How to set X-Frame-Options Header in WordPress Site


I have hosted a website which is created using WordPress.

I am getting a security alert saying "X-Frame-Options Header Not Set", but I can't figure out what that means.

Can anyone explain what this warning is about, and give me a solution on how to stop it from occurring?


There are 4 answers

Therichpost On

In any PHP application the header can be set before page content is sent. This is done using the header() function.

<?php
// Must run before any output is sent; headers cannot be changed once the body has started.
header('X-Frame-Options: SAMEORIGIN');
Smruti Ranjan On

Option 1: Go to wordpress-root/wp-includes/functions.php, search for "X-Frame-Options" and you will find the function

function send_frame_options_header() {
    @header( 'X-Frame-Options: SAMEORIGIN' );
}

If X-Frame-Options is not defined inside your functions.php file, just paste the code inside functions.php. To prevent cross-frame scripting in WordPress, set X-Frame-Options to SAMEORIGIN.

Option 2:

Or you can set X-Frame-Options from the .htaccess file, which is in the root folder of WordPress. Just paste the code below inside the .htaccess file.

# Requires mod_headers to be enabled in Apache
<IfModule mod_headers.c>
    Header set X-Frame-Options SAMEORIGIN
</IfModule>
brasofilo On

I was having this error on a Multisite installation, and it prevented subsites from showing plugin details (when you click "View details" and a popup opens).

I solved it by adding this to my wp-config.php:

// Allow framing only by pages served from this domain and its subdomains.
// X-Content-Security-Policy is the old prefixed form; Content-Security-Policy is the standard header.
header('X-Content-Security-Policy: frame-ancestors https://*.MYDOMAIN.com');
header('Content-Security-Policy: frame-ancestors https://*.MYDOMAIN.com');

Update:
This only works for subdomains; for alias domains I had to whitelist everything with https://*.

Artem Russakovskii On

Here's an easier one-liner to set X-Frame-Options SAMEORIGIN that works. Add the following to the functions.php file in your current WordPress theme:

// Hooks WordPress's own send_frame_options_header() (from wp-includes/functions.php) onto the send_headers action.
add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
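Whichever of the answers above you apply, the useful follow-up is to verify the response actually carries the protection the scanner is looking for, and to understand why the Multisite answer's frame-ancestors directive behaves differently from SAMEORIGIN. The script below is an added example and is not code from the question or from any of the answers. It models what the "X-Frame-Options Header Not Set" alert means: a page is framable by anyone unless the response has X-Frame-Options DENY or SAMEORIGIN, or a Content-Security-Policy with frame-ancestors; when both are present, browsers obey frame-ancestors and ignore X-Frame-Options. The header blocks and hostnames are constructed samples; mydomain.com stands in for the MYDOMAIN.com placeholder used in the Multisite answer.

```python
"""Decide whether a page may be framed by a given parent origin.

Added example; the sample header blocks below are constructed, not captured
from a real site. Handles X-Frame-Options (DENY / SAMEORIGIN, obsolete
ALLOW-FROM) and CSP frame-ancestors ('none', 'self', *, scheme-only sources,
host sources with a leading wildcard such as https://*.mydomain.com).
"""
from urllib.parse import urlsplit


def _origin(url):
    """Return (scheme, host) for a URL, lowercased."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def _parse_headers(raw):
    """Turn a raw header block (one 'Name: value' per line) into a dict."""
    headers = {}
    for line in raw.strip().splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def _frame_ancestors(csp):
    """Extract the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_matches(source, page, parent):
    """Does one frame-ancestors source expression let `parent` frame `page`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return parent == page
    if source == "*":
        return True
    if source.endswith(":"):            # scheme-only source, e.g. "https:"
        return parent[0] == source[:-1]
    scheme, _, host = source.partition("://")
    if not host:                        # bare host source, any scheme (simplification)
        scheme, host = "", scheme
    host = host.split("/")[0]           # drop any path component
    if scheme and scheme != parent[0]:
        return False
    if host == "*":                     # "https://*": any host on that scheme
        return True
    if host.startswith("*."):           # "*.mydomain.com": subdomains only, not the apex
        return parent[1].endswith(host[1:])
    return parent[1] == host


def framing_allowed(raw_headers, page_url, parent_url):
    """Return (allowed, reason) for framing page_url from parent_url.

    Mirrors browser precedence: frame-ancestors wins when present; otherwise
    X-Frame-Options is consulted; with neither, anyone may frame the page,
    which is exactly the condition the scanner reports.
    """
    headers = _parse_headers(raw_headers)
    page, parent = _origin(page_url), _origin(parent_url)
    sources = _frame_ancestors(headers.get("content-security-policy", ""))
    if sources is not None:
        allowed = any(_source_matches(s, page, parent) for s in sources)
        return allowed, "frame-ancestors " + " ".join(sources)
    xfo = headers.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return parent == page, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete; current browsers ignore it, so it offers no protection.
        return True, "X-Frame-Options: ALLOW-FROM is obsolete, no protection"
    return True, "no framing restriction (X-Frame-Options Header Not Set)"


# Constructed sample responses (not real captures).
UNPROTECTED = "Content-Type: text/html; charset=UTF-8\nX-Powered-By: PHP\n"
WP_DEFAULT = UNPROTECTED + "X-Frame-Options: SAMEORIGIN\n"      # send_frame_options_header()
MULTISITE = UNPROTECTED + "Content-Security-Policy: frame-ancestors https://*.mydomain.com\n"
BOTH = WP_DEFAULT + "Content-Security-Policy: frame-ancestors 'none'\n"

if __name__ == "__main__":
    page = "https://blog.mydomain.com/"
    for label, hdrs in (("unprotected", UNPROTECTED), ("wp default", WP_DEFAULT),
                        ("multisite", MULTISITE), ("both", BOTH)):
        for parent in (page, "https://shop.mydomain.com/", "https://evil.example/"):
            allowed, why = framing_allowed(hdrs, page, parent)
            print(f"{label:12} framed by {parent:28} -> {allowed!s:5} ({why})")
```

To test a live site, paste the output of curl -sI against your page into framing_allowed() as raw_headers; the dict parser ignores the status line because it has no colon-separated name. Note the precedence case: once a CSP frame-ancestors directive is present, X-Frame-Options no longer matters, which is why the Multisite answer could widen framing to subdomains despite WordPress sending SAMEORIGIN by default.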