Function and usage of allowed_http_request_hosts() in WordPress


Answers ( 1 )


    The allowed_http_request_hosts() function in WordPress plays a crucial role in managing and securing HTTP requests made by your WordPress site. This function is specifically used to determine whether the host of a given HTTP request is considered "safe" or "external." It's an important part of the WordPress security system that helps prevent unauthorized redirects and requests to potentially harmful or unknown websites.

    Function Signature

    allowed_http_request_hosts( bool $is_external, string $host ): bool

    Function Details

    • Purpose: This function is designed to mark certain redirect hosts as safe for HTTP requests. It's attached to the http_request_host_is_external filter, which is a part of WordPress's plugin API.

    • Functionality:

      • The function checks whether the given $host (the destination of an HTTP request) is considered safe.
      • It determines if this host is allowed for external HTTP requests, based on the WordPress security settings and any customizations provided by themes or plugins.


    Parameters

    • $is_external (bool, required): This parameter indicates whether the host is considered external. In most cases, "external" refers to any host outside of your WordPress installation's domain.

    • $host (string, required): This is the host you're checking. It's the domain or IP address part of a URL.

    Return Value

    • Return Type: bool (Boolean)
    • Description: The function returns true if the $host is allowed and safe for external HTTP requests, and false otherwise.

    Sample Usage

    Here's a hypothetical example of how allowed_http_request_hosts() might be used:

    function my_custom_allowed_hosts( $is_external, $host ) {
        // List of hosts that are considered safe
        $allowed_hosts = ['', ''];
        // Check if the host is in the list of allowed hosts (strict comparison)
        if ( in_array( $host, $allowed_hosts, true ) ) {
            return true; // Mark as a safe host
        }
        // Default behavior based on WordPress core or other plugins' settings
        return $is_external;
    }
    // Attach the function to the filter
    add_filter( 'http_request_host_is_external', 'my_custom_allowed_hosts', 10, 2 );

    In this example, my_custom_allowed_hosts is a user-defined function that adds additional hosts to the list of safe, external HTTP request destinations. This is useful when you want to allow your WordPress site to interact with certain external APIs or services securely.
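A stricter variant of the allowlist callback above, as an added example that is not part of the original answer or of WordPress core. The function names and the two host names are constructed placeholders; it also uses the `$url` value that the `http_request_host_is_external` filter passes as its third argument, so the allowance can be limited to HTTPS requests.

```php
<?php
// Added example. Host names are constructed placeholders, not real services.
const MY_ALLOWED_HOSTS = array( 'api.example.com', 'hooks.example.org' );

/**
 * Return true only for an exact, case-insensitive match against the allowlist.
 * No suffix or substring matching, so look-alike hosts are not accepted.
 */
function my_host_is_allowlisted( $host, $url, array $allowlist ) {
    // Normalise: lower-case and drop a trailing root dot ("API.Example.com.").
    $host = rtrim( strtolower( trim( (string) $host ) ), '.' );
    if ( '' === $host ) {
        return false; // An empty host never matches, even if the list holds ''.
    }
    // Require HTTPS so the allowance does not extend to cleartext requests.
    $scheme = strtolower( (string) parse_url( (string) $url, PHP_URL_SCHEME ) );
    if ( 'https' !== $scheme ) {
        return false;
    }
    return in_array( $host, $allowlist, true );
}

function my_strict_allowed_hosts( $is_external, $host, $url = '' ) {
    if ( my_host_is_allowlisted( $host, $url, MY_ALLOWED_HOSTS ) ) {
        return true;
    }
    return $is_external; // Leave every other decision to core and other plugins.
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: the filter passes $is_external, $host and $url.
    add_filter( 'http_request_host_is_external', 'my_strict_allowed_hosts', 10, 3 );
} else {
    // Stand-alone run (php file.php) over constructed inputs.
    $cases = array(
        array( 'api.example.com', 'https://api.example.com/v1' ),        // exact match
        array( 'API.Example.com.', 'https://API.Example.com./v1' ),      // case and root dot
        array( 'api.example.com', 'http://api.example.com/v1' ),         // cleartext scheme
        array( 'api.example.com.evil.test', 'https://api.example.com.evil.test/' ), // look-alike
        array( '', 'https:///' ),                                        // empty host
    );
    foreach ( $cases as $case ) {
        $verdict = my_strict_allowed_hosts( false, $case[0], $case[1] );
        printf( "%-28s %-40s %s\n", $case[0], $case[1], var_export( $verdict, true ) );
    }
}
```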
