Does WP Ghost Protect Against Clickjacking?
Yes. WP Ghost protects against clickjacking through the X-Frame-Options security header and the Content-Security-Policy frame-ancestors directive. When you enable security headers in WP Ghost, it sets X-Frame-Options to SAMEORIGIN, which prevents your pages from being embedded in iframes on external sites. This blocks the primary clickjacking attack vector.
What Is Clickjacking?
Clickjacking is an attack where a malicious site loads your page inside an invisible iframe and tricks visitors into clicking on elements they cannot see. For example, an attacker could overlay your WordPress login form or admin dashboard behind a fake page. When the visitor clicks what they think is a harmless button, they are actually clicking a button on your hidden page, like “Delete Account,” “Change Password,” or “Approve Transaction.” The visitor never sees your page; they only interact with the attacker’s overlay.
WordPress does not set X-Frame-Options by default, which means any page on a default WordPress installation can be embedded in an iframe on any other site. This leaves your login page, admin dashboard, and all front-end forms vulnerable to clickjacking.
How WP Ghost Prevents Clickjacking
WP Ghost adds two layers of clickjacking protection through its security headers feature.
X-Frame-Options: SAMEORIGIN. This header tells browsers to only allow your pages to be framed by pages on your own origin (same scheme, host and port). External sites cannot embed your pages in iframes, which blocks clickjacking from external sites. If you need to prevent all framing entirely (including from your own site), you can set it to DENY instead.
Content-Security-Policy with frame-ancestors. The CSP frame-ancestors directive is the modern replacement for X-Frame-Options. WP Ghost lets you customize your CSP to include frame-ancestors 'none' (blocks all framing) or frame-ancestors 'self' (same as SAMEORIGIN). This directive is supported by all modern browsers and provides more granular control, for example allowing a specific partner origin in addition to your own. When both headers are present, a browser that understands frame-ancestors applies it and ignores X-Frame-Options, so keep the two values consistent.
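To make the two layers concrete, here is an added example (not WP Ghost's code) that evaluates a response's headers the way a browser does and reports whether a given embedding origin would be allowed to frame the page; the sample headers and origins are constructed for illustration, and only the source forms discussed above ('none', 'self', explicit origins) are handled.

```python
"""Decide whether a response's headers let another site frame the page.

Added example (not WP Ghost's code). It applies the precedence rule browsers
use: when Content-Security-Policy carries frame-ancestors, that directive is
authoritative and X-Frame-Options is ignored. Only the source forms the page
discusses are handled: 'none', 'self', and explicit origins.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Scheme + host[:port], lowercased: the unit browsers compare."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if CSP lacks it."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list means no ancestor is allowed.
            return [t.strip("'").lower() for t in tokens[1:]] or ["none"]
    return None


def framing_allowed(headers, page_url, embedder_url):
    """True if a browser would render page_url inside a frame on embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # CSP present: X-Frame-Options is not consulted at all.
        # 'none' matches nothing, so a list of only 'none' blocks everyone.
        return any((s == "self" and embedder == page) or s == embedder
                   for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # No header at all: the WordPress default, any site may frame the page.
    return True


# Constructed sample headers: the WordPress default, then WP Ghost's default.
WORDPRESS_DEFAULT = {}
WPGHOST_DEFAULT = {"X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    login = "https://example.com/wp-login.php"
    for name, hdrs in (("WordPress", WORDPRESS_DEFAULT), ("WP Ghost", WPGHOST_DEFAULT)):
        print(name, "framed by attacker site:",
              framing_allowed(hdrs, login, "https://attacker.invalid/lure"))
```

Note that a subdomain such as blog.example.com is a different origin from example.com, which is why SAMEORIGIN can break a page builder served from another subdomain.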
How to Enable Clickjacking Protection
Go to WP Ghost > Firewall > Header Security. Switch on Add Security Headers for XSS and Code Injection Attacks. Click Save. This enables all seven security headers at once, including X-Frame-Options set to SAMEORIGIN. You can verify the header is active by visiting SecurityHeaders.com and entering your domain. For the full header configuration guide, see the Security Headers tutorial.
If you use iframes on your own site (some page builders and admin panels require them), keep the setting at SAMEORIGIN. If you embed content from external domains using iframes (like PDFs or third-party widgets), you may need to adjust the X-Frame-Options setting. See the PDFs and Iframes Not Loading guide if you encounter issues.
Clickjacking Is Just One Layer
Security headers protect against browser-level attacks like clickjacking. WP Ghost’s hack-prevention approach covers multiple attack vectors beyond this: path security prevents bots from finding your WordPress structure, the 7G/8G firewall blocks injection attacks at the server level, brute force protection limits login attempts, and 2FA secures authentication. Clickjacking protection is one piece of a complete defense strategy. For the full feature overview, see What is WP Ghost.
Frequently Asked Questions
Will X-Frame-Options break my page builder?
Some page builders use iframes for their preview or editor mode. The SAMEORIGIN setting allows framing from your own domain, which covers most page builders. If a builder’s preview fails to load after enabling security headers, the builder is likely loading from a different domain or subdomain. Check the Security Headers troubleshooting section for solutions.
Is this a free feature?
Yes. All seven security headers, including X-Frame-Options for clickjacking protection, are included in the free version of WP Ghost.
How do I verify clickjacking protection is working?
Visit SecurityHeaders.com and enter your domain. It grades each security header. You should see a green mark next to X-Frame-Options. You can also check in your browser’s DevTools: open the Network tab, select any request to your domain, and look for the X-Frame-Options: SAMEORIGIN header in the response headers.
Does WP Ghost modify WordPress core files?
No. Security headers are added through server configuration files and PHP output. No WordPress core files are modified. Disabling security headers in WP Ghost removes them instantly.