Yes, WP Ghost protects your WordPress site from clickjacking through security headers. Specifically, the X-Frame-Options header and the Content-Security-Policy (CSP) frame-ancestors directive tell browsers not to load your site inside an iframe on other domains. This blocks the exact technique clickjacking relies on, where an attacker embeds your login or checkout page invisibly on their site and tricks users into clicking hidden buttons. Turn the protection on at WP Ghost > Firewall > Header Security with a single toggle.

What Clickjacking Is, Briefly

Clickjacking is a browser-side attack. A malicious site loads your real website inside an invisible iframe, layers fake buttons on top, and waits for a logged-in visitor to click what they think is a harmless link. In reality, the click passes through to your real site and performs an action the user never intended, such as changing account settings, approving a transaction, or submitting a form. The attack does not need your site to be hacked first; it only needs your site to be loadable inside an iframe on a different domain. The fix is to tell browsers that your site may never be framed by anyone except you, which is exactly what security headers do.

How WP Ghost Prevents Clickjacking

WP Ghost adds two layers of clickjacking protection through the Header Security feature:

X-Frame-Options header. WP Ghost sets this to SAMEORIGIN by default, which tells browsers your pages can only be framed by your own domain, not by any third-party site. If an attacker tries to load your site in an iframe on their domain, the browser refuses. You can also set it to DENY for the strictest setting, which blocks framing entirely, including by your own pages. Full reference in the Header Security guide.

Content-Security-Policy with frame-ancestors. CSP is the modern replacement for X-Frame-Options and offers finer control. The frame-ancestors directive specifies exactly which domains (if any) may frame your pages. Setting it to 'none' prevents all framing, which is ideal for admin areas and checkout pages. WP Ghost lets you customize the full CSP policy at WP Ghost > Firewall > Header Security. Details in the Content Security Policy guide.
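To make the two layers concrete, here is an added example (not WP Ghost code) that models how a browser decides whether one page may frame another from the X-Frame-Options and Content-Security-Policy frame-ancestors headers described above. It goes slightly beyond the article by also matching scheme-only and wildcard host sources, which CSP allows, and it shows the precedence rule: when a CSP frame-ancestors directive is present, browsers use it and ignore X-Frame-Options. The site and attacker URLs are constructed for illustration.

```python
"""Model of a browser's framing decision from X-Frame-Options and the CSP
frame-ancestors directive.

Added example for this article; it is not WP Ghost code. The origins and
header values below are constructed for illustration only.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed example: the page to protect and a page on an attacker's site.
PROTECTED_PAGE = "https://shop.example/checkout"
ATTACKER_PAGE = "https://evil.example/win-a-prize"


def origin(url: str) -> tuple[str, str, int | None]:
    """Return (scheme, host, port) for a URL; the port defaults per scheme."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, p.hostname.lower(), port)


def ancestor_matches(source: str, page_url: str, embedder_url: str) -> bool:
    """Match one frame-ancestors source expression against the embedder.

    Supports 'none', 'self', scheme-only sources such as "https:", and host
    sources with an optional scheme, leading wildcard and port.
    """
    s = source.strip().lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return origin(page_url) == origin(embedder_url)
    e_scheme, e_host, e_port = origin(embedder_url)
    if s.endswith(":") and "/" not in s:          # scheme-only source, e.g. "https:"
        return e_scheme == s[:-1]
    scheme, _, rest = s.rpartition("://")          # the scheme part is optional
    host, _, port = rest.partition(":")
    if scheme and scheme != e_scheme:
        return False
    if port and port != "*" and int(port) != e_port:
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])           # "*.example" matches "a.example"
    return e_host == host


def csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP value, or None if the
    policy has no such directive. An empty list means no ancestor is allowed."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(headers: dict[str, str], page_url: str, embedder_url: str) -> bool:
    """Decide whether embedder_url may load page_url in an iframe.

    A CSP frame-ancestors directive takes precedence; X-Frame-Options is
    consulted only when the CSP does not restrict framing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        return any(ancestor_matches(src, page_url, embedder_url) for src in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(page_url) == origin(embedder_url)
    return True   # absent or unrecognised value: the browser default is to allow framing


def demo() -> dict[str, bool]:
    """Evaluate the article's settings for the attacker's page and for the site itself."""
    policies = {
        "not set": {},
        "SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
        "DENY": {"X-Frame-Options": "DENY"},
        "CSP none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    }
    results = {}
    for name, hdrs in policies.items():
        results[f"{name} / attacker"] = framing_allowed(hdrs, PROTECTED_PAGE, ATTACKER_PAGE)
        results[f"{name} / own site"] = framing_allowed(hdrs, PROTECTED_PAGE, "https://shop.example/help")
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22} -> {'framing allowed' if allowed else 'framing BLOCKED'}")
```

Running the script prints one line per combination; only the "not set" policy lets the attacker's page frame the checkout, while frame-ancestors 'none' and DENY block even the site's own pages, which is the trade-off the article notes for page builders.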

How to Enable Clickjacking Protection

Step 1. Open Header Security

Go to WP Ghost > Firewall > Header Security in your WordPress dashboard.

Step 2. Enable Security Headers

Switch on Add Security Headers for XSS and Code Injection Attacks. This activates X-Frame-Options along with six other security headers (HSTS, CSP, X-XSS-Protection, X-Content-Type-Options, COEP, COOP). Click Save.

Step 3. Verify with SecurityHeaders.com

Visit securityheaders.com, enter your domain, and run the scan. You should see a green X-Frame-Options entry and, if you customized CSP, a green Content-Security-Policy entry with frame-ancestors listed. If either shows as red or missing, re-check your header settings and clear your cache.

X-Frame-Options Settings at a Glance

Setting      Effect                                             Best For
DENY         No site can frame your pages, not even your own    Sites that never need iframes
SAMEORIGIN   Only your own domain can frame your pages          Most sites (default and recommended)
Not set      Any site can frame your pages                      Not recommended, vulnerable to clickjacking

Why Clickjacking Prevention Fits the WP Ghost Approach

WP Ghost is built on proactive hack prevention, stopping attacks before they succeed, rather than cleaning up after a breach. Clickjacking is a perfect example: it exploits a browser default (any site can frame any other site) that has no legitimate reason to apply to a WordPress admin or checkout page. Setting the right headers once closes the door permanently, with no ongoing maintenance. Clickjacking protection is one of the 115+ free features WP Ghost includes alongside path security, the 8G firewall, brute force protection, 2FA, and the full security headers suite.

Frequently Asked Questions

Do I need to do anything beyond enabling headers?

For most sites, no. The default SAMEORIGIN setting blocks cross-origin framing, which is what clickjacking needs. If your site requires stricter protection (for example a banking or payments page that should never be framed at all), change X-Frame-Options to DENY or set CSP’s frame-ancestors to 'none'.

Will this break my page builder or embedded content?

Sometimes. Page builders that use iframes for preview (like Elementor’s edit mode) can conflict with DENY but work fine with SAMEORIGIN. Embedded content from third-party domains (YouTube, Vimeo, Stripe checkout) is not affected because those iframes are on your page, not your page framed elsewhere. If something breaks, see PDFs and iframes not loading in the frontend.

Is X-Frame-Options still needed if I use CSP?

Both are worth having. Modern browsers prefer CSP’s frame-ancestors, but older browsers that do not support CSP still rely on X-Frame-Options. WP Ghost sets both by default for maximum compatibility across browser versions.

How do I test if my site is vulnerable to clickjacking?

Run your domain through securityheaders.com and look at the X-Frame-Options and Content-Security-Policy rows. A green grade on both means framing is properly restricted. You can also open your browser DevTools (F12), load your site, check the Network tab, select the main request, and look at the Response Headers for X-Frame-Options and Content-Security-Policy.
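The DevTools check above can be automated. The following added example (not WP Ghost code and not the securityheaders.com scanner) takes a raw HTTP response, extracts the two headers, and rates each one the way a header scanner's green/red rows do, with a reason the site owner can act on. The response text is constructed, not captured from a real site; to check a live site you would substitute the response of the main document request from the Network tab.

```python
"""Offline check of the two anti-clickjacking headers in an HTTP response.

Added example for this article; it is not WP Ghost code and not the
securityheaders.com scanner. SAMPLE_RESPONSE is constructed, not captured.
"""
from __future__ import annotations

# Constructed sample: a CSP is present but it never mentions frame-ancestors,
# so only X-Frame-Options actually restricts framing here.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; img-src *\r\n"
    "\r\n"
    "<!doctype html><html>...</html>"
)


def parse_headers(raw: str) -> dict[str, str]:
    """Split the header block of a raw response into a lower-cased dict.

    Only the first occurrence of a repeated header is kept; browsers enforce
    every CSP header they receive, so a second CSP would need its own check.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:       # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def clickjacking_report(headers: dict[str, str]) -> dict[str, str]:
    """Rate each header as 'ok', 'weak' or 'missing' with a short reason."""
    report: dict[str, str] = {}
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        report["x-frame-options"] = f"ok: {xfo}"
    elif xfo.startswith("ALLOW-FROM"):
        report["x-frame-options"] = ("weak: ALLOW-FROM is obsolete and ignored by current "
                                     "browsers; use CSP frame-ancestors instead")
    elif xfo:
        report["x-frame-options"] = f"weak: unrecognised value {xfo!r} is ignored by browsers"
    else:
        report["x-frame-options"] = "missing: header not set"

    csp = headers.get("content-security-policy", "")
    ancestors = None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            ancestors = parts[1:]
    if not csp:
        report["content-security-policy"] = "missing: header not set"
    elif ancestors is None:
        report["content-security-policy"] = ("weak: CSP present but has no frame-ancestors "
                                             "directive, so it does not restrict framing")
    elif "*" in ancestors:
        report["content-security-policy"] = "weak: frame-ancestors * allows any site to frame the page"
    else:
        # An empty source list matches no ancestor, which is the same as 'none'.
        report["content-security-policy"] = "ok: frame-ancestors " + (" ".join(ancestors) or "'none'")
    return report


def is_framing_restricted(headers: dict[str, str]) -> bool:
    """True when at least one of the two headers actually restricts framing."""
    return any(v.startswith("ok") for v in clickjacking_report(headers).values())


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_RESPONSE)
    for name, verdict in clickjacking_report(parsed).items():
        print(f"{name:25} {verdict}")
    print("framing restricted:", is_framing_restricted(parsed))
```

For the constructed response the report shows X-Frame-Options as ok and the CSP as weak, which matches the article's point that a CSP only counts toward clickjacking protection when it carries a frame-ancestors directive.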

Does clickjacking protection affect SEO?

No. Security headers are a few bytes added to each HTTP response. They have zero impact on page load time, rendering, or search rankings. Google Lighthouse actually checks for them in its security audit, so proper headers can slightly improve your site’s overall technical score.

Does WP Ghost modify WordPress core files?

No. Security headers, including clickjacking protection, are added through server configuration and PHP output buffering. No core files are moved, renamed, or edited. Disabling Header Security in WP Ghost removes all headers instantly.