Widget Not Showing on Client Site

SureFeedback uses cross-domain communication to collect comments on all your client’s websites. Most of the time, website setup goes smoothly, but sometimes you’ll hit a snag and wonder why it’s not functioning properly.

Verify the website URL is correct.

Ensure your client’s Website URL 100% matches the site you’re collecting feedback. This includes HTTP vs HTTPS.

Ensure your website is not in “Draft” status

Sometimes a website project can get inadvertently set to “draft” mode. While we try to force this to always “publish” 3rd party plugins can interfere with the post status and cause this issue. You can fix this on your “All Websites” page. Click “Quick Edit” next to your website project and change the status to “published”.

SSL Issues

It’s recommended that both your site and your client’s site use SSL. It’s the safest way to communicate cross-domain. In fact, you can get SSL, free on your site or your client’s site right now! Cloudflare offers this option for all users, free of charge, regardless of your host:


Cross-domain communication can get tricky if both your site and your clients’ site don’t have the same SSL protocol (i.e. you’re using SSL but your clients’ site is not). Here are both scenarios:

1. Your site is using SSL, but your client’s site is not.

In this case, you’ll want to make sure you’re not forcing all your site’s URLs to load over HTTPS. The SureFeedback embed code is protocol agnostic, which means it can load over HTTP or HTTPS. However, if you’re forcing all of your website’s URLs to load over HTTPS this can cause the widget to be forced to load over HTTPS. And since your client’s site does not have SSL, it won’t load. 

To fix this, you’ll need to edit your .htaccess file to exclude the SureFeedback embed code from redirecting to ssl. It should look something like this:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https 
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

You’ll want to add a conditional to exclude redirects if the ph_apikey variable is present:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https 
RewriteCond %{QUERY_STRING} !ph_apikey=([^&]+) [NC] 
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This allows the website embed code able to load over either HTTP or HTTPS.

2. Your client’s site is using SSL, but your site is not.

If your client’s site is using HTTPS, your site MUST use HTTPS as well. Any site running SSL won’t allow non-secure (i.e. HTTP) resources to load on the page. You can often times get a free SSL certificate through your host for free. If not, you can score one for free from Cloudflare, regardless of your host. https://www.cloudflare.com/ssl/If you still can’t get the widget to load over ssl, a simple workaround is to install SureFeedback directly on your client’s site to avoid SSL issues.

Check your server’s X-Frame-Options setting.

The X-Frame-Options is a server setting used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. If this is set to DENY or SAMEORIGIN, SureFeedback won’t be able to iframe on your client’s site.  Typically, most hosts don’t add this to as WordPress needs this open to allow for the Embeds Feature, but sometimes a host will set this anyway. Your best bet is to contact your host about this issue, however, you can often solve this on your own as well.


If you’re running Apache, you’ll want to find the httpd.conf file on your server and remove any X-Frame-Options settings. If you can’t find your httpd.conf file, you may be on shared hosting, so check your .htaccess file at the root of your WordPress installation. It would look like this:

Header always append X-Frame-Options SAMEORIGIN 

If you’re running Apache, you’ll want to find the Nginx.conf file on your server and remove any X-Frame-Options settings. It would look like this:

add_header X-Frame-Options SAMEORIGIN; 

If you’re worried about security and don’t wish to have your site iframed on other sites, you can set your X-Frame-Options to include specific domains.

Make sure your browser isn’t blocking 3rd party cookies.

There’s an advanced setting in some browsers that lets users block 3rd party cookies. Unfortunately, this won’t allow login information to be found once you’re on an external site. In chrome, to fix this, enter:


In your browser and make sure “Block third-party cookies” is unchecked.

Brave Browser

Be sure you have “Shields Down” or the page will block all 3rd party content on the page, including the SureFeedback widget.

Was this doc helpful?
What went wrong?

We don't respond to the article feedback, we use it to improve our support content.

Need help? Contact Support
On this page

Ready to Give It a Try?

Start Your Free 14-Day Trial Now. No Obligation. No Reason Not To.

Trial Icon

14 Days Free Trial

Experience Our Platform Risk-Free

Docs Icon


Articles that cover common questions

24/7 World Class Support Team

Friendly Support

Reach Out – We’re Here to Help

Scroll to Top