WordPress HTTP Headers Plugin – X-Frame-Options

The HTTP Headers plugin can set X-Frame-Options to specify whether your WordPress website can be displayed within other websites via the <frame>, <iframe>, <object>, or <embed> tags. Enabling this feature adds the directive Header set X-Frame-Options "[OPTION]" to your .htaccess file, which helps protect your WordPress site against clickjacking.

Enable X-Frame-Options

  1. Install and activate the HTTP Headers plugin using your WordPress dashboard or WP-CLI.
  2. Log in to your WordPress dashboard.
  3. On the left, hover over Settings and click HTTP Headers.
  4. Click the Security (0/15) button.
  5. Click Edit beside X-Frame-Options.
  6. Click “On” and specify an option from the drop-down menu:
    DENY – webpages cannot be displayed in a frame
    SAMEORIGIN – webpages can be framed only by pages from the same origin
    ALLOW-FROM – webpages can be framed only by the specified URI; doesn’t work in newer browsers.
  7. Click Save Changes.
  8. Click Security at the top to return to the security options. You’ll see your specified option on the X-Frame-Options line.

Note: Mozilla recommends using the Content Security Policy frame-ancestors directive, which supersedes X-Frame-Options, instead.
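
Once the setting is saved, the headers the site actually returns can be audited. The script below is an added example, not part of the original article or the plugin: it classifies a response's anti-framing headers, covering the ALLOW-FROM and frame-ancestors cases mentioned above. The sample responses, the partner.example origin, and the result labels are constructed for illustration.

```python
# Added example, not the plugin's code. The sample responses are constructed.
SAMPLE_SAMEORIGIN = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
SAMPLE_ALLOW_FROM = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n"
SAMPLE_CSP = SAMPLE_ALLOW_FROM + "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def frame_ancestors(pairs):
    """Return the frame-ancestors source list from the first CSP header that has one."""
    for name, value in pairs:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None

def audit_framing(raw):
    """Classify the anti-framing headers of one response."""
    pairs = parse_headers(raw)
    sources = frame_ancestors(pairs)
    if sources is not None:
        # Per the CSP specification, frame-ancestors takes precedence over
        # X-Frame-Options when both are sent.
        broad = {"*", "http:", "https:"}  # sources that allow any site to frame the page
        return "too-broad" if any(s.lower() in broad for s in sources) else "protected"
    values = {v.upper() for n, v in pairs if n == "x-frame-options"}
    if not values:
        return "missing"
    if len(values) > 1:
        return "conflict"  # two places set different values; fix the configuration
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected"
    # ALLOW-FROM does not work in newer browsers, so it is reported separately.
    return "obsolete" if value.startswith("ALLOW-FROM") else "invalid"

if __name__ == "__main__":
    for sample in (SAMPLE_SAMEORIGIN, SAMPLE_ALLOW_FROM, SAMPLE_CSP):
        print(audit_framing(sample))
```

To audit a live site, pass the output of a header-only request (for example curl -sI against your own domain) to audit_framing.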
