How to set X-Frame-Options Header in wordpress Site

4

30

I have hosted a website which is created using Wordpress.

I am getting a security alert saying "X-Frame-Options Header Not Set", but I can't figure out what that means.

Can anyone explain what this warning is about, and give me a solution on how to stop it from occurring?

Elinoreeliot answered 10/6, 2015 at 8:4 Comment(1)
Maybe you can use this? wordpress.org/support/topic/…Birkenhead
32

Here's an easier one-liner to set X-Frame-Options SAMEORIGIN that works, add the following to the functions.php file in your current Wordpress theme:

add_action( 'send_headers', 'send_frame_options_header', 10, 0 );

Actuary answered 15/6, 2017 at 17:43 Comment(3)
This would be my preferred option as this can be added to your functions.php in the theme and doesn't require editing the WP core or the .htaccess file.Rackrent
But you get an error when send_frame_options_header is already declared somewhere else in wp-includes/function.php - selecting a different name in your theme's function.php doesn't help either, since you will have set multiple x-frame-options. You need to somehow remove the initial headers.. but how to do that without touching the core functions.php (this should never be touched)Padnag
I had to use 'init' instead of 'send_headers' to make this work. i.e. add_action('init', 'send_frame_options_header');Rathskeller
7

Option 1: Go to wordpress-root/wp-includes/functions.php and search for "X-Frame-Options" and you will find the function

function send_frame_options_header() {
@header( 'X-Frame-Options: SAMEORIGIN' );
}

If X-Frame-Options is not defined inside your functions.php file, you just paste the code inside functions.php. To prevent cross-frame scripting of the site in Wordpress, set X-Frame-Options to SAMEORIGIN.

Option 2:

Or you can set X-Frame-Options from the .htaccess file, which is situated inside the root folder of Wordpress. Just paste the code below inside the .htaccess file.

Header set X-Frame-Options SAMEORIGIN
Pika answered 14/12, 2015 at 10:6 Comment(3)
Editing Wordpress core is heavily discouraged. There is a better solution.Actuary
Never under any circumstances edit WordPress core or use Option 1.Shellieshellproof
Why not use wp-config.php for this??Helicopter
3

I was having this error on a Multisite installation and it prevented subsites from showing plugin details (when you click "View details" and it opens a popup).

I solved it by adding this to my wp-config.php:

header('X-Content-Security-Policy: frame-ancestors https://*.MYDOMAIN.com');
header('Content-Security-Policy: frame-ancestors https://*.MYDOMAIN.com');

Update:
This only works for subdomains, for alias domains I had to whitelist everything with https://*.

Helicopter answered 6/3, 2023 at 15:15 Comment(0)
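The answers above set the header from three different places (theme functions.php, core functions.php, .htaccess, wp-config.php) and the comments raise two practical problems: duplicate X-Frame-Options lines when more than one place sets it, and the need to allow a multisite network's own subdomains to embed the site, which X-Frame-Options cannot express (it only knows DENY and SAMEORIGIN; ALLOW-FROM is obsolete). The following is an added example, not code from any of the answers or from WordPress core: a must-use plugin that sets X-Frame-Options and Content-Security-Policy frame-ancestors from one place, on the `send_headers` hook (a real WordPress action; core itself registers `send_frame_options_header()` on `admin_init` and `login_init`, so the dashboard and login page already carry the header and the front end is what needs covering). Note that calling `add_action()` with core's function name, as in the accepted answer, is fine; it is only re-declaring the function in a theme that produces an error. The `example_` names, the `example_frame_ancestors` filter and the `network.example` domain are assumptions chosen for this illustration.

```php
<?php
/**
 * Plugin Name: Frame-ancestor headers (added example)
 *
 * Save as wp-content/mu-plugins/frame-headers.php. Must-use plugins load on
 * every request, so no core file, theme file or .htaccess needs editing.
 * All "example_" names and the 'example_frame_ancestors' filter are
 * hypothetical; add_action/add_filter/apply_filters and the send_headers
 * hook are real WordPress APIs.
 */

/**
 * Origins allowed to embed this site in a frame. 'self' is always present;
 * other code (for instance a multisite network) adds origins via the filter.
 * Only "https://host" or "https://*.host" forms are accepted, so a typo or an
 * injected value never ends up inside a security header.
 */
function example_frame_ancestors(): array {
    $allowed = array( "'self'" );
    foreach ( (array) apply_filters( 'example_frame_ancestors', array() ) as $origin ) {
        if ( is_string( $origin ) && preg_match( '#^https://(\*\.)?[A-Za-z0-9.-]+(:\d+)?$#', $origin ) ) {
            $allowed[] = $origin;
        }
    }
    return array_values( array_unique( $allowed ) );
}

/**
 * Emit the headers. send_headers fires on front-end requests before output.
 */
function example_send_frame_headers(): void {
    if ( headers_sent() ) {
        return; // Output already started; headers can no longer change.
    }
    $ancestors = example_frame_ancestors();

    // X-Frame-Options only knows DENY and SAMEORIGIN, so it is sent when
    // 'self' is the only permitted ancestor. The second argument (replace)
    // overwrites any X-Frame-Options queued earlier by another plugin instead
    // of adding a second line with a possibly conflicting value.
    if ( count( $ancestors ) === 1 ) {
        header( 'X-Frame-Options: SAMEORIGIN', true );
    } else {
        // SAMEORIGIN would contradict the CSP for other origins, so drop it
        // and rely on frame-ancestors, which current browsers prefer anyway.
        header_remove( 'X-Frame-Options' );
    }

    // frame-ancestors supersedes X-Frame-Options in current browsers and can
    // name several origins. replace=false appends rather than overwriting a
    // CSP another plugin may already send (script-src etc.); browsers enforce
    // every CSP header they receive, so both policies stay in effect.
    header( 'Content-Security-Policy: frame-ancestors ' . implode( ' ', $ancestors ), false );
}
add_action( 'send_headers', 'example_send_frame_headers', 10, 0 );

// Multisite-style use: let the network's own subdomains embed the site.
// "network.example" is a placeholder for the real network domain.
add_filter( 'example_frame_ancestors', function ( array $origins ): array {
    $origins[] = 'https://*.network.example';
    return $origins;
} );
```

With the filter in place the response carries `Content-Security-Policy: frame-ancestors 'self' https://*.network.example` and no X-Frame-Options; without it (the single-site case) it carries both `X-Frame-Options: SAMEORIGIN` and `frame-ancestors 'self'`. Allowing `https://*` as in the multisite answer's update would let any HTTPS site embed the pages and removes the clickjacking protection the header exists for, which is why the validation above only accepts a named host or a wildcard subdomain of one.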
0

In any PHP application the header can be set before page content is sent. This is done using the header function.

header('X-Frame-Options: SAMEORIGIN');
Yvetteyvon answered 18/5, 2018 at 5:11 Comment(0)
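Whichever mechanism sets the header, what matters is the response the server actually returns, and the comments above show how easy it is to end up with two X-Frame-Options lines or a legacy header nobody enforces. The following is an added example, not from any of the answers: a small PHP checker that takes raw response header lines (for instance from `curl -sI https://your-site.example/`, a placeholder host) and reports the framing-protection problems discussed on this page. The sample input at the bottom is constructed so that each check fires; the function name is an assumption.

```php
<?php
/**
 * Added example: inspect a site's response headers and report framing
 * protection problems. Input is an array of raw header lines.
 */
function example_assess_frame_headers( array $raw_lines ): array {
    $findings = array();
    $xfo      = array();
    $csp      = array();
    $legacy   = false;

    foreach ( $raw_lines as $line ) {
        if ( strpos( $line, ':' ) === false ) {
            continue; // status line or blank separator
        }
        list( $name, $value ) = explode( ':', $line, 2 );
        switch ( strtolower( trim( $name ) ) ) {
            case 'x-frame-options':
                $xfo[] = strtoupper( trim( $value ) );
                break;
            case 'content-security-policy':
                $csp[] = trim( $value );
                break;
            case 'x-content-security-policy':
                $legacy = true; // pre-standard prefixed header, not enforced today
                break;
        }
    }

    // Exactly one X-Frame-Options line, with a value browsers still honour.
    if ( count( $xfo ) === 0 ) {
        $findings[] = 'X-Frame-Options is not set';
    } elseif ( count( $xfo ) > 1 ) {
        $findings[] = 'X-Frame-Options sent ' . count( $xfo ) . ' times (' . implode( ', ', $xfo )
            . '); behaviour with conflicting values is browser-specific';
    } elseif ( ! in_array( $xfo[0], array( 'DENY', 'SAMEORIGIN' ), true ) ) {
        $findings[] = 'X-Frame-Options value "' . $xfo[0] . '" is not DENY or SAMEORIGIN';
    }

    // frame-ancestors: present, and not so broad that any site may embed the page.
    $has_frame_ancestors = false;
    foreach ( $csp as $policy ) {
        if ( preg_match( '/(?:^|;)\s*frame-ancestors\s+([^;]*)/i', $policy, $m ) ) {
            $has_frame_ancestors = true;
            $sources = trim( $m[1] );
            if ( preg_match( '#(?:^|\s)(\*|https?://\*)(?:\s|$)#', $sources ) ) {
                $findings[] = 'frame-ancestors "' . $sources . '" allows every origin, giving no clickjacking protection';
            }
        }
    }
    if ( ! $has_frame_ancestors ) {
        $findings[] = 'No Content-Security-Policy frame-ancestors directive';
    }
    if ( $legacy ) {
        $findings[] = 'X-Content-Security-Policy is a legacy header and is not enforced by current browsers';
    }
    return $findings;
}

// Constructed sample: a duplicate X-Frame-Options, the legacy prefixed header
// and an over-broad frame-ancestors, so the checks above fire.
$sample = array(
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=UTF-8',
    'X-Frame-Options: SAMEORIGIN',
    'X-Frame-Options: DENY',
    'X-Content-Security-Policy: frame-ancestors https://*',
    'Content-Security-Policy: frame-ancestors https://*',
);
foreach ( example_assess_frame_headers( $sample ) as $finding ) {
    echo "- $finding\n";
}
```

An empty result means the response carries a single DENY or SAMEORIGIN X-Frame-Options (or none, where the CSP deliberately allows other origins) together with a frame-ancestors directive that names specific origins. Run it after every change to functions.php, .htaccess or wp-config.php, since those places can each add their own line without knowing about the others.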

© 2022 - 2024 — McMap. All rights reserved.