HTTP Headers Plugin for WordPress: X-Frame-Options

The HTTP Headers plugin can set the X-Frame-Options header, which specifies whether your WordPress website can be displayed within other websites via the <frame>, <iframe>, <object>, or <embed> tags. Enabling this feature adds the line Header set X-Frame-Options "[OPTION]" to your .htaccess file, which protects your WordPress site against clickjacking.

Enable X-Frame-Options

  1. Install and activate the HTTP Headers plugin using your WordPress dashboard or WP-CLI.
  2. Log in to your WordPress dashboard.
  3. On the left, hover over Settings and click HTTP Headers.
  4. Click the Security (0/15) button.
  5. Click Edit beside X-Frame-Options.
  6. Click “On” and specify an option from the drop-down menu:
    DENY – webpages cannot be displayed in a frame
    SAMEORIGIN – webpages can be framed only by pages on the same origin
    ALLOW-FROM – webpages can be framed only by the specified URI; doesn’t work in newer browsers.
  7. Click Save Changes.
  8. Click Security at the top to return to the security options. You’ll see your specified option on the X-Frame-Options line.

Note: Mozilla recommends using the Content Security Policy frame-ancestors directive, which supersedes X-Frame-Options, instead.
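
After saving, it is worth confirming what the server actually sends. The following is an added example, not part of the plugin or the original article: it audits a response-header block (such as the output of curl -sI) for the options listed above and for frame-ancestors. The function names and the sample response are constructed for illustration.

```python
# Added example: audit a captured response-header block for framing protection.
VALID_XFO = {"DENY", "SAMEORIGIN"}

def parse_headers(raw):
    """Map lowercased header names to their list of values (headers may repeat)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(policies):
    """Return the source list of the first frame-ancestors directive, else None."""
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None

def audit_framing(raw):
    """Return (verdict, detail); verdict is 'protected', 'weak' or 'unprotected'."""
    headers = parse_headers(raw)
    sources = frame_ancestors(headers.get("content-security-policy", []))
    xfo = {v.strip().upper() for h in headers.get("x-frame-options", [])
           for v in h.split(",") if v.strip()}
    if sources is not None:
        # Browsers that support frame-ancestors apply it and ignore X-Frame-Options.
        if "*" in sources:
            return "unprotected", "frame-ancestors * allows any site to frame the page"
        return "protected", "frame-ancestors " + " ".join(sources)
    if not xfo:
        return "unprotected", "no X-Frame-Options or frame-ancestors"
    if any(v.startswith("ALLOW-FROM") for v in xfo):
        return "weak", "ALLOW-FROM is ignored by newer browsers"
    if len(xfo) == 1 and xfo <= VALID_XFO:
        return "protected", "X-Frame-Options " + next(iter(xfo))
    # e.g. the header is set twice, once in .htaccess and once elsewhere
    return "weak", "conflicting or unknown values: " + ", ".join(sorted(xfo))

# Constructed sample, shaped like `curl -sI` output after choosing ALLOW-FROM.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOW-FROM https://partner.example
"""

if __name__ == "__main__":
    print(audit_framing(SAMPLE))
```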

Thoughts on “HTTP Headers Plugin for WordPress: X-Frame-Options”

  • “On the left, hover over Settings and click HTTP Headers.”
    Sorry, this option doesn’t exist. I have General/Writing/Reading/Discussion/Media/Permalinks/Privacy…

    • Hello and thanks for contacting us. I checked and the plugin options should show under the Settings section once activated. If not, you can always access the plugin settings from the Installed Plugins menu.
