The allowed_http_origins WordPress PHP filter allows you to change the origin types allowed for HTTP requests.
Usage
add_filter('allowed_http_origins', 'your_custom_function');
function your_custom_function($allowed_origins) {
// your custom code here
return $allowed_origins;
}
Parameters
- $allowed_origins (string[]): Array of default allowed HTTP origins.
- stringNon-secure URL for admin origin.
- stringSecure URL for admin origin.
- stringNon-secure URL for home origin.
- stringSecure URL for home origin.
More information
See WordPress Developer Resources: allowed_http_origins
Examples
Add a custom allowed origin
Add a custom domain to the list of allowed HTTP origins.
add_filter('allowed_http_origins', 'add_custom_allowed_origin');
function add_custom_allowed_origin($allowed_origins) {
$allowed_origins[] = 'https://www.customdomain.com';
return $allowed_origins;
}
Allow all origins
Allow all HTTP origins for CORS requests.
add_filter('allowed_http_origins', 'allow_all_origins');
function allow_all_origins($allowed_origins) {
return '*';
}
Remove a specific origin
Remove a specific origin from the list of allowed HTTP origins.
add_filter('allowed_http_origins', 'remove_specific_origin');
function remove_specific_origin($allowed_origins) {
$index = array_search('https://www.unwantedorigin.com', $allowed_origins);
if ($index !== false) {
unset($allowed_origins[$index]);
}
return $allowed_origins;
}
Restrict to specific origins
Restrict allowed HTTP origins to a predefined list.
add_filter('allowed_http_origins', 'restrict_to_specific_origins');
function restrict_to_specific_origins($allowed_origins) {
return array('https://www.alloweddomain1.com', 'https://www.alloweddomain2.com');
}
Allow subdomains of the main domain
Allow all subdomains of the main domain as HTTP origins.
add_filter('allowed_http_origins', 'allow_subdomains');
function allow_subdomains($allowed_origins) {
$main_domain = 'example.com';
$allowed_origins[] = "https://*.{$main_domain}";
return $allowed_origins;
}