2. Next, install and activate the Security Headers plugin.

    install-security-headers-plugin.png

  3. Now that the plugin has been installed, access the plugin’s option by hovering over Settings, then clicking on HTTP Headers on the left side menu.

    settings-http-headers-menu.png

  4. To enable the X-Frame-Options header, enable the checkbox labeled Restrict Framing of Main Site.

    restrict-framing-main-site-headers.png

  5. Finally, save your settings by scrolling down to the bottom of the page and clicking on Save Changes.

    save-content-sniffing-settings.png