You can remove the HTTP header X-Frame-Options: SAMEORIGIN from WordPress by removing the send_frame_options_header function from the admin_init and login_init hooks. For example, you can add the following to your theme's functions.php file:
// WordPress Core
remove_action('admin_init', 'send_frame_options_header');
remove_action('login_init', 'send_frame_options_header');
// Just in case
remove_action('init', 'send_frame_options_header');
As seen in the code example, you should also use remove_action for the init hook, just in case a plugin or a host's mu-plugin has added the X-Frame-Options: SAMEORIGIN header using that hook (init is a common go-to hook for plugin developers).
If, after adding this code to your WordPress site, the X-Frame-Options header is still present, it could be that:
- A plugin is still adding the header to your site, and you need to search the codebase for the culprit.
- Your web server, such as Nginx or Apache, is adding the header outside of WordPress, and you need to edit your web server configuration as well.
Security Concerns
If you are not 100% sure you should remove the X-Frame-Options: SAMEORIGIN header, do not remove it. The header adds a layer of security to your website that should not be removed unless you are replacing it with an alternative like the Content-Security-Policy header.
Why Is This Header Added To WordPress?
To prevent malicious websites from embedding your website as an iframe. Hackers can use iframe embeds (clickjacking) to spy on your users or even break into an account when a site is not properly secured. The X-Frame-Options: SAMEORIGIN header keeps another web domain from embedding your website as an iframe.
However, there are times you might want to embed your WordPress site within another domain you control. Outright removing the X-Frame-Options header allows your site to be embedded on any domain, but this is not safe.
To maintain some level of security, if you plan to embed your WordPress site as an iframe on another domain you control or trust, include the Content-Security-Policy header in place of the X-Frame-Options header when you remove it.
As an example, if you want to allow your site to be embedded on the domain example.com, you can replace X-Frame-Options with the following header instead (the raw HTTP header value carries no surrounding quotes; if you set it in Nginx or Apache configuration, quote it according to that configuration's syntax):
Content-Security-Policy: frame-ancestors 'self' example.com
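The following is an added example, not code from the original post, of a complete functions.php snippet that performs both steps described above: it removes the core X-Frame-Options header and replaces it with a frame-ancestors policy built from an explicit allow-list. The origin https://example.com and the function name mytheme_send_frame_ancestors_header are placeholders.

```php
<?php
// Added example for a theme's functions.php (not from the original post).
// Assumes https://example.com is the only trusted embedding origin (placeholder).

// 1. Stop WordPress core (and any plugin that hooked init) from sending
//    X-Frame-Options: SAMEORIGIN on admin and login responses.
remove_action( 'admin_init', 'send_frame_options_header' );
remove_action( 'login_init', 'send_frame_options_header' );
remove_action( 'init', 'send_frame_options_header' );

/**
 * Send a Content-Security-Policy frame-ancestors header that allows only
 * the site itself plus an explicit list of trusted origins to embed it.
 * Every other origin is still blocked, so dropping X-Frame-Options does
 * not leave the site open to being framed from arbitrary domains.
 */
function mytheme_send_frame_ancestors_header() {
    // Origins allowed to frame this site. Keep the list short and explicit.
    $trusted_origins = array( 'https://example.com' ); // placeholder value

    // header() fails once output has started, so bail out in that case.
    if ( headers_sent() ) {
        return;
    }

    $sources = array( "'self'" );
    foreach ( $trusted_origins as $origin ) {
        // Accept only well-formed http(s) origins so a typo cannot produce
        // a policy the browser silently ignores.
        if ( filter_var( $origin, FILTER_VALIDATE_URL ) && preg_match( '#^https?://#i', $origin ) ) {
            $sources[] = $origin;
        }
    }

    // Raw header value: no quotes around the directive.
    header( 'Content-Security-Policy: frame-ancestors ' . implode( ' ', $sources ) );
}

// init fires for front-end, wp-admin and wp-login.php requests alike,
// so hooking it once covers every response core used to protect.
add_action( 'init', 'mytheme_send_frame_ancestors_header' );
```

After deploying, confirm the result with curl -I against the front-end, /wp-admin/ and /wp-login.php: X-Frame-Options should be gone and the Content-Security-Policy header present on each.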