You can remove the HTTP header X-Frame-Options: SAMEORIGIN from WordPress by removing the send_frame_options_header function from the admin_init and login_init hooks. For example, you can add the following to your theme’s
```php
// WordPress Core
remove_action('admin_init', 'send_frame_options_header');
remove_action('login_init', 'send_frame_options_header');

// Just in case
remove_action('init', 'send_frame_options_header');
```
As seen in the code example, you should also use remove_action for the init hook just in case a plugin or a host’s mu-plugin has added the X-Frame-Options: SAMEORIGIN header using that hook (init is a possible go-to hook for plugin developers).
If, after adding this code to your WordPress site, the X-Frame-Options header is still present, it could be that:
- A plugin is still adding the header to your site, and you need to search the codebase for the culprit.
- Your web server, such as Nginx or Apache, is adding the header outside of WordPress, and you need to edit your web server configuration as well.
If you are not 100% sure you should remove the X-Frame-Options: SAMEORIGIN header, do not remove it. The header adds a layer of security to your website that should not be removed unless you are replacing it with an alternative like the Content-Security-Policy header.
Why Is This Header Added To WordPress?
To prevent malicious websites from embedding your website as an iframe. Hackers can use iframe embeds to spy on your users or even break into an account when a site is not properly secured (an attack known as clickjacking). The X-Frame-Options: SAMEORIGIN header keeps another web domain from embedding your website as an iframe.
However, there are times you might want to embed your WordPress site within another domain you control. Outright removing the X-Frame-Options header allows your site to be embedded on any domain, but this is not safe.
To maintain some level of security, if you plan to embed your WordPress site as an iframe on another domain you control or trust, replace the X-Frame-Options header with a Content-Security-Policy header that uses the frame-ancestors directive to list the origins allowed to embed your site.
As an example, if you want to allow your site to be embedded on the domain example.com, you can replace X-Frame-Options with the following header instead:

```http
Content-Security-Policy: frame-ancestors 'self' example.com
```

Here 'self' keeps same-origin embeds working. The header value is sent without surrounding double quotes; if you set it in your web server configuration instead of in PHP, quote it according to that configuration's own syntax.
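Putting the two halves together in WordPress, here is an added example (not code from the original post) that removes core's X-Frame-Options header and sends the frame-ancestors allowlist from the hooks core itself uses. It assumes it runs from the active theme's functions.php or a mu-plugin, so that core's default filters and plugins have already registered their hooks; the dtc_ function names, the constant and the https://example.com entry are placeholders of this example.

```php
// Added example: replace WordPress core's X-Frame-Options: SAMEORIGIN with a
// Content-Security-Policy frame-ancestors allowlist so that only the listed
// origins can embed the site. Assumes it runs after core's default filters
// and after plugins have loaded (theme functions.php or an mu-plugin), so
// the remove_action() calls find the actions they target.

// Origins allowed to frame the site. 'self' keeps same-origin embeds working;
// the host entry is a constructed example value, replace it with your domain.
const DTC_FRAME_ANCESTORS = ["'self'", 'https://example.com'];

// Stop core (and any plugin using the init hook) from sending X-Frame-Options.
remove_action('admin_init', 'send_frame_options_header');
remove_action('login_init', 'send_frame_options_header');
remove_action('init', 'send_frame_options_header');

/**
 * Build the CSP value from the allowlist, for example
 * "frame-ancestors 'self' https://example.com".
 */
function dtc_frame_ancestors_value(array $ancestors): string {
    return 'frame-ancestors ' . implode(' ', array_map('trim', $ancestors));
}

/**
 * Send the replacement header. Any X-Frame-Options header queued earlier in
 * the request is dropped as well, so the response carries one clear policy
 * (browsers that support frame-ancestors give it precedence anyway).
 */
function dtc_send_frame_ancestors_header(): void {
    if (headers_sent()) {
        return; // Output already started; headers can no longer be changed.
    }
    header_remove('X-Frame-Options');
    header('Content-Security-Policy: ' . dtc_frame_ancestors_value(DTC_FRAME_ANCESTORS));
}

// Front-end requests send their headers from the send_headers action; the
// admin and login screens never reach it, so hook those directly, as core does.
add_action('send_headers', 'dtc_send_frame_ancestors_header');
add_action('admin_init', 'dtc_send_frame_ancestors_header');
add_action('login_init', 'dtc_send_frame_ancestors_header');
```

After deploying, confirm the result from outside WordPress (for example with curl -I against a front-end page and the login page), because a web server rule can still add X-Frame-Options after PHP has finished.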