Make WordPress Core

Opened 12 years ago

Closed 7 years ago

#17675 closed defect (bug) (invalid)

Masked Domain Issue Introduced with New Update

Reported by: ital_dj's profile ital_dj Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.1.3
Component: Administration Keywords: dev-feedback needs-patch
Focuses: Cc:



I'm experiencing an issue accessing my wp-admin login page, only when using a masked domain.

My root setup is configured as so:

The domain I'm using to access it is located here:

When I use the root domain to access the login page directly, there's no problem. But, when I go to, or click on any login links while at the site, the page doesn't load. The title bar will load, but nothing else.

This is a new issue introduced with the 3.1.3 update. The masked domain was working prior to 3.1.3.

I've tried this both on Safari & Firefox (latest versions), using Mac OS X.

Change History (12)

#1 @ocean90
12 years ago

  • Keywords reporter-feedback added; needs-patch removed

Any error messages in your logs? Try also WP_DEBUG

#2 @ital_dj
12 years ago

  • Keywords reporter-feedback removed

Replying to ocean90:

Any error messages in your logs? Try also WP_DEBUG

I've gotten tons of error messages with plugins enabled. However, after disabling all plugins, I receive no error. There's also no server error logs.

By clicking login using the redirect site, nothing happens. The website loading is cancelled, and I'm left at the same page. By navigating to, I still receive a blank page (cancelled).

I've setup another redirect via a subdomain.
This redirect is

It is an unmasked redirect, which leads directly to, and it loads without a problem.

Last edited 12 years ago by ital_dj (previous) (diff)

#3 @sivel
12 years ago

  • Keywords reporter-feedback added

When you refer to a 'masked' domain. What exactly are you referring to? Does that hostname have the same IP as the "root" domain? And is apache configured with a serveralias to accept both domains for that single site?

This is the way that I have it configured, and the default behavior of WP is to redirect you from to If not by actually redirecting it will have in the actual href of the link you click.

#4 @ital_dj
12 years ago

What I mean is I've got a separate domain, which I've redirected to the main site. I've redirected it with masking enabled, so that you do not see the name of the true site in your address bar.

I've checked the IP of the real site and my domain, and it appears to be different. I'll try changing the IP.

I don't believe I've made any apache configurations. If so, could you point me to some directions?

I'll tell you one thing, when I hover over any links on the WP site, it shows as the true site in the status bar, and not the redirected domain.

#5 follow-up: @sivel
12 years ago

Sounds like a masked domain is really a proxy that is rewriting some things in the HTML to reflect the "masked" domain.

#6 in reply to: ↑ 5 @ital_dj
12 years ago

Replying to sivel:

Sounds like a masked domain is really a proxy that is rewriting some things in the HTML to reflect the "masked" domain.

It shouldn't be re-writing anything, should it? I don't think it's even able to...

#7 @sivel
12 years ago

To WordPress the "real" domain is the one configured in Settings->General, and it will always use that domain/hostname to build links throughout the site. If the links throughout the site are pointing to the "masked" domain then something other than WordPress has to be doing that, such as a plugin, or the proxy.

#8 @sivel
12 years ago

If it is not a proxy, but instead a iframe/frame being used to do the masking, then it is likely due to #12293 and [18013]. In which case, what you are experiencing is the intended side effect.

You can try removing this functionality to see if it is this by adding the following to a plugin:

remove_action( 'login_init',          'send_frame_options_header',     10, 0 );
remove_action( 'admin_init',                 'send_frame_options_header', 10, 0 );

#9 @ital_dj
12 years ago


Your code solved the issue. I had figured it was that new "clickjacking" security feature.

So how do I go about fixing this issue, whilst keeping the clickjack security enabled?

Changing the IP on that domain gives me an Apache error...

Optimally, I want all site links to hover with "" as the link. I've obviously setup my redirect in a way that Wordpress doesn't like. Do you have any suggestions?

Additionally, why would a domain redirect be using an iFrame? You'd figure it would "redirect" and not build a frame on top, wouldn't you?

Much thanks for the help so far!

(As an alternative, if this isn't easy, can we adjust the clickjacking feature to allow a specific website to "clickjack"? In this case, allow only my redirect to "clickjack"?)

Last edited 12 years ago by ital_dj (previous) (diff)

#10 @iseulde
10 years ago

  • Keywords dev-feedback added; reporter-feedback removed

#11 @chriscct7
8 years ago

  • Keywords needs-patch added

#12 @mdawaffe
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

This is WordPress acting as it should.

To allow embedding within a frame, @sivel's code above works. You can potentially restrict what domains your site is allowed to be iframed inside with the ALLOW-FROM value:

X-Frame-Options: ALLOW-FROM

(Though I don't know what browsers support that value.)

Since this is not a bug with WordPress, I'm closing this ticket. If this is still an issue, I suggest you either seek help for your particular situation in the community forums ( or contact your host for assistance setting up these domains correctly.

Thanks for filing this (so long ago) with us. (Please don't let the "invalid" resolution dissuade you from filing more tickets in the future - it's just the word we use :))

Note: See TracTickets for help on using tickets.