1 comment

  1. Since version 3.4 (or earlier?) WordPress sends a special HTTP header (not in HTML) on login and admin pages:

    X-Frame-Options: SAMEORIGIN
    

    So your browser will show you some text built into the browser, not sent from WordPress.

    From wp-includes/default-filters.php:

    add_action( 'login_init', 'send_frame_options_header', 10, 0 );
    add_action( 'admin_init', 'send_frame_options_header', 10, 0 );
    

    You could create a plugin and disable these headers:

    remove_action( 'login_init', 'send_frame_options_header' );
    remove_action( 'admin_init', 'send_frame_options_header' );
    

    But then your login can be used for clickjacking. Someone might register a domain with a very similar name, embed your login as a background iframe and log the login credentials when you try to type them in.

    That’s not fictional. It actually happened; that’s why WordPress implemented this.

    Drop the iframe. Try to find a better solution.
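A quick way to verify what the comment above describes, as an added example that is not part of the original post or of WordPress itself: a small Python checker that reads a page's response headers and decides whether another origin could frame it. It goes slightly beyond the comment by also handling the CSP `frame-ancestors` directive, which current browsers honour in preference to `X-Frame-Options` when both are present. The sample header sets (`WP_LOGIN`, `STRIPPED`, `CSP_ONLY`, `CSP_OVERRIDES`) are constructed for the example; `fetch_headers()` is a convenience for running it against a real `wp-login.php` and is not used by the offline samples.

```python
"""Classify a page's framing policy from its HTTP response headers.

Added example (not from the original post or WordPress). Mirrors the browser
rules: a CSP frame-ancestors directive wins over X-Frame-Options; X-Frame-Options
DENY / SAMEORIGIN restrict framing; anything else leaves the page frameable.
"""
import urllib.request
from typing import List, Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def frame_policy(headers: Mapping[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'allowlist' or 'any'.

    'any' means a page on another origin can embed this one in an <iframe>.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # frame-ancestors is present: browsers ignore X-Frame-Options from here on.
            lowered = [s.strip("'").lower() for s in sources]
            if lowered == ["none"]:
                return "deny"
            if lowered == ["self"]:
                return "sameorigin"
            if "*" in lowered:
                return "any"
            return "allowlist"

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().lower()
        if value == "deny":
            return "deny"
        if value == "sameorigin":
            return "sameorigin"
        # ALLOW-FROM and any other value are not understood by current browsers,
        # so the header gives no protection at all in that case.
        return "any"
    return "any"


def clickjackable(headers: Mapping[str, str]) -> bool:
    """True when a cross-origin page could overlay this one for clickjacking."""
    return frame_policy(headers) == "any"


def fetch_headers(url: str) -> dict:
    """Fetch live response headers, e.g. for https://example.org/wp-login.php (assumed URL)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample header sets for offline use.
WP_LOGIN = {"Content-Type": "text/html; charset=UTF-8", "X-Frame-Options": "SAMEORIGIN"}
STRIPPED = {"Content-Type": "text/html; charset=UTF-8"}  # after remove_action()
CSP_ONLY = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://intranet.example"}
CSP_OVERRIDES = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"}

if __name__ == "__main__":
    for name, hdrs in [("WP_LOGIN", WP_LOGIN), ("STRIPPED", STRIPPED),
                       ("CSP_ONLY", CSP_ONLY), ("CSP_OVERRIDES", CSP_OVERRIDES)]:
        print(f"{name:14s} policy={frame_policy(hdrs):10s} clickjackable={clickjackable(hdrs)}")
```

`STRIPPED` is what the login page looks like once the `remove_action()` calls from the comment are in place, and the checker flags it as frameable; `CSP_OVERRIDES` shows why a `DENY` header alone is not proof of safety if another plugin or the web server adds a permissive `frame-ancestors`.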