How to Prevent Clickjacking in WordPress with X-Frame-Options

How to prevent clickjacking in WordPress

Step 1 – Access your WordPress website’s files.

Step 2 – Find your functions.php file and edit it.

I recommend having a child theme in place, otherwise, the changes will be gone with the next update.

If you’re going to access your files via FTP, you’ll normally find functions.php in public_html/wp-content/themes/YOURTHEMENAME-child/functions.php or public_html/YOURDOMAIN.COM/wp-content/themes/YOURTHEMENAME-child/functions.php for an add-on domain.

Step 3 – Add the following code right at the very bottom or right before ?>, if there’s any.

This code will now stop clickjacking in WordPress by preventing your website from loading in a frame.

Just add your website and press the Submit button.

As you can see, when I added my website, nothing appeared in the display area, which means that the code worked!

Preventing clickjacking via .htaccess – a more reliable method

Backup your file or the whole website first!

Step 1 – Access your website’s files.

Step 2 – Edit your .htaccess file, which you should normally find directly in the public_html folder or public_html/YOURDOMAIN.com/ if you’re using an add-on domain.

Those that use the Yoast SEO plugin – and all of you should, because it’s a must-have WordPress plugin – you can also edit the file by going to SEO -> Tools -> File Editor.

Step 3 – Add the following code right above the #BEGIN WordPress line:

Header always append X-Frame-Options SAMEORIGIN

You’ll need to have mod_headers enabled on your server for this to work. Talk to your web host to enable it, if it’s not.

That’s a wrap

Hope you found the tutorial comprehensive and useful!