Index: wp-login.php
===================================================================
--- wp-login.php	(revision 17822)
+++ wp-login.php	(working copy)
@@ -368,7 +368,8 @@
 	setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
 
 // allow plugins to override the default actions, and to add extra actions if they want
-do_action('login_form_' . $action);
+do_action( 'login_form' );
+do_action( 'login_form_' . $action );
 
 $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
 switch ($action) {
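Review bot: The new `do_action( 'login_form' )` reuses a hook name that, as far as I recall, wp-login.php already fires inside the login form markup so plugins can print extra fields; that other call site is outside this hunk, so please confirm. If so, every plugin callback that echoes form fields will now also run here, before any HTML, and that early output would stop later `header()` and `setcookie()` calls from working. The frame header callback would also run a second time mid-page, where its `@` hides the failure. A dedicated early hook avoids the collision: `do_action( 'login_init' );` here, with the matching `add_action( 'login_init', 'send_frame_options_header', 10, 0 );` in the first hunk of wp-includes/default-filters.php.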
Index: wp-includes/default-filters.php
===================================================================
--- wp-includes/default-filters.php	(revision 17822)
+++ wp-includes/default-filters.php	(working copy)
@@ -215,6 +215,7 @@
 // Login actions
 add_action( 'login_head',          'wp_print_head_scripts',         9     );
 add_action( 'login_footer',        'wp_print_footer_scripts'              );
+add_action( 'login_form',          'send_frame_options_header',     10, 0 );
 
 // Feed Generator Tags
 foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) {
@@ -248,6 +249,7 @@
 add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
 add_action( 'before_wp_tiny_mce',         'wp_print_editor_js'             );
 add_action( 'after_wp_tiny_mce',          'wp_preload_dialogs',      10, 1 );
+add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
 
 // Navigation menu actions
 add_action( 'delete_post',                '_wp_delete_post_menu_item'      );
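Review bot: Nothing at the `admin_init` registration says it is a clickjacking defence, and it sits among unrelated admin hooks where a later cleanup could drop it without anyone noticing the loss. I would put a comment above it, `// Clickjacking protection: refuse cross-origin framing of admin screens.` Coverage also depends on every admin entry point firing `admin_init` before output starts, which this hunk does not show and is worth confirming.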
Index: wp-includes/functions.php
===================================================================
--- wp-includes/functions.php	(revision 17822)
+++ wp-includes/functions.php	(working copy)
@@ -4534,4 +4534,16 @@
 	return false;
 }
 
+/**
+ * Send a HTTP header to limit rendering of pages to same origin iframes.
+ *
+ * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
+ *
+ * @since 3.2.0
+ * @return none
+ */
+function send_frame_options_header() {
+	@header( 'X-Frame-Options: SAMEORIGIN' );
+}
+
 ?>
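Review bot: The `@` on `header()` hides the one failure that matters for this function: if output has already started, the header is not sent and the page stays frameable, with nothing logged. I would drop the suppression, `header( 'X-Frame-Options: SAMEORIGIN' );`, so the "headers already sent" warning surfaces, or state in the docblock why it is silenced. The docblock should also name the purpose (clickjacking protection for login and admin screens) and use `@return void` instead of `@return none`. "Send a HTTP header" should read "Send an HTTP header".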
