Secure WordPress with X-Frame-Options & HTTPOnly Cookie

Protect WordPress website from XSS, Clickjacking Attacks

Securing your site is essential for your online business
presence. Over the weekend, I did a security scan on my
WordPress website through
Acunetix and Netsparker and found the following:

  • Missing X-Frame-Options Header
  • Cookie Not Marked as HttpOnly
  • Cookie without Secure flag set

If you are on dedicated or VPS hosting, then you can directly inject these
headers in Apache
or Nginx to
mitigate them. However, to do this directly in WordPress, you
can do the following.

Are you wondering why you should fix them? Here is a quick
explanation of each issue together with its solution.

A quick note on implementation verification: you can use an online
HTTP Header Checker tool, or press F12 in your web browser and
inspect the response headers in the developer tools.

Implement X-Frame-Options Header in WordPress

Having this header injected will prevent clickjacking attacks. Below is
what Netsparker discovered.

Option 1

  • Go to the path where WordPress is installed. If you are on
    shared hosting, you can log into cPanel >> File Manager.
  • Take a backup of wp-config.php.
  • Edit the file and add the following line:
    header('X-Frame-Options: SAMEORIGIN');
  • Save and refresh your website to verify.

Option 2

Use the WP no-iFrames (Content
Protection) plugin. Easy peasy!

Implement Cookie with HTTPOnly and Secure flag in WordPress

Marking a cookie HttpOnly instructs the browser to send it only to the
server and never expose it to client-side scripts, which adds a layer of
protection against XSS attacks.

The Secure flag instructs the browser to send the cookie only over an
encrypted SSL/TLS (HTTPS) connection, which adds a layer of
protection for the session cookie.

Note: This works only on an HTTPS website. If you
are still on HTTP, then you may consider switching to HTTPS for
better security.

Solution:

  • Take a backup of wp-config.php.
  • Edit the file and add the following lines:
    @ini_set('session.cookie_httponly', true);
    @ini_set('session.cookie_secure', true);
    @ini_set('session.use_only_cookies', true);
  • Save the file and refresh your website to verify.
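To verify both changes above without an online checker, here is an added shell script (not part of the original post) that audits a saved header block, such as the output of curl -sI, for the three scanner findings: missing X-Frame-Options, a cookie without HttpOnly, and a cookie without Secure. The site URL is a placeholder and the two sample responses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original post): audit a saved HTTP response
# header block for the three scanner findings above: missing X-Frame-Options,
# Set-Cookie without HttpOnly, Set-Cookie without Secure.
# Feed it the output of:  curl -sI https://your-site.example/   (placeholder URL)
# Returns 0 when nothing is found; otherwise prints one FINDING line per issue.
check_headers() {
    # Drop CR from CRLF line endings so a trailing '\r' cannot hide an attribute.
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=0
    if ! printf '%s\n' "$headers" | grep -qi '^x-frame-options:'; then
        echo "FINDING: Missing X-Frame-Options header"
        status=1
    fi
    # Inspect every Set-Cookie line; attribute names are case-insensitive (RFC 6265).
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        name=$(printf '%s' "${line#*:}" | sed 's/^ *//; s/=.*//')
        # Everything after the first ';' is the attribute list; normalise it to
        # lower case with no spaces, e.g. "path=/;httponly;secure".
        case "$line" in
            *\;*) attrs=$(printf '%s' "${line#*;}" | tr '[:upper:]' '[:lower:]' | tr -d ' ') ;;
            *)    attrs="" ;;
        esac
        case ";$attrs;" in
            *";httponly;"*) ;;
            *) echo "FINDING: Cookie '$name' not marked HttpOnly"; status=1 ;;
        esac
        case ";$attrs;" in
            *";secure;"*) ;;
            *) echo "FINDING: Cookie '$name' without Secure flag"; status=1 ;;
        esac
    done <<EOF
$(printf '%s\n' "$headers" | grep -i '^set-cookie:' || true)
EOF
    return $status
}

# Constructed sample responses (not captured from a real site): the first is how
# the scanner saw the site, the second is after the wp-config.php changes.
BEFORE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nSet-Cookie: PHPSESSID=abc123; path=/\r\nSet-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; HttpOnly; Secure\r\n')
AFTER=$(printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nSet-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly\r\n')

echo "== before hardening =="; check_headers "$BEFORE" || true
echo "== after hardening ==";  check_headers "$AFTER" && echo "OK: no findings"
```

The session.cookie_* settings govern cookies created by PHP sessions (PHPSESSID), while WordPress core sets its own login cookies through setcookie() with their own flags, so run the check against every Set-Cookie line the scanner flagged.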

If you don't like to hack the code, then alternatively you can
use the Shield plugin, which will
help you block iFrames and protect against XSS attacks.

Once you install the plugin, go to HTTP headers and enable


I hope the above helps you in mitigating WordPress vulnerabilities.

If you are looking for continuous WordPress security, then
SUCURI will be very helpful.

