Table of Contents 6 sections
What Is Clickjacking?
Clickjacking, also known as UI redressing, is an attack that tricks users into clicking something different from what they think they are clicking. The attacker loads your real website inside an invisible or disguised iframe and places it precisely over a decoy page. The victim interacts with the decoy, but every click passes through to the hidden layer, which is your site.
How Clickjacking Works
- The attacker builds a page with a tempting element, such as a button that says Play Video or Claim Prize.
- They load your site in an iframe on top of that page and set its opacity to zero, making it invisible.
- They align a sensitive control on your site, such as a confirm or delete button, directly over the decoy button.
- The victim clicks what looks like Play Video, but the click actually lands on the hidden control on your site.
- Because the victim is logged in, the browser sends their session cookies automatically, so the action runs with their authority.
What an Attacker Can Achieve
- Force a logged-in administrator to confirm a dangerous action while they believe they are doing something harmless.
- Trick a user into changing account settings, granting permissions, or publishing content.
- Approve a transaction or authorize a connected app on the victim's behalf.
- Harvest a like, follow, or share to inflate reach, a lighter form sometimes called likejacking.
Login does not protect you
Clickjacking specifically targets authenticated users. The victim's own session performs the hijacked action, so requiring login is not a defense on its own.
How to Prevent Clickjacking
The fix is straightforward: tell browsers never to render your site inside another site's frame. You do this with two headers.
1. X-Frame-Options
This older header is supported everywhere. Use SAMEORIGIN to allow framing only by your own domain, or DENY to forbid framing entirely.
X-Frame-Options: SAMEORIGIN
2. Content-Security-Policy frame-ancestors
This modern directive replaces X-Frame-Options and is more flexible. It lets you specify exactly which origins may frame your site.
Content-Security-Policy: frame-ancestors 'self'
Sending both headers gives you the widest browser coverage. Most security plugins and WordPress hardening tools can add them, or you can set them in your server configuration.
Clickjacking Protection Checklist
- Set X-Frame-Options to SAMEORIGIN or DENY across the whole site, including wp-admin.
- Add a Content-Security-Policy with a frame-ancestors directive.
- Only allow trusted origins if you genuinely need your site to be embedded elsewhere.
- Retest after any hosting or CDN change, since proxies sometimes strip security headers.
How to Detect Missing Framing Protection
Our WordPress Security Scanner checks whether your site sends X-Frame-Options and a Content-Security-Policy with frame-ancestors, and flags pages that can be framed by any origin. Run a free scan to confirm your site cannot be silently embedded and clickjacked.
FAQ
Frequently Asked Questions
Clickjacking, also called UI redressing, is an attack that loads your website inside an invisible or disguised iframe on a page the attacker controls. The victim thinks they are clicking something on the decoy page, but their click actually lands on a hidden element of your real site.
By hijacking clicks, an attacker can make a logged-in user unknowingly change settings, approve an action, publish content, delete data, or authorize a transaction. On a WordPress admin, a hidden click could confirm a dangerous action while the victim believes they are doing something else.
Send framing protection headers. Set X-Frame-Options to SAMEORIGIN or DENY, and add a Content-Security-Policy frame-ancestors directive. These tell browsers to refuse to render your site inside another site's frame, which defeats the attack.
X-Frame-Options is the older header supported by all browsers and offers DENY or SAMEORIGIN. The Content-Security-Policy frame-ancestors directive is the modern replacement that is more flexible and can allow specific trusted origins. Sending both gives the widest coverage.
Yes. Clickjacking targets users who are already logged in. Because the browser sends the victim's session cookies automatically to the framed site, the hijacked clicks are performed with the victim's own authenticated session.
Tags
Related Posts
Zero-Day Plugin Exploits on WordPress: Attacks Before a Patch Exists
A zero-day plugin exploit attacks a flaw before the developer has a fix. Learn what makes them dangerous and how to reduce your exposure to the unknown.
Cryptojacking on WordPress: When Hackers Mine Cryptocurrency With Your Resources
Cryptojacking hijacks your server or your visitors' browsers to mine cryptocurrency. Learn how to spot the signs, clean the infection, and prevent it.
Card Skimming and Magecart on WordPress: How Attackers Steal Payment Data at Checkout
Card skimming injects invisible code into your checkout to steal customer payment details. Learn how Magecart-style attacks hit WooCommerce and how to stop them.