• Resolved one3rdnerd

    (@one3rdnerd)


    A client of mine recently had an email from an ethical hacker pointing out that

    1) Clickjacking was possible due to a lack of X-Frame-Options settings.

    Looking this up on Google along with Wordfence didn’t seem to show anything so:

    a) Does Wordfence protect against this in the free or pro versions?
    b) Is this even a worry? Perhaps Wordfence doesn’t deem it necessary?

    2) They also mentioned DMARC settings not being set in the DNS. Obviously this is beyond the scope of Wordfence, but I thought I’d ask in case any security pros can weigh in on that too.

    I did some tests on several other websites and found that none of the sites had either of the above covered, which led me to wonder if this is more scaremongering than anything?

    Thanks in advance.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @one3rdnerd and thanks for reaching out to us!

    I have seen these emails in the past and as you mentioned, they are a type of scaremongering attempt for you to hire their services.

    The Clickjacking that he might have mentioned can be addressed. X-Frame-Options (which also addresses iframe security) can be restricted so that your site cannot be included within an iframe on another site. The insecure iframe mentioned may be because the site included in the iframe on your site isn’t loaded over HTTPS. You can rectify this in the code for your page by adding the “S” if the site in question has a security certificate.

    <IfModule mod_headers.c>
        Header set x-frame-options SAMEORIGIN
    </IfModule>

    As for the DMARC, you might want to reach out to your host about that information as it can differ from host to host.

    I hope this helps!

    Thanks again!
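
The two checks raised in this thread, as an added example that is not part of the original posts or of Wordfence's code: it classifies a response's framing protection and reads the policy from a DMARC TXT record. It goes beyond the thread by also honouring the CSP `frame-ancestors` directive, the newer counterpart of X-Frame-Options; the function names and sample inputs are assumptions made for illustration.

```python
# Added example; every input in the demo is constructed for illustration.

def framing_policy(headers):
    """Classify clickjacking protection from a dict of HTTP response headers."""
    # Header names are case-insensitive (the thread's snippet sends it lowercase).
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Browsers that support CSP frame-ancestors let it override X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "protected: CSP frame-ancestors 'none'"
            if "*" in sources:
                return "unprotected: CSP frame-ancestors allows any origin"
            return "restricted: CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected: X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM and misspelled values are ignored by current browsers.
        return "unprotected: unsupported X-Frame-Options value " + xfo
    return "unprotected: no framing header"

def dmarc_policy(txt_records):
    """Return the p= tag from the TXT records at _dmarc.<domain>, or None."""
    for record in txt_records:
        pairs = (tag.partition("=") for tag in record.split(";"))
        tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
        if tags.get("v") == "DMARC1":
            return tags.get("p", "").lower() or None
    return None

if __name__ == "__main__":
    print(framing_policy({"x-frame-options": "SAMEORIGIN"}))
    print(framing_policy({"Server": "Apache"}))
    print(dmarc_policy(["v=spf1 -all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
```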

    Thread Starter one3rdnerd

    (@one3rdnerd)

    Thank you Adam, that was all very useful. I will mark this as closed and try these two options.

    I did think the email was overselling it and using a scaremongering tactic but it’s always good to get a professional opinion.

    I appreciate you.

  • The topic ‘Does wordfence stop clickjacking’ is closed to new replies.