How to mitigate Clickjacking/UI redressing in WordPress

Updated on September 6, 2023


Mitigating Clickjacking (UI redressing) on a WordPress website means adding security measures that prevent attackers from embedding your site's pages in malicious iframes and manipulating what the user sees.

What is Clickjacking?

Clickjacking, or UI redressing, is a common interface-based attack. It is a malicious technique for tricking users into clicking on something different from what they perceive, potentially revealing confidential information or triggering unintended actions. The attacker effectively "hijacks" clicks meant for their page and routes them to another page, most likely owned by another application, domain, or both.


Image: clickjacking (image courtesy: portswigger.net)

How to test for Clickjacking?

Create a test.html file on your desktop with the following contents and open it in the browser.

Change the domain name in the snippet below to the site you want to test.

<!DOCTYPE html>
<html>
<head><title>Clickjacking test</title></head>
<body>
<h1>WEBSITE IS VULNERABLE TO CLICKJACKING</h1>
<!-- Replace the src with the site under test; if it renders here, framing is not blocked -->
<iframe width="100%" height="80%" src="https://techglimpse.com"></iframe>
</body>
</html>

If the browser renders the website inside the frame, the website is vulnerable to clickjacking.


Another way is to visit clickjacker.io and check the domain name there.


How to mitigate Clickjacking or UI Redressing in WordPress?

In most cases, preventing the application from being loaded inside an iframe is sufficient to stop browser-based clickjacking attacks.

Add the code below to your wp-config.php, replacing techglimpse.com with your own domain. It allows the page to be rendered in an iframe only when the framing page comes from the same origin (X-Frame-Options) or from the listed domain (frame-ancestors).

// Legacy prefixed header honoured only by old Firefox builds; modern browsers ignore it.
header('X-Content-Security-Policy: frame-ancestors https://*.techglimpse.com');
// Standard CSP directive: only pages on techglimpse.com subdomains may frame this site.
header('Content-Security-Policy: frame-ancestors https://*.techglimpse.com');
// Fallback for browsers without frame-ancestors support; ignored when CSP frame-ancestors is present.
header('X-Frame-Options: SAMEORIGIN');
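To see which of these three headers a browser will actually honour, the following added example (not code from the article or from WordPress) evaluates a captured set of response headers the way current browsers do: a CSP frame-ancestors directive takes precedence over X-Frame-Options, and the legacy X-Content-Security-Policy header is ignored. The header sets at the bottom are constructed samples mirroring the article's before and after state.

```python
# Added example (not from the article): decide whether a set of HTTP response
# headers prevents framing, using browser precedence rules.

def frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def check_frame_protection(headers):
    """headers: dict of response header name -> value (names matched case-insensitively).
    Returns (protected: bool, reason: str)."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:              # CSP frame-ancestors wins over X-Frame-Options
        if ancestors == ["'none'"]:
            return True, "CSP frame-ancestors 'none' blocks all framing"
        if "*" in ancestors:
            return False, "CSP frame-ancestors allows any origin (*)"
        return True, "CSP frame-ancestors restricts framing to: " + " ".join(ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo} (no CSP frame-ancestors present)"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete; browsers treat it as invalid"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"
    if "x-content-security-policy" in h:
        return False, "only the legacy X-Content-Security-Policy header is set; modern browsers ignore it"
    return False, "no anti-framing header: page can be embedded in an iframe"

# Constructed sample header sets (not captured from a real site).
SAMPLES = {
    "before": {"Content-Type": "text/html"},
    "after": {
        "X-Content-Security-Policy": "frame-ancestors https://*.techglimpse.com",
        "Content-Security-Policy": "frame-ancestors https://*.techglimpse.com",
        "X-Frame-Options": "SAMEORIGIN",
    },
    # CSP is present and permissive, so the stricter X-Frame-Options is ignored.
    "csp_wins": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = check_frame_protection(hdrs)
        print(f"{name}: {'protected' if ok else 'VULNERABLE'} - {why}")
```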

Open the test page again to verify that the website can no longer be embedded in an iframe.


Also, verify with clickjacker.io.


Find more ways to prevent clickjacking here.
