WordPress Frames Hack

For security reasons, by default, in the later versions of WordPress – (not sure which version this started with) – you cannot load a WordPress site within a frameset of another page.

This prevents people with malicious intent, from hi-jacking your site inside a frame within their own site, and possibly stealing information from within your installation. A most sensible precaution.

However, there are times where you may in fact want to do this yourself.

If you must do it – and please, only do it if you really know what you are doing, because you may open up a security hole in your site – it is as simple as changing a single line of code.

Inside the “wp-includes” folder within your WordPress installation, edit the “default-filters.php” file, and remove – (or comment out) – the following line:

add_action( 'login_init', 'send_frame_options_header', 10, 0 );

This line should be at or around line 225.

That’s it. Done.

Your WordPress installation should now load inside a frame.

  • Anonymous

    Interesting, in the past I’ve used php’s include and a div

    • Yeah – deleting the line stops the PHP being delivered with a header that tells browsers not to allow it in a frame.