I have hosted a website which is created using Wordpress.
I am getting a security alert saying "X-Frame-Options Header Not Set", but I can't figure out what that means.
Can anyone explain what this warning is about, and give me a solution on how to stop it from occuring?
On
Here's an easier one-liner to set X-Frame-Options SAMEORIGIN that works, add the following to the functions.php file in your current Wordpress theme:
add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
On
In any PHP application the header can be set before page content is sent. This is done using the header function.
header('X-Frame-Options: SAMEORIGIN');
I was having this error on a Multisite installation and it prevented subsites to show plugin details (when you click "View details" and it opens a popup).
I solved adding this to my wp-config.php:
header('X-Content-Security-Policy: frame-ancestors https://*.MYDOMAIN.com');
header('Content-Security-Policy: frame-ancestors https://*.MYDOMAIN.com');
Update:
This only works for subdomains, for alias domains I had to whitelist everything with https://*.
Option 1 : Go to wordpress-root/wp-includes/functions.php and search for "X-Frame-Options" and you will find the function
If X-Frame-Options is not defined inside your functions.php file, you just paste the code inside functions.php. To Prevent the site from cross-frame-scripting in Wordpress use X-Frame-Options to SAMEORIGIN.
Option 2:
Or you can set X-Frame-Options from the .htaccess file which is situated inside the root folder of wordpress. Just paste the below code inside .htaccess file.