We’re actively acquiring WordPress agencies. Sell your WordPress business to Freshy.
Let’s discuss

How to fix iframe “refused to connect” errors in WordPress (X-Frame-Options and CSP)

Nathan Chapman

If you’ve ever tried embedding a WordPress page in an iframe and encountered a “refused to connect” error, you’re likely dealing with browser security headers blocking the request.

In this case, a WordPress page needed to be embedded on a subdomain, but was blocked due to the X-Frame-Options: SAMEORIGIN header. The solution required replacing outdated iframe restrictions with a modern, scoped Content Security Policy (CSP).

Issue Background

A WordPress site needed to embed a page into a separate subdomain environment:

  • Source page: a dedicated embed page
  • Target iframe location: a subdomain-based learning platform

The iframe failed to load and browsers displayed a “refused to connect” error due to restrictive response headers.

Diagnosis

The page response included an X-Frame-Options header set to SAMEORIGIN, which prevents embedding on any domain other than the exact same origin.

  • Subdomains are treated as separate origins
  • Legacy ALLOW-FROM directives are deprecated and unsupported
  • The security plugin in use only allowed limited header options

This made it impossible to allow iframe embedding through plugin settings alone.

Resolution Steps

1. Identify the affected page

Determined which specific page needed to be embedded and scoped the solution to that page only.

2. Override the X-Frame-Options header

Used a custom PHP snippet to remove the header for the targeted page.

3. Implement a Content Security Policy

Added a CSP header using frame-ancestors to allow only the required subdomain.

4. Use a code-based approach

add_action('send_headers', function() {
    if (is_page('embed-page-slug')) {
        header_remove('X-Frame-Options');
        header("Content-Security-Policy: frame-ancestors 'self' https://example-subdomain.com;");
    }
});

5. Test iframe functionality

Confirmed the page loads correctly within the iframe and no longer triggers browser blocking.

Final Outcome

  • The page embeds successfully on the intended subdomain
  • Security headers remain intact across the rest of the site
  • No global weakening of iframe protections

If your WordPress site is blocking iframe embeds or you’re dealing with security header conflicts, Freshy can help implement a safe and modern solution.
Contact Freshy

Nathan Chapmanhttps://freshysites.com/team/nathan-chapman/
Nathan was raised both a computer nerd and a musician. After receiving a bachelors degree in classical music (and quickly realizing it wasn’t an ideal career choice), he began to work in web development. With over 5 years of experience, he’s seen just about everything WordPress has to offer, and is always looking to learn more. He loves solving puzzles, building web pages, and custom coding anything he can think of. Although Boston born, he spends most of his time south of the border in Monterrey; the tacos are just impossible to give up.

See our featured website design work

Check out some of the beautiful websites we’ve built for over 2,000 clients.

View projects

We offer WordPress support & maintenance

Shake the stress of ongoing maintenance with plans supported by our team of WordPress experts.

Learn more
Previous Post
Why WooCommerce orders can fail even when payment is successful (and how to diagnose it)
Next Post
How to hide WooCommerce product prices from non-logged-in users (and restrict store access)