Stop Clickjacking by preventing your WordPress site loading in a Frame


Clickjacking is a potential security risk in which someone loads your website in a frame on their own domain and hijacks the interactions that visitors make with your site through that frame.

For example, if your website requires users to log in, the attacker could log the usernames and passwords of the users targeted by the clickjacking attack.

Fortunately, preventing clickjacking in WordPress is fairly straightforward. You can just add this little snippet of code to your functions file to set the X-Frame-Options header to SAMEORIGIN.

This sends a header with every WordPress response that tells browsers not to display your pages in frames that are not on the same origin as your website.

Clickjacking and Older Browsers

Browsers older than Internet Explorer 8 (IE8) don’t understand the X-Frame-Options header, so we have to fall back to JavaScript, as in the example below:

Of course, we only want to enqueue the above script for browsers older than IE8, so we can use a good old conditional comment to do this:
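The two steps above combined, as an added example rather than the post's own snippet or the Kapow! code: the header is sent on the `send_headers` action, and the JavaScript fallback is enqueued wrapped in an IE conditional comment. The function names, the script handle and the `/js/frame-buster.js` path are assumptions; the script is assumed to contain the classic `if (top !== self) { top.location = self.location; }` redirect.

```php
<?php
/**
 * Added example (not the original post's snippet): send the X-Frame-Options
 * header from WordPress and enqueue a JavaScript frame-busting fallback for
 * browsers older than IE8, which ignore the header.
 *
 * Assumptions: this lives in the active theme's functions.php, and the
 * fallback script sits at /js/frame-buster.js inside the theme (hypothetical
 * path) and contains: if (top !== self) { top.location = self.location; }
 */

// Tell header-aware browsers to allow framing only from the same origin.
function mdwp_send_x_frame_options() {
	// Header names are case-insensitive; X-Frame-Options is the usual spelling.
	header( 'X-Frame-Options: SAMEORIGIN' );

	// Modern equivalent of the same policy; browsers that understand
	// Content-Security-Policy prefer frame-ancestors over X-Frame-Options.
	header( "Content-Security-Policy: frame-ancestors 'self'" );
}
add_action( 'send_headers', 'mdwp_send_x_frame_options' );

// Frame-busting fallback for browsers that do not honour the header.
function mdwp_enqueue_frame_buster() {
	wp_enqueue_script(
		'mdwp-frame-buster',                                   // handle (assumed)
		get_template_directory_uri() . '/js/frame-buster.js',  // path (assumed)
		array(),                                               // no dependencies
		'1.0.0',                                               // cache-busting version
		false                                                  // print in <head>, before any interaction
	);

	// Wrap the <script> tag in <!--[if lt IE 8]> ... <![endif]--> so that only
	// IE 7 and older, which ignore X-Frame-Options, actually load it.
	wp_script_add_data( 'mdwp-frame-buster', 'conditional', 'lt IE 8' );
}
add_action( 'wp_enqueue_scripts', 'mdwp_enqueue_frame_buster' );
```

You can confirm the header is being sent with `curl -I https://example.com/` (replace with your own site) and check for the `X-Frame-Options: SAMEORIGIN` line in the response.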

Stop Clickjacking within your WordPress Project

Want to stop clickjacking in your WordPress project, along with a whole host of additional features? Why not check out the Kapow! WordPress Boilerplate by Make Do? It is fully modular, and the clickjacking snippet comes as part of the Kapow Core part of the framework (the clickjacking prevention code can be found in the GitHub repo).

Kapow!

Kapow! can be used to provide a full VVV-powered development workflow, but feel free to use just the parts that you need. If you need support in using the framework, just get in touch.

Matt Watson

Technical Lead at Make Do
Matt Watson is the co-founder and technical lead of WordPress agency Make Do. Matt loves writing and learning about code, and considers himself lucky to be doing what he loves for a living. Find out more about Matt, or get in touch to hire Matt for your project.
