Using WordPress ‘allowed_http_origins’ PHP filter

The allowed_http_origins WordPress PHP filter allows you to change the origin types allowed for HTTP requests.

Usage

add_filter('allowed_http_origins', 'your_custom_function');
function your_custom_function($allowed_origins) {
    // your custom code here
    return $allowed_origins;
}

Parameters

  • $allowed_origins (string[]): Array of default allowed HTTP origins.
    • stringNon-secure URL for admin origin.
    • stringSecure URL for admin origin.
    • stringNon-secure URL for home origin.
    • stringSecure URL for home origin.

More information

See WordPress Developer Resources: allowed_http_origins

Examples

Add a custom allowed origin

Add a custom domain to the list of allowed HTTP origins.

add_filter('allowed_http_origins', 'add_custom_allowed_origin');
function add_custom_allowed_origin($allowed_origins) {
    $allowed_origins[] = 'https://www.customdomain.com';
    return $allowed_origins;
}

Allow all origins

Allow all HTTP origins for CORS requests.

add_filter('allowed_http_origins', 'allow_all_origins');
function allow_all_origins($allowed_origins) {
    return '*';
}

Remove a specific origin

Remove a specific origin from the list of allowed HTTP origins.

add_filter('allowed_http_origins', 'remove_specific_origin');
function remove_specific_origin($allowed_origins) {
    $index = array_search('https://www.unwantedorigin.com', $allowed_origins);
    if ($index !== false) {
        unset($allowed_origins[$index]);
    }
    return $allowed_origins;
}

Restrict to specific origins

Restrict allowed HTTP origins to a predefined list.

add_filter('allowed_http_origins', 'restrict_to_specific_origins');
function restrict_to_specific_origins($allowed_origins) {
    return array('https://www.alloweddomain1.com', 'https://www.alloweddomain2.com');
}

Allow subdomains of the main domain

Allow all subdomains of the main domain as HTTP origins.

add_filter('allowed_http_origins', 'allow_subdomains');
function allow_subdomains($allowed_origins) {
    $main_domain = 'example.com';
    $allowed_origins[] = "https://*.{$main_domain}";
    return $allowed_origins;
}