Clickjacking is a malicious web exploit that has been around since the first websites made their way to the Internet. Clickjackers exploit methods for embedding one webpage inside another. Combined with deceptive social engineering, clickjacking attacks maintain a ridiculously high success rate, targeting millions of unsuspecting victims daily.
As the most popular website-building framework in the world, WordPress is a large target for clickjacking. By default, only the WordPress login page and admin area can’t be embedded into another web page. If there are other parts of your site you don’t want to be embedded elsewhere, you have to take action to protect them yourself.
This guide to clickjacking, or user interface redressing attacks, will show you how clickjacking works so you can ensure your WordPress website’s content can’t be used by attackers to steal sensitive information or trick users into doing something that harms them and/or helps the clickjacker.
What is Clickjacking?
As the name suggests, clickjacking hijacks clicks and other web interface actions. It allows the clickjacker to perform an action for their own purposes on behalf of their unsuspecting victims.
The technical name for clickjacking is “interface redressing.” Clickjackers “re-dress” a legitimate web page by embedding it in their own websites, where their own code can stealthily modify what happens when visitors interact with it. This is achieved by embedding legitimate content, such as a login page or a payment screen from a legitimate website or service, on a malicious web page created by the criminal. Visitors can click on a seemingly harmless button, enter some information into a text box, or even perform a drag-and-drop element. They don’t see a hidden interface that performs a different, unexpected action that benefits the attacker.
By disguising their site with your content, clickjackers hope to trick their site visitors into performing otherwise unwanted actions, such as giving away sensitive information or downloading malware.
How Does Clickjacking Work?
Clickjacking attacks take advantage of HTML’s ability to load a webpage from one website within another site’s pages by using the <iframe> element.
Most of the time, user interface redressing attacks rely on the user being logged into a certain website and believing they are on that site when they are interacting with the clickjackers’ “re-dressed” site. This way, the person lured to the malicious web page may perform certain actions the clickjacker wants without realizing they’re not interacting with their bank or a familiar WordPress site.
Five Main Types of Clickjacking
There are quite a few types of clickjacking strategies depending on the attacker’s end goal. They can range from relatively harmless activities (boosting views for their content sites or gaining likes on a post or video) to stealing login information or even money from an unsuspecting victim.
Clickjacking is a highly versatile way of conducting a wide range of malicious activities. Although clickjacking is considered a form of cyber attack, it may also facilitate other attacks, such as XSS, or cross-site scripting, attacks, and even use XSS payloads to facilitate XSRF or cross-site request forgery attacks.
Here are the five most common types of clickjacking attacks:
- Classic Clickjacking. Involves choosing a victim website or service and using its content to trick its users into performing a number of unwanted actions.
- Likejacking. An older variation of clickjacking aimed at boosting views and likes on a certain web page or video. It can be considered rather harmless and is rarely seen these days.
- Cursorjacking. A technique the attacker uses to replace the actual cursor with a fake one in order to trick the user into clicking on the malicious element without realizing it.
- Cookiejacking. A common tactic attackers use to obtain cookies stored by the victim’s browser. Most of the time, the user is invited to perform a seemingly harmless drag-and-drop operation on the attacker’s web page.
- Filejacking. An attack that exploits the browser’s ability to open files on the user’s device, allowing the attacker to access their local file system. In addition to the local file system, the attacker can access the microphone on your device or your location.
Victims of Clickjacking: From Social Media Platforms to Online Payment Systems
Clickjacking got especially popular around ten years ago when major social media platforms such as Facebook and Twitter fell victim to different variations of clickjacking. For example, a clickjacking attack performed in the late 2000s allowed the attackers to trick the victim into sending spam to their entire Facebook friend list in just one click.
The increasing popularity of user interface redressing in the last decade led tech giants to swiftly take appropriate steps to protect their platforms against this type of attack. However, security researchers keep reporting more vulnerabilities affecting large organizations, even today.
One of the most prominent vulnerabilities discovered recently was affecting Paypal. In 2021, threat researchers stumbled upon a vulnerability in Paypal’s money transfer service that could potentially allow attackers to steal money from users’ accounts by exploiting one-click fund transfers. Paypal awarded the researcher and announced plans to address the situation.
The Perfect Trap: Setting up a Clickjacking Attack
Any clickjacking attack involves three main steps: choosing the target or victim website, creating a malicious web page, and luring the targeted site or service’s customers to it.
Step 1. Choosing the Target Website
Since the vast majority of large organizations enforce strong security measures that prevent attackers from performing clickjacking attacks against their customers, hackers often target smaller businesses. WordPress websites are especially attractive to criminals as the software does not enforce any default security measures preventing WordPress content from being embedded in the attacker’s website.
The WordPress login page and the admin dashboard do serve as exceptions, but the responsibility for protecting the rest of the site falls to the website owner. The next time you wonder why a hacker would attack your website, the answer is simple: it’s easy and convenient for a hacker to target you, especially if you’re not keeping your WordPress software updated. Given the many vulnerabilities constantly emerging in WordPress plugins and themes, it’s essential to make good choices about what to install, and then to keep all of that software updated. Otherwise, you are making yourself an easy target.
Depending on the type of WordPress website you operate and the content you publish, an attacker can target different parts of it. WordPress clickjacking often targets web forms, login pages outside the WordPress admin, and WooCommerce checkout pages with one-click checkout enabled.
Step 2. Creating a Malicious Web Page
Once the target website is chosen and found vulnerable to clickjacking, the attacker creates a malicious web page to trick users into performing a certain action. WordPress clickjacking is likely to target ecommerce functionality, but stealing credentials and sending spam remains a common goal set by attackers.
A good example of clickjacking is a page claiming you have won a prize and inviting you to claim it. By clicking on the “Claim my prize” button, you are actually giving away personal information or confirming a purchase or a money transfer.
Step 3. Luring the Target Website’s Users Into the Trap
For a clickjacking attack to succeed, the attacker must make users open their malicious web page and believe it is part of a legitimate, familiar site. This can be achieved in many ways, possibly by sending a link to it in an email or redirecting a user from an infected third-party website that the attacker previously hacked into.
If you don’t click links in unusual, unexpected, or suspicious emails, texts, or chats, the likelihood of a clickjacking attempt succeeding is very low, even if the attacker’s malicious web page looks perfectly legitimate and doesn’t raise your suspicion. Modern browsers also employ a wide range of protections against clickjacking, and the combination of your vigilance and current browser technology can significantly reduce the success rate of any UI redressing attacks.
How Not to Fall Victim to Clickjacking
To protect yourself from all types of clickjacking, avoid opening suspicious emails, advertisements, and links to websites. Never install software from unverified sources. Since clickjacking relies on deceptive social engineering practices, learning how to spot them is your best defense. Beyond that, you should keep all your browsers and operating systems updated to their latest versions. You can also install robust browser security extensions and use modern antivirus software to ensure you do not fall victim to clickjacking and other dangerous cyberattacks.
Be Suspicious of Invitations to Click a Link
Clickjackers often send links to potential victims by email, SMS, and messaging apps. If you’ve done nothing to request or trigger such a message, look at its origin. Clickjackers will often send messages from domains, subdomains, and account names that are similar to a legitimate site, like Paypal. See if you can detect the small differences that make these suspicious senders:
- [name]@paypal.app1.com
- [name]@PaypaI.com
In the first case, “paypal” is a subdomain anyone can attach to a domain they control, which is “app1.com” in this case. That’s not Paypal.
In the second case, the lowercase ‘l’ has been replaced with an uppercase ‘I’, which is identical in many common fonts. Clickjackers have often registered slightly misspelled domains like these to trick people into believing they are from a legitimate sender.
You can also look at email headers to see a message’s origin. Familiarize yourself with the domains and email addresses used by your financial institutions and other important accounts. They will also have a policy outlining how they will or will not contact you and how they will identify themselves. Don’t trust any communications that fall outside these parameters. Better to be safe than sorry!
Install Anti-Clickjacking Browser Extensions
In addition to the built-in security features of your browser, anti-clickjacking browser extensions can give you a higher level of protection against clickjacking and cross-site scripting attacks. NoScript is the most popular cross-browser extension supported by Google Chrome, Mozilla Firefox, and Microsoft Edge. JS Blocker is a great alternative to NoScript for Safari users.
Three Steps to Protect Your WordPress Website Against Clickjacking
WordPress protects the admin dashboard and its login page from clickjacking by default, but all other areas of your website need additional protection. The number of attacks that can be performed against most websites today makes security the highest priority for site owners.
Fortunately, there are many ways to protect yourself against WordPress clickjacking. You should combine several approaches to ensure they are supported by all browsers. Moreover, a combination of security measures will help ensure your website’s content is protected from all types of malicious activities UI redressing attacks can facilitate.
There are three big steps you can take to secure your WordPress website against clickjacking:
- Set up the X-Frame-Options header to stop anyone from loading your website content in frames on untrusted third-party resources.
- Configure the Content Security Policy (CSP) frame-ancestors directive to specify what websites can embed your website’s pages in frames. (Normally, this can be set to “none.”)
- Use the SameSite cookie attribute of the Set-Cookie header to defend against both clickjacking and cross-site request forgery (CSRF) attempts.
Using .htaccess to Configure HTTP Response Headers for WordPress
Response headers are HTTP headers used to define specific variables for the client-server communication between your site and its visitors’ browsers. They are invisible to your visitors. X-Frame-Options, Content Security Policy, and Set-Cookie are all examples of HTTP response headers.
Although certain WordPress plugins can be used to configure HTTP response headers on a WordPress website, the easiest approach is to use your local .htaccess file. (This assumes your server environment uses Apache or LiteSpeed to serve HTTP requests.) The header configuration specified in the .htaccess file in the website’s root directory is applied to all pages on the website.
The mod_headers Apache module allows you to configure response headers in .htaccess using the Header set and Header append statements. As certain headers can be configured in the web server’s global configuration, it’s sometimes recommended to use Header append to merge the configured value onto an existing response header instead of replacing the existing configuration.
As your hosting provider can configure certain HTTP response headers for all websites by default, it’s best to contact them before making any changes to .htaccess to avoid any issues.
Set up X-Frame-Options Header
The X-Frame-Options header defines whether a web page can be rendered in a frame and, if so, by whom. There are two supported values for X-Frame-Options: DENY and SAMEORIGIN. The ALLOW-FROM value that was previously used is now deprecated.
The DENY value effectively prevents any website from embedding your website’s content in frames. Setting X-Frame-Options to SAMEORIGIN allows content framing if the request is coming from other pages of your website.
To configure the X-Frame-Options header on your WordPress website, add one of the following lines to the .htaccess file in the WordPress installation directory. (Please note the set option is used.)
Header set X-Frame-Options "DENY"
Header set X-Frame-Options "SAMEORIGIN"
Although modern browsers only honor the DENY and SAMEORIGIN values of X-Frame-Options and treat the header as superseded by the CSP frame-ancestors directive, configuring it on your WordPress website will still protect older browsers.
Configure Content Security Policy Frame-Ancestors Directive
The Content Security Policy response header is a powerful security measure that can help mitigate a number of attacks, including clickjacking, cross-site scripting, request forgery, packet sniffing, and data injection attacks. Content Security Policy is supported by all modern browsers.
The frame-ancestors directive of the Content Security Policy can be set to 'none' or 'self' to deny content framing entirely or limit it to pages of the same website, or you can list the trusted origins that are allowed to frame your pages.
Adding the line below to .htaccess will restrict framing all types of content to the current website:
Header set Content-Security-Policy "frame-ancestors 'self'"
The following variation additionally allows framing from mywpsite.com, and only over HTTPS:
Header set Content-Security-Policy "frame-ancestors 'self' https://mywpsite.com"
Add the Set-Cookie Header With the SameSite Attribute
The Set-Cookie response header is used to transfer a cookie from the server to the browser. Configuring the SameSite attribute allows you to restrict the usage of cookies to the current website. This helps ensure protection against clickjacking attacks that require a user to be authenticated on the targeted website and cross-site request forgery.
Setting SameSite to Strict effectively prevents session cookies from being sent if a request is made to the targeted website from within a frame, even if the user is authenticated on the targeted resource. Please note that this measure alone cannot mitigate all types of clickjacking and cross-site request forgery attacks.
To add the SameSite attribute to the Set-Cookie header on your WordPress site, add the following line to the .htaccess file. (Here Header edit is required rather than Header set, because the existing cookie value is rewritten with a regular expression; Header edit changes only the first Set-Cookie header in a response, so use Header edit* if you want every cookie rewritten.)
Header edit Set-Cookie ^(.*)$ "$1; SameSite=Strict; Secure"
Simple Clickjacking Test
You can check whether your website’s content can be loaded in frames from another resource by creating a simple HTML page. Create an HTML file with the code below, provided by OWASP, and open it in your browser. If you do not see the embedded web page in the frame, content framing has successfully been restricted.
Please note that it’s best to upload the page to another website you own, unless you have disabled content framing entirely. In that case, you can create it on the same website you are testing.
<html>
  <head>
    <title>Clickjacking Test</title>
  </head>
  <body>
    <iframe src="https://mywpsite.com/some-page" width="500" height="500"></iframe>
  </body>
</html>
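The iframe test above shows the end result in one browser; the script below is an added example (not part of the original article or of OWASP's test page) that instead inspects the response headers directly for the three controls this guide configures: X-Frame-Options, the CSP frame-ancestors directive, and SameSite on Set-Cookie. It uses only the Python standard library; the URL https://mywpsite.com/some-page is taken from the test page above, and the sample header sets are constructed, not captured from any real site.

```python
"""Assess a page's HTTP response headers for clickjacking protection.

Added example, not part of the original article. The sample header
lists HARDENED and UNPROTECTED are constructed for illustration.
"""
import re
import sys
import urllib.request


def parse_frame_ancestors(csp):
    """Return the source list of a frame-ancestors directive (lowercased),
    or None if the policy contains no such directive."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def samesite_of(set_cookie):
    """Return the SameSite value (lowercased) of one Set-Cookie header,
    or None when the attribute is absent."""
    m = re.search(r";\s*samesite=([^;\s]+)", set_cookie, re.IGNORECASE)
    return m.group(1).lower() if m else None


def assess(headers):
    """headers: list of (name, value) pairs, so repeated Set-Cookie headers
    are all seen. Names are matched case-insensitively.

    Returns {"framing": "blocked" | "same-origin" | "restricted" | "open",
             "source": header that decided the verdict or None,
             "cookies_without_samesite": [cookie names]}
    """
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    csps = [v for n, v in headers if n.lower() == "content-security-policy"]
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    result = {"framing": "open", "source": None, "cookies_without_samesite": []}

    # Browsers that understand frame-ancestors ignore X-Frame-Options when
    # both are present, so CSP is evaluated first.
    for csp in csps:
        srcs = parse_frame_ancestors(csp)
        if srcs is None:
            continue
        if not srcs or srcs == ["'none'"]:      # empty source list blocks everything
            result.update(framing="blocked", source="frame-ancestors")
        elif srcs == ["'self'"]:
            result.update(framing="same-origin", source="frame-ancestors")
        else:
            result.update(framing="restricted", source="frame-ancestors")
        break
    else:
        for value in xfo:
            v = value.strip().upper()
            if v == "DENY":
                result.update(framing="blocked", source="x-frame-options")
            elif v == "SAMEORIGIN":
                result.update(framing="same-origin", source="x-frame-options")
            # ALLOW-FROM is deprecated and ignored by current browsers,
            # so it counts as no protection.
            break

    for c in cookies:
        if samesite_of(c) is None:
            result["cookies_without_samesite"].append(c.split("=", 1)[0].strip())
    return result


def fetch_headers(url):
    """Fetch one URL and return its response headers as (name, value) pairs;
    http.client's HTTPMessage keeps duplicate Set-Cookie headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "clickjack-check/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return list(resp.headers.items())


# Constructed sample responses (cookie name is illustrative only).
HARDENED = [
    ("Content-Security-Policy", "frame-ancestors 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "wordpress_logged_in_abc=1; Path=/; HttpOnly; SameSite=Strict; Secure"),
]
UNPROTECTED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "wordpress_logged_in_abc=1; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. https://mywpsite.com/some-page
        print(assess(fetch_headers(sys.argv[1])))
    else:                                       # offline demonstration
        print("hardened:   ", assess(HARDENED))
        print("unprotected:", assess(UNPROTECTED))
```

Run it with no arguments to see the two constructed header sets assessed offline, or pass a URL of a site you own to assess a live response. A verdict of "open" with cookies lacking SameSite is the state the guide's three .htaccess changes are meant to remove; note that the check reports only what the headers say, so a page that is framed by a page of your own site (SAMEORIGIN or 'self') is still expected to render in the OWASP test above when that test is hosted on the same site.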
Prevent Clickjacking and Other Cyberattacks on Your WordPress Site with iThemes Security Pro
Clickjacking, also known as user interface redressing, exploits the ability to load a web page within another web page in order to trick users into performing otherwise unwanted actions. WordPress Clickjacking has become very common due to the lack of built-in protections that would secure web pages other than the WordPress login page and admin dashboard.
Defend yourself against clickjacking by restricting others’ ability to frame your website’s content using HTTP response headers such as X-Frame-Options, Content-Security-Policy, and Set-Cookie. Using a local .htaccess file in your WordPress installation directory, you can easily apply these security policies sitewide.
Clickjacking remains an active security threat, and cross-site scripting coupled with request forgery often goes hand-in-hand with it. Start protecting yourself against common security threats like these by taking a mindful approach to all aspects of your WordPress website security.
iThemes Security Pro offers more than 30 ways of protecting the most vulnerable areas of your WordPress site, defending it from a wide range of modern, sophisticated tactics malicious actors employ. Powerful vulnerability scanning, passwordless authentication, and file integrity monitoring allow you to reduce the attack surface dramatically.
iThemes will ensure you stay up to date with the latest security threats and news in the WordPress community. If you are new to WordPress, iThemes free WordPress training might be exactly what you need for a great start.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.