By default WordPress sends an HTTP header to prevent iframe embedding on /wp_admin/
and /wp-login.php
:
X-Frame-Options: SAMEORIGIN
That’s a security feature. If you want to remove this header remove the filters:
remove_action( 'login_init', 'send_frame_options_header' );
remove_action( 'admin_init', 'send_frame_options_header' );
But you should really use the multisite feature as Tom J Nowell suggested.