Security Tips

Clickjacking on WordPress: How Invisible Frames Hijack Your Clicks

Clickjacking layers an invisible copy of your site over a decoy page so victims click things they never intended. Learn how it works and the one header that stops it.

WPSentry TeamJuly 16, 20263 min read
Table of Contents 6 sections

What Is Clickjacking?

Clickjacking, also known as UI redressing, is an attack that tricks users into clicking something different from what they think they are clicking. The attacker loads your real website inside an invisible or disguised iframe and places it precisely over a decoy page. The victim interacts with the decoy, but every click passes through to the hidden layer, which is your site.

How Clickjacking Works

  1. The attacker builds a page with a tempting element, such as a button that says Play Video or Claim Prize.
  2. They load your site in an iframe on top of that page and set its opacity to zero, making it invisible.
  3. They align a sensitive control on your site, such as a confirm or delete button, directly over the decoy button.
  4. The victim clicks what looks like Play Video, but the click actually lands on the hidden control on your site.
  5. Because the victim is logged in, the browser sends their session cookies automatically, so the action runs with their authority.

What an Attacker Can Achieve

  • Force a logged-in administrator to confirm a dangerous action while they believe they are doing something harmless.
  • Trick a user into changing account settings, granting permissions, or publishing content.
  • Approve a transaction or authorize a connected app on the victim's behalf.
  • Harvest a like, follow, or share to inflate reach, a lighter form sometimes called likejacking.

Login does not protect you

Clickjacking specifically targets authenticated users. The victim's own session performs the hijacked action, so requiring login is not a defense on its own.

How to Prevent Clickjacking

The fix is straightforward: tell browsers never to render your site inside another site's frame. You do this with two headers.

1. X-Frame-Options

This older header is supported everywhere. Use SAMEORIGIN to allow framing only by your own domain, or DENY to forbid framing entirely.

X-Frame-Options: SAMEORIGIN

2. Content-Security-Policy frame-ancestors

This modern directive replaces X-Frame-Options and is more flexible. It lets you specify exactly which origins may frame your site.

Content-Security-Policy: frame-ancestors 'self'

Sending both headers gives you the widest browser coverage. Most security plugins and WordPress hardening tools can add them, or you can set them in your server configuration.

Clickjacking Protection Checklist

  • Set X-Frame-Options to SAMEORIGIN or DENY across the whole site, including wp-admin.
  • Add a Content-Security-Policy with a frame-ancestors directive.
  • Only allow trusted origins if you genuinely need your site to be embedded elsewhere.
  • Retest after any hosting or CDN change, since proxies sometimes strip security headers.

How to Detect Missing Framing Protection

Our WordPress Security Scanner checks whether your site sends X-Frame-Options and a Content-Security-Policy with frame-ancestors, and flags pages that can be framed by any origin. Run a free scan to confirm your site cannot be silently embedded and clickjacked.

FAQ

Frequently Asked Questions

Clickjacking, also called UI redressing, is an attack that loads your website inside an invisible or disguised iframe on a page the attacker controls. The victim thinks they are clicking something on the decoy page, but their click actually lands on a hidden element of your real site.

By hijacking clicks, an attacker can make a logged-in user unknowingly change settings, approve an action, publish content, delete data, or authorize a transaction. On a WordPress admin, a hidden click could confirm a dangerous action while the victim believes they are doing something else.

Send framing protection headers. Set X-Frame-Options to SAMEORIGIN or DENY, and add a Content-Security-Policy frame-ancestors directive. These tell browsers to refuse to render your site inside another site's frame, which defeats the attack.

X-Frame-Options is the older header supported by all browsers and offers DENY or SAMEORIGIN. The Content-Security-Policy frame-ancestors directive is the modern replacement that is more flexible and can allow specific trusted origins. Sending both gives the widest coverage.

Yes. Clickjacking targets users who are already logged in. Because the browser sends the victim's session cookies automatically to the framed site, the hijacked clicks are performed with the victim's own authenticated session.

Tags

Related Posts