Tags: wordpress, iframe, x-frame-options

Can't access WordPress Dashboard in an iframe


I have an iframe on http://foo.example.com which points to http://bar.example.com.

On http://bar.example.com is a WordPress installation. I'm able to view the page and click on all pages and posts, but when I try to go to the backend I get

Refused to display document because display forbidden by X-Frame-Options.

and the request is aborted.

According to this question I added this header, which gets sent successfully:

header('X-Frame-Options: GOFORIT');

What else can limit the access to just the dashboard (and the login screen)?

I have access to both subdomains and can use an .htaccess file as well.


Solution

  • According to this WordPress Answers question, Receiving “This content cannot be displayed in a frame” error on login page, WordPress sends a special header

    X-Frame-Options: SAMEORIGIN
    

    that prevents clickjacking, and hence also prevents embedding the admin in an iframe.

    It is possible to eliminate this header by removing a couple of actions from wp-includes/default-filters.php, but at your own risk.

    Someone might register a domain with a very similar name, embed your login as background iframe and log the login credentials when you try to type them in.

    Please, read the full Q&A at WPSE.
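The following is an added example, not code from the question, the answer, or WordPress itself. It models how a browser decides whether a page may be framed, based on the X-Frame-Options header discussed above and the CSP frame-ancestors directive that replaces it, and shows the header set that lets exactly one trusted origin (foo.example.com, as in the question) frame the dashboard while every other site stays blocked. The URLs are constructed for the demo, and the source-expression matching is a simplified version of the CSP rules (it covers 'self', 'none', '*', scheme sources and host sources with an optional '*.' wildcard).

```python
"""Added example: which origins may frame a page, given its response headers.

Two facts this models: (1) a browser ignores an X-Frame-Options value it does
not recognise (so a value like GOFORIT only looks like it works because it
removes the protection), and (2) when CSP frame-ancestors is present, modern
browsers enforce it and ignore X-Frame-Options, which is the supported way to
allow a single trusted framing origin instead of disabling clickjacking
protection altogether."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return scheme://host:port for a URL, with the default port made explicit."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS.get(u.scheme, 0)
    return f"{u.scheme}://{u.hostname.lower()}:{port}"


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_ancestors(headers):
    """Return the frame-ancestors source list from the CSP header, or None."""
    csp = _header(headers, "Content-Security-Policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.split()
    return None


def _source_matches(source, page_url, framer_url):
    """Match one frame-ancestors source expression against the framing page.
    Simplified matching: 'self', '*', scheme sources such as https:, and host
    sources with optional scheme, optional port and a leading '*.' wildcard."""
    source = source.strip("'").lower()
    framer = urlsplit(framer_url)
    if source == "self":
        return origin_of(page_url) == origin_of(framer_url)
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. https:
        return framer.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != framer.scheme:
        return False
    host, _, port = host.partition(":")
    framer_port = str(framer.port or DEFAULT_PORTS.get(framer.scheme))
    if port and framer_port != port:
        return False
    if host.startswith("*."):
        return framer.hostname.endswith(host[1:])
    return framer.hostname == host


def frame_allowed(headers, page_url, framer_url):
    """Decide whether framer_url may embed page_url. Returns (allowed, reason)."""
    sources = frame_ancestors(headers)
    if sources is not None:  # CSP present: it wins, X-Frame-Options is ignored
        if sources == ["'none'"]:
            return False, "CSP frame-ancestors 'none'"
        ok = any(_source_matches(s, page_url, framer_url) for s in sources)
        return ok, "CSP frame-ancestors " + " ".join(sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True, "no framing restriction sent"
    value = xfo.upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        same = origin_of(page_url) == origin_of(framer_url)
        return same, "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM never had broad support and is obsolete; any other value
    # (GOFORIT included) is unrecognised and the header is silently ignored.
    return True, f"X-Frame-Options value {xfo!r} not recognised, header ignored"


def recommended_headers(trusted_framer_origin):
    """Headers allowing one trusted origin (plus the site itself) to frame the
    page. X-Frame-Options cannot name a foreign origin, so it stays SAMEORIGIN
    as the fallback for browsers that do not understand frame-ancestors."""
    return {
        "Content-Security-Policy": f"frame-ancestors 'self' {trusted_framer_origin}",
        "X-Frame-Options": "SAMEORIGIN",
    }


if __name__ == "__main__":
    # Constructed demo URLs: the site, the trusted framer, and a look-alike domain.
    page = "http://bar.example.com/wp-login.php"
    framers = ["http://foo.example.com/", "http://bar-example.com/"]
    policies = {
        "WordPress default": {"X-Frame-Options": "SAMEORIGIN"},
        "GOFORIT from the question": {"X-Frame-Options": "GOFORIT"},
        "scoped allowance": recommended_headers("http://foo.example.com"),
    }
    for label, hdrs in policies.items():
        for framer in framers:
            allowed, why = frame_allowed(hdrs, page, framer)
            print(f"{label:28} {framer:28} {'ALLOW' if allowed else 'BLOCK'}  ({why})")
```

Running it shows the trade-off the answer warns about: the GOFORIT header allows both the trusted origin and the look-alike domain, while the scoped CSP policy allows only foo.example.com and the site itself.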