Preventing Clickjacking on WordPress Sites

WordPress already sends the `X-Frame-Options: SAMEORIGIN` header (via its own `send_frame_options_header()` callback) for wp-login.php and the admin panels in order to prevent clickjacking, but it doesn't send it on the front end, because that could interfere with remote services that legitimately frame parts of a site.

That's only relevant for a small number of pages, though, so I've added a snippet to my functionality plugin skeleton to send the header for all pages except those that are specifically excluded.

Note that if you're using static page caching, the `wp_headers` filter won't be called for cache hits: the cached HTML is served before WordPress loads, so no PHP hook runs and the header is silently missing. In that case, it's better to set it at the web server layer (nginx's `add_header` or Apache's `Header` directive), where it is applied regardless of whether the response came from the cache.
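Since the post describes the snippet but doesn't show it, here is an added example of the approach, written for this page and not the author's functionality-plugin code. It hooks the `wp_headers` filter, sends `X-Frame-Options: SAMEORIGIN` on front-end responses, and skips an exclusion list plus WordPress's own oEmbed endpoint (which is designed to be framed cross-origin). The function names, the `example_framable_paths` filter and the two excluded paths are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Example Frame Options
 * Description: Send X-Frame-Options on the front end, with an exclusion list.
 *
 * Added example for this post; not the author's snippet. Function names,
 * the 'example_framable_paths' filter and the sample paths are assumptions.
 */

/**
 * Front-end paths (site-root relative) that third parties may legitimately
 * frame, e.g. an embeddable widget. Other code can extend the list through
 * the hypothetical 'example_framable_paths' filter.
 */
function example_framable_paths() {
	// Constructed sample exclusions; replace with your own.
	$paths = array( '/embed-widget/', '/status-badge/' );
	return apply_filters( 'example_framable_paths', $paths );
}

/**
 * Decide whether the request for $request_uri may be framed.
 * Matches on the path only, so a query string cannot be used to dodge the check.
 *
 * @param string  $request_uri Raw request URI (path plus optional query).
 * @param WP|null $wp          The WP object handed to the wp_headers filter.
 */
function example_request_is_framable( $request_uri, $wp = null ) {
	// WordPress's oEmbed responses (/post-name/embed/) set the 'embed' query
	// var. $wp->query_vars is already parsed when wp_headers runs, whereas
	// conditional tags such as is_embed() are not yet reliable at that point.
	if ( $wp && ! empty( $wp->query_vars['embed'] ) ) {
		return true;
	}

	$path = wp_parse_url( $request_uri, PHP_URL_PATH );
	$path = trailingslashit( $path ? $path : '/' );

	// Prefix match with trailing slashes on both sides, so '/embed-widget/'
	// does not accidentally match '/embed-widgets/'.
	foreach ( example_framable_paths() as $allowed ) {
		if ( 0 === strpos( $path, trailingslashit( $allowed ) ) ) {
			return true;
		}
	}
	return false;
}

/**
 * wp_headers filter callback. WP::send_headers() only runs for front-end
 * requests; wp-login.php and wp-admin get the header from core itself via
 * send_frame_options_header(), so there is no double-sending to worry about.
 *
 * @param array $headers Header name => value pairs WordPress is about to send.
 * @param WP    $wp      The WP object for the current request.
 * @return array
 */
function example_frame_options_header( $headers, $wp ) {
	$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';

	if ( example_request_is_framable( $request_uri, $wp ) ) {
		return $headers;
	}

	$headers['X-Frame-Options'] = 'SAMEORIGIN';
	return $headers;
}
add_filter( 'wp_headers', 'example_frame_options_header', 10, 2 );
```

Drop this into a functionality (or mu-) plugin and request a normal page and an excluded one with `curl -sI` to confirm the header appears only on the former. Remember the caching caveat above: for cache hits none of this runs, so the web-server equivalent (`add_header X-Frame-Options SAMEORIGIN always;` in nginx, `Header always set X-Frame-Options "SAMEORIGIN"` in Apache) has to carry the same exclusions, typically via a `location` or `<Location>` block. Current browsers also honour `Content-Security-Policy: frame-ancestors 'self'`, which can express finer-grained allow lists than `SAMEORIGIN`; sending both is harmless.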

2 thoughts on "Preventing Clickjacking on WordPress Sites"

  1. Here's an easier one-liner that works:

     ```php
     // Reuse core's own callback, which sends X-Frame-Options: SAMEORIGIN.
     add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
     ```
