This isn't so much a PHP vulnerability as it is a "not added" feature to your web server.
You can of course throw in header("X-Frame-Options=SAMEORIGIN"); into every page...but that's not feasible simply read below and add the required data to your HTTPd config file.
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options