x-frame-options is a HTTP header - a frontend framework isn’t able to set that. Back end frameworks can, and probably should - or at least give you the option to with a default enabled value.

While WordPress could be configured to set it, it probably shouldn’t do it in the PHP - the installation guides should be telling you how to do it in Apache HTTPD or Nginx, with a fallback to doing it in PHP if changing the server config isn’t available.