=== WP Anti-Clickjack === Contributors: someguy9 Donate link: https://www.buymeacoffee.com/someguy Tags: anti click jacking, security, Browser Frame Breaking Script, clickjacking Requires at least: 5.0.0 Tested up to: 6.9 Stable tag: 1.8.0 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html Protect Your WordPress Site From Clickjacking Attacks by Adding the X-Frame-Options Header and Owasp's Legacy Browser Frame Breaking Script. == Description == WP Anti-Clickjack is a powerful security plugin that helps prevent your WordPress site from being vulnerable to clickjacking attacks. Clickjacking is a malicious technique where an attacker tricks users into clicking on a concealed link or button by overlaying it on your legitimate website. This plugin implements two key defense mechanisms: 1. **X-Frame-Options Header**: The plugin adds the `X-Frame-Options: SAMEORIGIN` HTTP header to your site's responses. This header instructs web browsers to prevent other websites from embedding your site within an iframe, effectively blocking clickjacking attempts. 2. **OWASP's Legacy Browser Frame Breaking Script**: The plugin includes a modified version of OWASP's legacy browser frame breaking script. This script prevents other sites from putting your site in an iframe, even in browsers that don't support the X-Frame-Options header. The script is optimized to work seamlessly in browsers with and without JavaScript enabled. By combining these two security measures, WP Anti-Clickjack provides comprehensive protection against clickjacking attacks, ensuring the safety and integrity of your WordPress site. For more information about clickjacking defense techniques, refer to the [OWASP Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html). = Features = - Adds the `X-Frame-Options: SAMEORIGIN` HTTP header to prevent clickjacking - Includes a modified version of OWASP's legacy browser frame breaking script - Compatible with popular page builders and editors like Elementor, Divi, WPBakery, Bricks, Breakdance, Oxygen, and more - Provides filters to disable the anti-clickjacking measures when needed - Easy to install and configure - Regularly updated and tested with the latest WordPress versions = Additional Details = If you need to disable the clickjacking JavaScript on a specific page, you can use the following filter in your theme's `functions.php` file: `add_filter('wp_anti_clickjack', '__return_false');` To disable the clickjacking X-Frame-Options HTTP header, use this filter in your theme's `functions.php` file: `add_filter('wp_anti_clickjack_x_frame_options_header', '__return_false');` == Installation == 1. Download the plugin from the WordPress.org repository or your WordPress admin dashboard. 2. Upload the plugin files to the `/wp-content/plugins/wp-anti-clickjack` directory, or install the plugin through the WordPress admin interface. 3. Activate the plugin through the 'Plugins' screen in your WordPress admin. 4. The plugin will automatically add the necessary anti-clickjacking measures to your site. == Frequently Asked Questions == = Does this plugin affect my site's performance? = No, WP Anti-Clickjack is designed to have minimal impact on your site's performance. The anti-clickjacking measures are applied efficiently without causing any significant overhead. = Is this plugin compatible with page builders and editors? = Yes, WP Anti-Clickjack is compatible with popular page builders and editors such as Elementor, Divi, WPBakery, Thrive Architect, and more. If you encounter any compatibility issues, please contact me for assistance. = Can I customize the anti-clickjacking behavior? = Yes, the plugin provides filters that allow you to disable the clickjacking JavaScript and the X-Frame-Options header when needed. You can use these filters in your theme's `functions.php` file to fine-tune the plugin's behavior. == Changelog == = 1.8.0 = * Tested up to WordPress 6.9 * Added support for Bricks Builder * Added support for Breakdance Builder * Added support for Oxygen Builder * Added support for Spectra / Starter Templates * Added support for Gutenberg Full Site Editor (FSE) * Fixed bug with referrer host comparison logic * Fixed PHP 8+ compatibility issue with parse_url() error handling * Fixed JavaScript cross-origin exception when framed by attacker sites * Removed deprecated language attribute from script tag = 1.7.9 = * Tested up to WordPress 6.5 = 1.7.8 = * Bug fixes for same origin requests = 1.7.7 = * Tested up to WordPress 6.3 * Bug fix for Elementor Pro site editor = 1.7.6 = * Tested up to WordPress 6.2 * PHP warning bug fix = 1.7.5 = * Added support for Avada builder = 1.7.4 = * Tested up to WordPress 6.1 = 1.7.3 = * Tested up to WordPress 6.0 * Bug fix when using the WP customizer and editing widgets = 1.7.2 = * Added support for Divi builder = 1.7.1 = * Tested up to WordPress 5.9 = 1.7.0 = * Added HTTP header X-Frame-Options: SAMEORIGIN to further prevent clickjacking = 1.6.5 = * Tested up to WordPress 5.8 = 1.6.4 = * Tested up to WordPress 5.7 = 1.6.3 = * Support for Cornerstone Page Builder = 1.6.2 = * Support for WPBakery Page Builder = 1.6.1 = * Tested up to WordPress 5.6 = 1.6.0 = * Added filter to disable the anti-clickjack script when needed * Tested up to WordPress 5.5 = 1.5.4 = * Increase WordPress supported version to 5.4 = 1.5.3 = * Increase WordPress supported version to 5.3 = 1.5.2 = * Bug fix for PHP warning = 1.5.1 = * Increase WordPress supported version to 5.2.2 = 1.5.0 = * Bug fix when updating plugins/themes * Support for Thrive editor = 1.4.0 = * Tested up to 4.8.9 and fixed conflicts with Elementor (if you are having an issue with a specific page builder please contact me) = 1.3.0 = * Tested up to 4.8.0 = 1.2.0 = * Tweaked to add anti-clickjacking script to the admin pages = 1.1.1 = * Tested up to 4.7.2 = 1.1 = * Bug fix causing Customizer.php to refresh constantly = 1.0 = * Initial Release