Disabling WordPress X-FRAME-OPTIONS Support

Submitted by on May 30, 2011 – 3:37 pm 12 Comments

Starting with version 3.1.3, WordPress introduced X-FRAME-OPTIONS support for the admin and login pages. This is a simple defensive measure against sneaky characters trying to encapsulate your blog within their own Web sites using iframes. So this new security was a welcome addition to WP for most users. I was not one of those users.

I have a simple dynamic HTML page that allows me to control all my WP installations from a single interface using iframes. Once I updated my WP installations to v. 3.1.3, my DHTML gadget stopped working. I am all for security enhancements, just don’t force them on me, or at least give me an option to easily disable any new features I did not ask for.

If you need to disable X-FRAME-OPTIONS support on your WP 3.1.3 or later, it is fairly easy to do. Open “./wp-includes/default-filters.php” and comment out the two lines containing the “send_frame_options_header” string. To simplify and automate this operation, use the following simple script, which removes those two lines outright (you may even add it to cron to make this change automatic whenever you upgrade your WP). You will need to substitute the correct path for your WP installation.

#!/bin/bash
#
# Disable WP support for X-FRAME-OPTIONS feature that prevents WP from loading
# Login and Admin pages inside iFrames.
#
FILE="${HOME}/public_html/wp-includes/default-filters.php"
if [ -w "${FILE}" ]
then
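        if grep -q "send_frame_options_header" "${FILE}"
        then
                # Copy every line except the two send_frame_options_header hooks to a
                # temp file, and replace the original only if that copy succeeded.
                grep -v "send_frame_options_header" "${FILE}" > "${HOME}/default-filters.tmp" &&
                mv "${HOME}/default-filters.tmp" "${FILE}"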
                chmod 644 "${FILE}"
        fi
fi

12 Comments »

  • Joe says:

    Thanks a lot – this really helped me!

  • Glad I found this post. I didn’t need to edit any files. I just added code to my plugin: header('X-Frame-Options: GOFORIT');

  • Bart says:

    THANKS! I normally don’t respond to internet posts but wanted to thank you for making my day. I spent hours looking for a solution to my problem and found it, thanks to you.

  • Christine says:

    I would avoid solutions that hack core. You’ll have to put it back every time you update, and you’re more likely to create conflicts with plugins you are using.

    And in this case, it’s unnecessary. You can remove any of the filters or actions in core with the remove_action() or remove_filter() functions.

    This is what you should put in your functions.php:


    remove_action( 'admin_init', 'send_frame_options_header', 10, 0 );
    remove_action( 'login_init', 'send_frame_options_header', 10, 0 );

    Since you are removing a security measure, I would recommend putting in additional conditionals so it only runs on pages that you need to display via an iframe, rather than removing it from all admin pages.
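Christine's recommendation above, sketched as an added example (not code from the post, its commenters or WordPress core): the exemption applies only to a short list of screens and names the single origin allowed to frame them. The origin `https://dashboard.example.com`, the screen list and the `example_scoped_frame_policy` name are placeholders to replace with your own values.

```php
<?php
/**
 * Added example for a theme's functions.php or a small plugin.
 * Scopes the framing exemption instead of removing it from every admin page.
 */
function example_scoped_frame_policy() {
    global $pagenow; // set by WordPress to the current script, e.g. 'wp-login.php'

    // ASSUMPTION: the one origin that hosts the iframe control page (placeholder).
    $trusted_origin = 'https://dashboard.example.com';

    // ASSUMPTION: the only screens that need to load inside that iframe.
    $framed_screens = array( 'wp-login.php', 'index.php', 'edit.php' );

    // Every other screen keeps core's X-Frame-Options header untouched.
    if ( headers_sent() || ! in_array( $pagenow, $framed_screens, true ) ) {
        return;
    }

    // Core hooks send_frame_options_header at priority 10 on both actions;
    // unhook it for this request only.
    remove_action( 'admin_init', 'send_frame_options_header', 10 );
    remove_action( 'login_init', 'send_frame_options_header', 10 );

    // Allow framing by this site and the trusted origin, and by nothing else.
    header( "Content-Security-Policy: frame-ancestors 'self' " . $trusted_origin );
}

// Priority 9 runs before core's callback at priority 10.
add_action( 'admin_init', 'example_scoped_frame_policy', 9 );
add_action( 'login_init', 'example_scoped_frame_policy', 9 );
```

Browsers that do not implement the `frame-ancestors` directive get no framing restriction on the listed screens, so keep the list as short as the control page allows.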

  • HASTHEANSWERS says:

    For example, the frequent use of “WP:CIVIL” as a weapon against other users.

  • Christopher J says:

    I have a WP blog on which I want to post news and videos. Both will be posted on the front page. But I also made separate pages for news and videos, can I repost the written and video content on these pages as well as on the main page? Will it affect Google’s view of my site at all?

    Also, contrary to the home page, which is a blog, ‘Video’ and ‘News’ are both static pages, can I turn them into blogs?

  • Alex says:

    Hello, I was wondering about creating themes for WordPress. The 2 issues I have with it right now are:

    1. I never created a WP theme before, though I am interested in creating one, but I don’t know any programming. But I have heard of theme generators that enable you to create themes whether you know programming or are new to creating WP themes. I would like to know whether I should use a theme generator if I’m starting out on WP.

    2. When I create a theme from a WP theme generator, I’m a little worried that I would be creating the theme for myself rather than making it usable to others that may want to use it for their site. I was wondering if I sell them WP themes using theme generators, if I do so, understand that I am confused on just making themes for me since I’m selling them or making them for people to use.

    If anyone has answers to my questions, it would be greatly appreciated.

  • Marlon P says:

    My WP ultra simple Paypal cart is set up on my website but will only accept items from one add to cart button. If a second item from a different button is chosen it overrides the current choice rather than adding it to the cart. Can anyone help?

  • Ray D says:

    I’m using WordPress on my site with BuddyPress, and I want to block the /wp-admin page from the public. I want the only way for people to get to the dashboard is to log in and do so. I want a not found page to be shown when anyone types in “http://mysite.com/wp-admin”
    Mike, it would be nice if you told me what code, instead of just the general overview. I’m smart enough to code on my own. So I’m not going to pay you either.

  • Ty says:

    Ty, helped me.
