Understanding Clickjacking Attacks
Clickjacking, also known as UI redressing, is a malicious technique in which an attacker tricks a user into clicking a button or link on a hidden webpage when they believe they are clicking something on the visible, top-level page. This is accomplished by rendering your legitimate WordPress site inside an invisible HTML iframe overlaid directly on top of an enticing decoy website (such as a fake prize-winning game or lottery page).
The Risk to WordPress Admins
If a logged-in administrator visits a malicious site, they might see a button that says "Click here to win a prize." Unbeknownst to them, the attacker has aligned an invisible iframe of the WordPress admin panel directly over that button, positioning a confirmation control such as "Delete Site" or "Add New User" exactly where the visible button sits. When the admin clicks, they execute an administrative command on their own site, authorized by their active browser session.
Implementing Anti-Clickjacking Headers
Defending against UI redressing involves instructing the browser never to load your site within unauthorized frames:
- Deploy the X-Frame-Options header: configure your web server to send the X-Frame-Options: SAMEORIGIN HTTP response header. This instructs browsers to render your site inside an iframe only when the framing page is served from the same origin as your site.
- Use Content Security Policy (CSP): send a Content-Security-Policy header containing the frame-ancestors 'self' directive. This provides a more robust and granular defense than the legacy header and blocks every external domain from embedding your pages.
- Keep WordPress core updated: WordPress natively sends frame-busting scripts and headers on core backend administrative screens, but enforcing the headers server-wide extends that protection to every page of the site, not only the admin panel.
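To verify that a deployment actually sends the headers described above, the following added example (not code from the original article) evaluates a response's X-Frame-Options and CSP frame-ancestors values and reports whether cross-origin framing is blocked. The header sets are constructed for illustration, not captured from a real site.

```python
"""Classify a page's clickjacking protection from its HTTP response headers.

Browsers that understand CSP frame-ancestors ignore X-Frame-Options when both
headers are present, so the CSP directive decides the verdict whenever it exists.
"""


def framing_verdict(headers: dict) -> dict:
    """Return the mechanism in effect and whether third-party framing is blocked."""
    # Header names are case-insensitive; normalise once before looking them up.
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
            # 'none' blocks all framing, 'self' allows same-origin framing only;
            # any host or scheme source means some external site may embed the page.
            blocked = all(s.lower() in ("'none'", "'self'") for s in sources)
            return {"mechanism": "csp", "blocks_cross_origin": blocked, "allowed": sources}

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"mechanism": "x-frame-options", "blocks_cross_origin": True, "allowed": [xfo]}
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and ignored by current browsers: treat as unprotected.
        return {"mechanism": "x-frame-options", "blocks_cross_origin": False, "allowed": [xfo]}

    return {"mechanism": None, "blocks_cross_origin": False, "allowed": ["*"]}


# Constructed header sets standing in for responses from a WordPress front page.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html; charset=UTF-8"},
    "legacy_only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_self": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    },
    "csp_partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        v = framing_verdict(hdrs)
        status = "blocked" if v["blocks_cross_origin"] else "ALLOWED"
        print(f"{name:12s} cross-origin framing {status:8s} via {v['mechanism']} {v['allowed']}")
```

The headers dictionary can be filled from any HTTP client's response object, so the same function works as a post-deployment check against the live site.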
