---
title: Virtual Tour iFrame Fix — 2026-04-01
type: article
created: '2026-04-01'
updated: '2026-04-01'
source_docs:
- raw/2026-04-01-weekly-call-w-melissa-134752335.md
tags:
- skaalen
- wordpress
- security-headers
- iframe
- virtual-tours
- bug-fix
layer: 2
client_source: Skaalen Retirement Services
industry_context: senior-living
transferable: false
---

# Virtual Tour iFrame Fix — 2026-04-01

## Overview

Virtual tours on Skaalen community pages were displaying a "content is blocked — contact the site owner" error. The issue was diagnosed and resolved during the [[wiki/meetings/2026-04-01-weekly-call-melissa|2026-04-01 weekly call with Melissa]]. The root cause was a security header that blocked iframe embeds, a side effect of an earlier plugin removal.

## Affected Client

**[[wiki/clients/current/skaalen/index|Skaalen Retirement Services]]**

- **Pages affected:** Multiple community pages (e.g., Skaalen Dale, Skaalen Village) that include embedded virtual tour iframes provided by the client as embed codes
- **Symptom:** Browser displayed "The content is blocked. Contact the site owner to fix the issue."

## Root Cause

Skaalen's WordPress site previously used the **Really Simple Security** plugin to manage security headers. That plugin was removed some time ago because it was causing widespread 500 errors across hosted sites. When the plugin was removed, a custom security header configuration was put in place as a workaround — but that header was set to block iframes, which broke the virtual tour embeds.

Because the headers were no longer managed by a visible plugin, the configuration was easy to overlook during troubleshooting.

> "So I think if we run into this again, where we have an iframe or something that's being blocked, it's a security header, almost for sure." — Mark Hope

## Resolution

Mark identified and corrected the security header that was blocking iframe content. The fix was applied site-wide (not per-page), restoring virtual tours across all affected community pages.

An AI agent was used to locate the header configuration. After the fix, the agent was instructed to create memory/documentation files recording where the security headers live and what was changed, so future troubleshooting can be faster.

## Diagnostic Notes for Future Reference

- **If iframes are blocked on any Asymmetric-hosted WordPress site**, check the custom security header configuration first — this is the most likely culprit, especially on sites where Really Simple Security was previously installed and removed.
- The security headers are **not in a plugin**; they are set via a custom workaround. Look in server-level or theme-level configuration files rather than the WordPress plugin list.
- The agent created two memory files documenting the header location and fix details for this site.
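
To support the first check above, here is an added example (not taken from the call notes or from the site's configuration). The notes do not name the header that was changed; this sketch assumes the common case of a `Content-Security-Policy` whose iframe directive does not list the tour provider, and all hostnames and policy strings are constructed placeholders. Source matching is simplified and ignores ports and paths.

```python
from urllib.parse import urlsplit

# Directive lookup order browsers use for iframe loads (CSP Level 3).
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")

def parse_csp(value):
    """Parse one Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first wins
    return policy

def source_matches(source, embed, page):
    """Simplified source matching; ignores ports and paths in host sources."""
    src = source.lower()
    if src == "*":
        return embed.scheme in ("http", "https")
    if src == "'self'":
        return (embed.scheme, embed.hostname, embed.port) == (page.scheme, page.hostname, page.port)
    if src.startswith("'"):          # 'none' and other keywords never match a URL
        return False
    if src.endswith(":"):            # scheme source, e.g. https:
        return embed.scheme == src[:-1]
    scheme, sep, host = src.rpartition("://")
    if sep and scheme != embed.scheme:
        return False
    host = host.split("/")[0].split(":")[0]
    name = embed.hostname or ""
    return name.endswith(host[1:]) if host.startswith("*.") else name == host

def iframe_verdict(csp_value, embed_url, page_url):
    """Return (allowed, governing_directive) for an iframe pointing at embed_url."""
    policy = parse_csp(csp_value)
    embed, page = urlsplit(embed_url), urlsplit(page_url)
    for directive in FRAME_FALLBACK:
        if directive in policy:
            sources = policy[directive]
            return any(source_matches(s, embed, page) for s in sources), directive
    return True, None                # nothing in this policy restricts iframes

# Constructed sample values (not Skaalen's real configuration).
PAGE = "https://www.example.org/communities/"
TOUR = "https://tours.example.net/embed/abc"
BLOCKING = "default-src 'self'; img-src 'self' data:"
CORRECTED = "default-src 'self'; frame-src 'self' https://tours.example.net"

if __name__ == "__main__":
    for label, csp in (("blocking", BLOCKING), ("corrected", CORRECTED)):
        print(label, iframe_verdict(csp, TOUR, PAGE))
```

The header value to feed in can be read from the affected page's response, for example with `curl -sI <page URL>`. The returned directive name shows which part of the policy to widen, so the tour provider can be allowed without removing the header entirely.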

## Related

- [[wiki/knowledge/wordpress-security-headers-iframe-blocking|WordPress Security Headers & iFrame Blocking]] *(pattern to document)*
- [[wiki/clients/current/skaalen/index|Skaalen Client Index]]
- [[wiki/meetings/2026-04-01-weekly-call-melissa|2026-04-01 Weekly Call — Melissa]]