wiki/clients/current/skaalen/2026-04-01-virtual-tour-iframe-fix.md Layer 2 article Client: Skaalen Retirement Services 395 words Updated: 2026-04-01
↓ MD ↓ PDF
skaalen wordpress security-headers iframe virtual-tours bug-fix

Virtual Tour iFrame Fix — 2026-04-01

Overview

Virtual tours on Skaalen community pages were displaying a "content is blocked — contact the site owner" error. The issue was diagnosed and resolved during the [1]. Root cause was a security header blocking iframe embeds — a side effect of a prior plugin removal.

Affected Client

[2]

Root Cause

Skaalen's WordPress site previously used the Really Simple Security plugin to manage security headers. That plugin was removed some time ago because it was causing widespread 500 errors across hosted sites. When the plugin was removed, a custom security header configuration was put in place as a workaround — but that header was set to block iframes, which broke the virtual tour embeds.

Because the headers were no longer managed by a visible plugin, the configuration was easy to overlook during troubleshooting.

"So I think if we run into this again, where we have an iframe or something that's being blocked, it's a security header, almost for sure." — Mark Hope

Resolution

Mark identified and corrected the security header that was blocking iframe content. The fix was applied site-wide (not per-page), restoring virtual tours across all affected community pages.

An AI agent was used to locate the header configuration. After the fix, the agent was instructed to create memory/documentation files recording where the security headers live and what was changed, so future troubleshooting can be faster.

Diagnostic Notes for Future Reference

Sources

  1. 2026 04 01 Weekly Call Melissa|2026 04 01 Weekly Call With Melissa
  2. Index|Skaalen Retirement Services
  3. Wordpress Security Headers Iframe Blocking|Wordpress Security Headers & Iframe Blocking
  4. Index|Skaalen Client Index
  5. 2026 04 01 Weekly Call Melissa|2026 04 01 Weekly Call — Melissa