The allowed_http_origins WordPress PHP filter allows you to change the origin types allowed for HTTP requests.
Usage
add_filter('allowed_http_origins', 'your_custom_function'); function your_custom_function($allowed_origins) { // your custom code here return $allowed_origins; }
Parameters
- $allowed_origins (string[]): Array of default allowed HTTP origins.
- stringNon-secure URL for admin origin.
- stringSecure URL for admin origin.
- stringNon-secure URL for home origin.
- stringSecure URL for home origin.
More information
See WordPress Developer Resources: allowed_http_origins
Examples
Add a custom allowed origin
Add a custom domain to the list of allowed HTTP origins.
add_filter('allowed_http_origins', 'add_custom_allowed_origin'); function add_custom_allowed_origin($allowed_origins) { $allowed_origins[] = 'https://www.customdomain.com'; return $allowed_origins; }
Allow all origins
Allow all HTTP origins for CORS requests.
add_filter('allowed_http_origins', 'allow_all_origins'); function allow_all_origins($allowed_origins) { return '*'; }
Remove a specific origin
Remove a specific origin from the list of allowed HTTP origins.
add_filter('allowed_http_origins', 'remove_specific_origin'); function remove_specific_origin($allowed_origins) { $index = array_search('https://www.unwantedorigin.com', $allowed_origins); if ($index !== false) { unset($allowed_origins[$index]); } return $allowed_origins; }
Restrict to specific origins
Restrict allowed HTTP origins to a predefined list.
add_filter('allowed_http_origins', 'restrict_to_specific_origins'); function restrict_to_specific_origins($allowed_origins) { return array('https://www.alloweddomain1.com', 'https://www.alloweddomain2.com'); }
Allow subdomains of the main domain
Allow all subdomains of the main domain as HTTP origins.
add_filter('allowed_http_origins', 'allow_subdomains'); function allow_subdomains($allowed_origins) { $main_domain = 'example.com'; $allowed_origins[] = "https://*.{$main_domain}"; return $allowed_origins; }