How to Remove X-Frame-Options SAMEORIGIN from WordPress.

By Kevin DeesWordPress, PHP, Servers, Web
photo of brown wood slab

You can remove the HTTP header X-Frame-Options: SAMEORIGIN from WordPress by removing the send_frame_options_header function from the admin_init and login_init hooks. For example, you can add the following to your theme’s functions.php file:

// WordPress Core
remove_action('admin_init', 'send_frame_options_header');
remove_action('login_init', 'send_frame_options_header');

// Just in case
remove_action('init', 'send_frame_options_header');

As seen in the code example, you should also use remove_action for the init hook just in case a plugin or a host’s mu-plugin has added the X-Frame-Options: SAMEORIGIN header using the hook (init is a possible go-to hook for plugin developers).

If, after adding this code to your WordPress site, the X-Frame-Options header is still present, it could be that:

  • A plugin is still adding the header to your site, and you need to search the codebase for the culprit.
  • Your web server, such as Nginx or Apache, is adding the header outside of WordPress, and you need to edit your web server configuration as well.

Dare To Code

icon send thick Get the tips, links, and tricks on full-stack PHP development in your inbox with monthly emails from Kevin Dees.

Name(Required)
This field is for validation purposes and should be left unchanged.

Security Concerns

If you are not 100% sure you should remove the X-Frame-Options: SAMEORIGIN header, do not remove it. The header adds a layer of security to your website that should not be removed unless you are replacing it with an alternative like the Content-Security-Policy header.

Why Is This Header Added To WordPress?

To prevent malicious websites from embedding your website as an iframe. Hackers can use iframe embeds to spy on your users or even break into an account when a site is not properly secured. The X-Frame-Options: SAMEORIGIN keeps another web domain from embedding your website as an iframe.

However, there are times you might want to embed your WordPress site within another domain you control. Outright removing the X-Frame-Options header allows your site to be embedded on any domain, but this is not safe.

To maintain some level of security, if you plan to embed your WordPress site as an iframe on another domain you control or trust, when you remove the X-Frame-Options header, include the header Content-Security-Policy instead.

As an example, if you want your site to allow it to be embedded on the domain example.com you can replace X-Frame-Options with the following header instead:

Content-Security-Policy: "frame-ancestors 'self' example.com"

By Kevin Dees

Kevin Dees is a speaker, entrepreneur, blogger, and developer. He’s best known for his work in WordPress and podcasting for the retired SitePoint show. Kevin has developed sites for the brands Verizon, Denny’s, RIDGID, Michelin, and others. Currently, he is working on TypeRocket which powers over 10,000 professional websites and products internationally.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.